The risk management process starts from the risk identification process to which functions, departments, units, and operations of an organization are exposed. Risk identification is an ongoing and systematic process that requires efforts to identify and document the organization’s key risks, which may already exist or be emerging.

What Is The Risk Identification Process?

Risks often can’t be avoided. However, it is possible to identify the existing and emerging risks for their appropriate and timely management. Therefore, it is desirable for every organization, whether small or large, to implement and perform periodic risk-identification activities in each department and process. 

Before the identification of risk, an understanding of the organization’s objectives and mission are important. The risk identification process involves the identification of those events and outcomes that are not wanted by the governance and management of the organization. Due to rapid changes in technology, ways of doing business, and increased customer expectations, organizations face emerging risks and threats. 

The objective of risk identification is to know which functions and processes within the organization are exposed to what types of risks. The risk identification process helps to develop a risk database for each function and department. 

An organization is exposed to different types of threats from internal and external sources. Risk identification helps in documenting and analysis of these threats, which provides a roadmap to risk owners for developing mitigants and controls to manage the identified risks.

Ongoing risk identification is an important part of risk management because risk owners identify various new or emerging risks, which were previously not included in the risk database for further analysis. 

Identifying Organizational Risks

Organizations are required to identify risks in an effective manner where all risks are identified. 

Organizations are required to adopt an ongoing risk-identification approach where existing risks are revisited, and emerging risks are identified on a timely basis. New and emerging risks arise for various reasons such as the adoption of new technology, changes in the product range, new competitors in the market, and new regulations and laws introduced for compliance.  

The risk identification process should not be biased. It should involve all stakeholders within the organization and should not be dependent only on the inputs of a few employees or staff.

The risk identification process may involve workshops, process observation, and interviews, which help in identifying, filtering, and screening risks relevant to different areas and functions of the organization. The risk identification process also requires judgments of risk identifiers, which may be corroborated with supporting data or information available with risk owners or relevant departments. 

Risk References And Sources

The risk identification process also requires references or sources of risks, such as:  

• External and internal audit reports; 
• Financial statements analyses; 
• Loss database or incidents data; 
• Compliance review reports; and
• Regulatory inspection reports

Organizations should identify strategic and operational level risks during the risk-identification process.

Strategic Risks

Strategic risks arise due to strategic choices made by the board of directors or senior management. For example, the board might decide to expand or transform the business and operations. Strategic choices and decisions usually involve the acquisition of new machinery, relationships with new vendors, technology changes, changes in human resources, the introduction of new business processes, and others. Due to the strategic choices and decisions, an organization commonly faces new or evolving risks, which must be timely identified. 

A strategic risk identification process should be performed both before and after making strategic choices. This helps in considering all potential risk factors and issues arising from the choices made.

All identified strategic risks should be documented by risk owners, for assessment, evaluation, and management. All identified strategic risks should be periodically reviewed for changes or amendments. This is necessary because changes or amendments in the strategic decisions may give rise to new risks not initially identified before revision or amendment in strategic decisions. 

Strategic Risks Examples

Examples of strategic risks include:

• Technological advancement or changes;
• Frequent turnover of senior management;
• Competition in the market or competitive pressure;
• Customers and other stakeholders’ pressure;
• Changes in consumer preferences; and
• Changes in consumer preferences.

Operational Risks

Operational risks arise due to changes in processes, systems, people, vendors, contractors, regulatory changes, and various other external factors. Operational risks must be identified by the management or risk owners and should be made part of the risk database for assessment and evaluation purposes. 

Operational risk identification is an ongoing and continuous process that involves the identification of new and emerging risks. 

Operational risks identification is relevant for all types of organizations especially for large organizations which have a large product range, complex business operations, large customers base, and complex regulations to comply with. All these factors contribute to the exposure of an organization to more operational risks. 

To identify the operational risks, it is important for the risk identifiers to have sound knowledge of the business operations, systems, processes, and people in the organization. Therefore, risk identifiers should be experienced risk-management professionals or risk owners having sound knowledge of their respective processes, systems, people, and controls. 

The operational risks identification process also involves consideration of past events and incidents that occurred that resulted in disruption of business operations. 

Operational Risks Examples

Examples of operational risk include:

• Risks arising from natural disasters or uncontrollable events (for example, floods or hurricanes);
• Cyber-attacks;
• Fraud conducted by employees, third parties, or customers; and
• Non-compliance with internal policies and procedures. 

Final Thoughts

The goal of risk identification is to identify events that, if they occur, will have a negative impact on the project’s ability to achieve performance or capability outcome goals. They may originate within the project or from outside sources.

Risk assessments come in many forms, including program risk assessments, risk assessments to support an investment decision, alternative analysis, and assessments of operational or cost uncertainty. The type of risk identification that is required to support risk-informed decision making must match the type of assessment that is required. The first step in an acquisition program is to identify the program goals and objectives, fostering a shared understanding among the team of what is required for program success.