Risk Identification and Assessment Best Practices Guide

There’s risk in all organizations, from startups to a multinational corporation. However, many businesses are at risk due to a lack of systematic identification and risk assessment of the risks affecting their goals. This leaves gaps which result in expensive surprises, missed opportunities and avoidable crises.

Risk Identification And Assessment

One key skill that can make the difference between a company that can manage risk efficiently, and one that simply cannot, is the capability to fully and accurately recognize and evaluate risks.

This guide takes you through the full spectrum of risk identification and assessment, along with frameworks, methodologies and best practice tools which are employed by leading organizations around the world.

Table of Contents

Risk Identification And Assessment: What Is It?

Identifying and assessing risk is the basis for good risk management. These terms are sometimes used interchangeably, but are actually two different but related processes.

Risk identification is the act of identifying, recognizing and narrating risks that might impact your organization’s goals. It is a response to the basic question what can go wrong?

The next step in the risk assessment process is to evaluate the risk by estimating its probability and consequences, which is referred to as risk assessment. It responds: What are the levels of these risks and what are the most important ones?

All these processes combine to form the “foundation for all subsequent risk management activities”, as stated in ISO 31000 (the international standard on risk management). If there is no identification and an honest assessment, then organizations are working blind – they are not able to allocate their resources where they are most needed.

These Processes Are Important Because…

It is a serious matter. Think about the following real life consequences:

  • A manufacturing company does not know what risks there are on the supply chain, and when the company finds itself in a serious crisis with no suppliers, it is too late.
  • A financial institution which fails to properly evaluate cybersecurity risks loses millions that could have been prevented by a cybersecurity breach.
  • In a construction company without safety precautions, accidents derail projects and ruin lives.

On the other hand, companies that have strong risk identification and evaluation processes are able to have a tremendous competitive edge:

  • Enhanced decision making: Leaders make decisions with knowledge and understanding of the issues at hand.
  • Resource efficiency: Organisations focus on material risks and not spread resources across the board.
  • Systematic approaches: Many industries have documented risk processes that are required, and systematic approaches can meet these requirements
  • Trust of stakeholders: Investors, board, and customers have confidence in an organization that is mindful of risk.
  • Organizational resilience: Companies who are aware of their weaknesses, can defend themselves in advance of disasters.

The Core Components Of Risk Identification

Risk identification is not something that just occurs. It takes structure, involvement, and the appropriate techniques!

Describes the key components of a comprehensive risk identification.

1. Organizational Context Definition

To be able to recognize risks first, you need to clearly define what you want to protect. This includes:

  • Your strategy or goals (how you will achieve them)
  • The factors that affect you in your operation (internal and external)
  • Who does depend on your success? (Your stakeholder landscape)
  • Your resources (what do you have to allocate for management?)

A lot of organisations go straight ahead and begin enumerating threats. This results in fragmented and unfocussed identification processes, which fails to capture material risks and is an inefficient way of capturing trivial risks.

2. Multi-Perspective Involvement

Threats seem to be different from one perspective. Market risk is viewed in a different light by a sales manager than by an compliance officer. A frontline employee is likely to notice operational risks which senior management is unaware of.

Successful identification is based on:

  • The team with strategic and external risks is a new addition to the PMO team.
  • A view of the process and execution risks.
  • Technical perspective: Technology and system risks
  • Compliance view: Regulatory/legal risks
  • Employee view: Practical risks at ground level.
  • External perspective: Customer, supplier and market risks.

Only one or two groups involved, will repeatedly overlook critical risk groups.

3. Historical Analysis

There are trends to be seen in past incidents. Review:

  • Worst case scenarios. What went wrong and what could go wrong.
  • Any incident in the industry that is similar to the one experienced by the organization.
  • Internal audit findings
  • Customer complaints and quality problems
  • Employee safety reports

This is not a discussion on past mistakes, it is about learning from them. Many organizations have repeat incidents, because they have not systematically learned from the first incident.

4. Environmental Scanning

Your surroundings around your organization are continually changing. Systematic scanning captures:

  • Regulatory changes
  • Competitive moves
  • Technological disruptions
  • Economic trends
  • Social and demographic change
  • Environmental factors

This forward-looking component proactively tackles up-coming risks while they are still emerging rather than turning to a crisis.

Identification Of Risks And Methodologies

There are multiple ways of identification, depending on the situation. Multiple methods are usually used to achieve a full coverage of leading organizations.

Identification Of Risks And Methodologies

Brainstorming Sessions

What it does: Provides a forum for group dialogues, allows for initial suggestions about possible dangers without judgement or filters.

How it works:

  1. Form a multidisciplinary group of staff.
  2. Ask a question that is clear, concise and focused.
  3. No criticism of the ideas, they just need to be free flowing.
  4. Record all suggestions
  5. Clean, organize and categorize after

Ideal for: Generating different views, finding unexpected dangers, raising awareness on teams

Strengths: Captures some of the more prominent ideas; can be useful for understanding the opinions of those who are loudest or most assertive; group dynamics encourages others to speak; can be good for understanding ideas that are well thought out

Brainstorming helps identify risks that can be exploited by competitors, which a company’s executive team might not have considered, and this was what a tech company discovered through brainstorming.

Structured Interviews

How it is done: One-on-one or small group discussions with an expert on a specific topic with a set of questions.

How it works:

  1. Formulate specific questions relating to specific risk areas
  2. Interview specialists throughout the company.
  3. Ask follow-up questions, to dig deeper.
  4. Record patterns and insights that are different.
  5. Make comparisons between the findings from interviews

Ideal for: Risks that are complex and technical, capturing expert input, specific domains in details

Advantages: Good for providing a structured view of potential risks and hazards; Can be time consuming; requires a skillful interviewer; May not capture risks or hazards outside the scope of the prepared questions.

Real-life scenario: Nurses, doctors and billing personnel at a healthcare organization were interviewed and questions were asked in a well-structured way to understand patient safety issues which only frontline workers could truly identify.

Assumption Analysis

What it does: It’s an honest look at your strategic plans and operations and what assumptions you make.

How it works:

  1. Include key assumptions in your strategy or operations (e.g., “our biggest customer will stay our biggest customer”)
  2. Discuss the soundness of each assumption
  3. Determine what it would mean if the assumption turned out to be incorrect
  4. Evaluate the probability of failure of the assumption.
  5. Plan for contingencies of critical assumptions.

Best used for: uncovering strategic risks, uncovering dependency which is not obvious, stress testing plans

Constraints: Intellectual honesty (organisation may not want to question core assumptions); may feel abstract

Real life example: When a retailer took a look at the assumptions, they found that they had based all of their operations on the assumption that malls will continue to be a significant amount of traffic, which is a high-risk assumption given the e-commerce age.

Failure Mode And Effects Analysis (FMEA)

What it does: A systematic process which is used to consider how systems and/or processes might fail.

How it works:

  1. Draw the process or system on a map in detail.
  2. Find possible failure modes (how things could go wrong)
  3. Evaluate impact for each failure
  4. Appraise probability and detectability
  5. Ensure the most severe and likely issues are prioritized.
  6. Create risk mitigation strategies for top risks.

Appropriate for: Operational risk, Technical risk, processes that have safety implications, Product quality risks

Limitations: Assumes that the system has technical understanding, time-consuming for complex systems, may not capture interdependencies.

An airline applies FMEA to uncover thousands of failure points, ranging from the performance of the engines and planes to crew communication, in order to prevent accidents.

SWOT Analysis

What it is: A framework that looks at Strengths, Weaknesses, Opportunities and Threats.

How it works:

  1. Summarise strengths and weakness within the organization
  2. Recognize opportunities and threats outside of the organization
  3. Identify any weaknesses that can be taken advantage of.
  4. Consider external threats in regards to yourself
  5. Take into account multiple factors

Use when: you need to make broad assessments of your environment; you need to make strategic plans; you want to evaluate your business model

Rediscovers: May be surface level, frequently generates lists of common items; may not rate the severity.

Real business example: A manufacturing company’s SWOT showed that they lacked digital skills and that the threat of the disruption of the Industry 4.0 posed a significant strategic risk to the company.

Checklists And Frameworks

What it does: Lists of risks that have been done for you and are applicable to your industry and/or role.

How it works:

  1. To use industry-standard checklists (e.g., NIST cybersecurity framework)
  2. Identify and read published frameworks for your sector
  3. Systematically work through each item
  4. Make adjustments for the context
  5. Mark the appropriate and inappropriate items

Avoid if: You need to customize certain practices; you are unsure of what to do; you are on a budget.

Restrictions: Restriction on novel and industry-specific risks (checklist bias, checking boxes without real consideration)

Real-life scenario: A financial services company uses regulatory checklists to stay compliant and not leave regulatory-related risks uncovered.

Understanding Risk Assessment

After identifying risks, the second step is assessment, determining which risks actually matter. If you’re looking for a broader approach to managing risks across an organization, read our Enterprise Risk Management Framework guide.

A two-dimensional approach to risk assessment.

There are two dimensions behind all formal risk assessment techniques:

Likelihood (Probability)

What is the probability that this risk will ever happen?

  • Remote/Rare: May occur but is very unlikely
  • Likely: May occur, although not necessarily.
  • Probable: The chances of this happening are more than 50/50.
  • Expected: Likely to happen, or to have happened, or to have been intended or planned for.

Impact (Severity)

If this risk is realized, what would be the impact (severity)?

  • Minor: Small or mild effect.
  • Moderate: Moderate effect that can be managed within the school setting
  • Major: Major impact – requires response
  • Negligible: No impact on main activities.
  • Catastrophic: Threat to organization’s existence.

These dimensions are combined to form a risk profile which helps to inform decision-making.

Also Read: Risk Management Analysis

Qualitative Risk Assessment

What it means: An evaluation made according to the expertise and qualitative scales instead of numerical data.

How it works:

  1. Assign a score to each risk, based on defined scales of likelihood and impact.
  2. Using a risk matrix, indicate which quadrant each risk is in.
  3. Identify with color coding for instant visual identification e.g. green = low risk, yellow = medium risk, red = high risk.
  4. In your organization: Standardize rating terminology and definitions

Note: Use best for initial risk screening, when there is no historical data, or complex risks where quantities may be hard to determine.

Disadvantages: Sloppy, inaccurate, not comprehensive enough

Limitations: Bias; not easily comparable between organisations; not reflective of actual probabilities

Risk Matrix (Qualitative)

Impact / Likelihood Remote Possible Probable Expected
Negligible
Minor Green
Moderate Green Yellow Yellow Orange
Major Yellow Orange Red Red
Catastrophic Orange Red Red Red

Quantitative Risk Assessment

What it does: It provides the actual probability and expected monetary value based on the numerical data and statistical analysis of the information.

How it works:

  1. Collect data to track frequency & severity of events
  2. Use statistical techniques to approximate a probability distribution
  3. Compute mean values (probability x dollars)
  4. Conduct sensitivity analysis to gain insights into variables that have the greatest impact on risk
  5. Create scenarios and correlations with the model.

Best suited to: High value risks; where there is a significant amount of historical data; where there are complex interdependencies between the risks.

Disadvantages: It may be difficult to obtain objective data; might require costly equipment or resources; can be difficult to prioritize controls precisely; sometimes may not be possible to cost-benefit analyze controls.

Restrictions: Needs a lot of historical information, could produce false precision, historical data may not be able to predict future

In business context: An insurance company uses loss history to quantify the probability and the cost of various loss situations, and this information is used to determine insurance premiums.

Semi-Quantitative Assessment

Numerous organizations take both of the above measures:

  1. Employ qualitative measures of likelihood and impact
  2. Apply scales to numbers (e.g. Remote = 1, Possible = 2, Probable = 3, Expected = 4)
  3. Identify risk scores (probability x consequences/impacts)
  4. Score and prioritise, but take expert advice to decisions.

This allows for a balance between objectivity and practicality; this can be extremely useful if there is no complete quantitative data.

How To Create Your Risk Register

A risk register is the single place for risks that are identified and assessed. It converts information into actionable intelligence.

The components of an essential risk register are essential to its creation.

A detailed risk register will contain:

1. Risk Description

  • Explicit and specific statement of the failure modes
  • Don’t use jargon such as “market risk”.
  • Rather: “Our luxury products are no longer as popular as before because of a slowdown in consumer spending caused by economic recession, and the number of consumers has been decreased by over 20%”.

2. Risk Category

  • The strategic, operational, financial, compliance, technology, etc.
  • Assists in arranging and covering all bases

3. Root Cause

  • What could be the cause of this risk?
  • Knowing the causes helps to reduce the impact

4. Likelihood And Impact Assessment

  • Your organization’s ratings on the scales
  • Documented Assumptions – Ratings

5. Current Risk Level

  • The likelihood is multiplied by impact to get the calculated value.
  • Identifies what is important to manage

6. Responsible Owner

  • Individual Accountable Person (IAP): Person or persons designated to act as the leader of this risk management strategy.
  • Clearly defines accountability (not spread out)

7. Existing Controls

  • See what we already are doing to reduce this risk?
  • Mix of study and practical skills that does not enter undue risk.

8. Mitigation Actions

  • What other actions will we be taking?
  • Who will be responsible for putting them into practice?
  • What’s the timeline?

9. Residual Risk

  • Risk level following the work undertaken to mitigate the risk
  • Determines if controls are effective or not

10. Review Status

  • When was the last time that this risk was reviewed?
  • Has there been a change in status from the previous assessment?

Sample Risk Register Entry

Risk ID STRAT-2024-07
Opportunity Opportunity to win over key technical talent from competitors
Category Operational
Issue Low upward mobility for experienced engineers, and a competitive market for them.
Likelihood Probable (3)
Impact Major (4)
Current Risk Level 12 (High)
Responsible Owner EMEA Human Resources Director; CEO UK & Ireland
In Place Controls Limited retention bonuses for critical roles, competitive salary reviews
Risk Reductions Introduce Career Development program; implement Innovation Time; develop technical leadership track
Expected Residual Risk 8 (Medium)
Next Review Q3 2024

Practical Implementation: Step By Step Approach

From theory to practice there is a structured implementation process.

Phase 1: Preparation (Weeks 1-2)

Outline scope and context:

  • What will we assess? (Specific project, department, enterprise-wide?)
  • How long is the time frame? (Next quarter/next 5 years?)
  • What do we want to achieve as a strategic group?
  • What constraints exist?

Secure leadership commitment:

  • Time and honesty are necessary for risk identification
  • Leaders need to role model the importance of risk reporting, not risk punishment.
  • Sufficient budget and resources need to be provided

Form the risk identification team:

  • Include cross-functional representation
  • Include frontline staff, not just management!
  • Have a risk coordinator lead the process

Phase 2: Identification (Weeks 3-5)

Conduct identification activities:

  • Have brainstorming sessions with other groups
  • Interview subject matter experts.
  • Look back at what has happened in the past and how you have responded to incidents.
  • Examine your plans and assumptions

Document comprehensively:

  • Take a photo of all identified risks.
  • Write down who found it and the technique used (i.e. source).
  • Present evidences to back up considerations and beliefs

Consolidate and organize:

  • Group similar risks
  • Eliminate duplicates
  • Organize by category

Phase 3: Assessment (Weeks 6-7)

Assess each risk:

  • Use your own scales of rating on the likelihood
  • Use your agreed scales to rate the impact
  • Calculate risk level
  • Document reasoning

Validate assessments:

  • Are risk scores accurate or do experts agree?
  • Do there appear to be risks that are under- or over-emphasized?
  • Do the assumptions made in the assessment make sense?

Identify relationships:

  • So which risks are dependent upon others?
  • Which might give rise to other hazards?
  • Document these interdependencies

Phase 4: Prioritization And Reporting (Week 8)

Prioritize for action:

  • High risk items require a prompt mitigation plan.
  • Items in the medium risk category must be assigned specific owners and monitoring.
  • Some products are low risk, and might only require monitoring rather than active mitigation.

Create risk register:

  • Document all findings
  • Assign ownership
  • Establish review schedule

Report to leadership:

  • Provide an overview of the major threats.
  • Explain assessment methodology
  • Recommend mitigation priorities
  • Outline current monitoring plan

Identifying Risks And Assessing Them Using Tools And Technologies

Though a great deal of judgment is essential, tools can be used to aid in efficiency and consistency.

Spreadsheet-Based Approaches

Risk Registers in Excel/Google Sheets:

  • Easy to use, known by most organizations
  • Suitable for smaller organizations or particular departments
  • Issues: Low scalability, collaboration problems, poor reporting

Suitable for: Start-ups, special project risks, resource-limited organizations.

Enterprise Risk Management Software

Enterprise platforms: (IBM OpenPage, Archer, AuditBoard):

  • Single points of collection of all risks.
  • Automate workflows to review and approve.
  • In-depth reporting and insights.
  • The integration of other enterprise systems should be achieved.
  • Role-based access controls

Suitable for: Large organizations, regulated industries such as financial services, complex risks.

Advantages: Will generate substantial rewards if successful; may be complex and challenging to implement; maintenance will be necessary.

Hybrid Approaches

Many of the organizations employ combination solutions:

  • Strategic and Enterprise Risk Management Software, centralized solution.
  • The operational risks are recorded on the departmental spreadsheets.
  • Consolidation and reporting on a regular basis

Common Mistakes In Risk Identification And Assessment

This section covers typical pitfalls in identifying and assessing risk. You can learn from other people’s mistakes and make your success quicker.

Mistake 1: Lack Of Perspective Diversity

The challenge: What the senior executives identified as risks don’t necessarily reflect reality at ground level. Business context is something that only technical experts who identify risks miss.

The answer: Make sure to intentionally incorporate a variety of viewpoints. Establish (and maintain) psychological safety to encourage individuals to raise concerns.

Mistake 2: Mixing Up Risks With Issues

The problem: A risk is an event that may occur. An issue is an occurrence, a matter. Adding them together can create confusion as to what is really in need of mitigation.

The answer: Set definitions. Any risks are forward-looking; problems must be addressed right away.

Mistake 3: Over-Reliance On Historical Data

The problem: This has never happened before doesn’t mean that it can’t happen. By definition, black swan events were unexpected.

The answer: Use a blend of historical analysis and scenario planning to the future. Of particular significance in a dynamic context.

Mistake 4: Insufficient Risk Ownership

The issue: There is no effective mitigation of risks to committees or any generalized “management” that are not precisely defined. The results are not clearly “their” and not obviously “yours.

The answer: Every risk should have a named, accountable and individual owner.

Mistake 5: One-Time Versus Ongoing Assessment

The challenge: In many organizations risk identification happens only once, a risk register is established and then not looked at again.

The answer: Create a schedule for review periods (at least quarterly for the majority of organizations). Risks change as things change.

Mistake 6: Confusing Probability With Impact

The issue: Equating a high risk that has a low impact with a low risk that has a high impact, is a mistake—they should be treated differently.

The answer: Keep to the two-dimensional approach. A catastrophic but rare risk requires a different mitigation as compared to a frequent but minor risk.

Advanced Concepts: Interdependent Risk & Dependencies

As organizations grow in their risk management capabilities, they find that risks cannot be considered individually.

Risk Interdependencies

  • Cascading risks: A risk occurs that leads to other risks. If the information security risk is breached, it may lead to regulatory fines (compliance risk) and loss of customers (market risk).
  • Risks that are correlated: When there are several risks that increase together. Economic recession adds to the credit risk and operational efficiency pressures.
  • Addressing one risk may create another: There are risk paradoxes to be mitigated. Operational complexity risk is reduced with an increase in centralization but at the same time single-point-of-failure risk is increased.

Such relationships need to be understood so that mitigation strategies are not implemented that simply cause risk to be transferred to other regions.

Risk Landscape Assessment Using Scenario Approach

What it does: Examines the possibility of several risks coming together, or one after another.

How it works:

  1. Find a likely combination of risks.
  2. Produce a model of impact of scenario
  3. Recognize warning indicators
  4. Develop contingency plans

Real world scenario: If there are production issues and geopolitical instability in the region that the key supplier is in simultaneously, the supply chain manager imagines what that would mean.

Industry-Specific Considerations

The character of the risk is different in each industry, necessitating industry-specific approaches to the identification of risk.

Financial Services

Any of the factors, including unique risks, could cause Schneider Electric to incur losses and material damage.

Examples of methodologies: Stress testing, value-at-risk (VaR) modeling, scenario analysis

Regulatory requirements: Basel III/IV, Dodd-Frank requirements

Key capability: A key capability is the ability to quickly identify counterparty and systemic risks.

Manufacturing And Operations

Unique challenges: issues with supplies, product quality, safety concerns, equipment failures

Methodologies: FMEA, Fault tree analysis, Safety audits

Regulatory aspects: OSHA, industry criteria.

Capability: Safety awareness to mitigate risks – finding hazards before incidents.

Healthcare

Unique Risks: Patient safety, medical error, liability, regulatory non-compliance

Key methodologies: Root Cause Analysis, Patient Safety Event Reviews

Regulatory frameworks: The Joint Commission standards and HIPAA

Critical capability: Clear incident reporting and learning systems.

Technology And Software

Unique risks: Cybersecurity, Data privacy, Technology obsolescence, Key person dependencies

Key methodologies: Threat modeling, penetration testing, architecture reviews

Compliance standards: GDPR, CCPA, industry-specific standards

Capability: Emerging technical issues identified quickly.

Conclusion

The principles of risk management are risk identification and risk assessment. Mastery of these disciplines gives organizations great competitive benefits: they make better decisions, allocate resources more effectively, and develop organizational resiliency.

The Most Important Insights:

  • Structured processes outperform intuitive processes: Experience is important but structured processes have the ability to find more risks than intuitive processes.
  • There’s a need for diversity of perspective: No single view of the risk landscape will capture the whole picture. You need front line workers, technical experts, business leaders, and outsider’s points of view.
  • Assessment needs to be objective and it needs to be judgmental: Pure qualitative approaches are biased; Pure quantitative approaches are imprecise. Most organizations find their benefit from the semi-quantitative methods that are based on numbers but also include expert judgment.
  • Risk ownership leads to accountability: Each risk identified should have an identified owner with clear accountability for risk mitigation.
  • Risks evolve and your risk assessment must evolve: A single risk-identification exercise is not going to last long. Risk assessment is a continuous process, rather than a project.

What You Should Do Next

If you haven’t completed a formal risk identification and assessment within the last 12 months, then this is your chance. Everyone should begin small, and establish a clear scope (department, project or strategic initiative), then follow the step-by-step process outlined above, and develop momentum from early success. It is the organization that understands the risks that is in control of the future.

Frequently Asked Questions

Q1: What Is The Difference Between Risk Identification And Risk Assessment?

A: The difference is that risk identification is the process of determining what risks exist while risk analysis is the process of evaluating them. Risk identification is used to find out and describe potential risks (what could go wrong?). Risk analysis involves a deeper analysis of the causes and effects of identified risks. Assessment, along with risk management forms the backbone of it.

Q2: How Often Should We Review/Amend Our Risk Register?

A: It is common for minimum quarterly reviews to happen. Monthly reviews are appropriate for high-risk areas, shifting industries or transitioning organizations. Conduct regular reviews instead of once-a-time.

Q3: What Is The Best Method For Conducting A Risk Assessment: Qualitative Or Quantitative?

A: Most organizations find a mixture of both forms of approach semi-quantitative to be useful. Screen using qualitative assessment and use quantitative assessment to material risks only when historical data is available. Both are not always the best methods.

Q4: How To Promote Honest Risk Reporting Without The Development Of Blame Culture?

A: Leaders need to demonstrate the importance of risk reporting by their actions. If a risk is raised, it should not be asked ‘who is responsible for this?’, but ‘how do we address this?’. This gives candidates psychological safety to make candid risk discussions over time.

Q5: If We Do Identify Low Risk Items What Should Happen To Them?

A: Record them in your risk register, and give high and medium risks priority for active risk mitigation. Keep a check on the low risk of change in situations which could put them at a higher risk. Some organisations set up an annual review to systematically review the low risk items.

Q6: What Do We Do About Risks That We Do Not Control?

A: Organize them according to your influence. Take risks that are beyond your control. List specific mitigation actions for others for whom you have influence. For instance, it is not possible to manage the economy, but it might be possible to diversify revenue streams to minimise the impact of the economy.

Q7: What’s To Be Done With New And Unanticipated Risks?

A: Get familiar with new risk patterns in your industry regularly. Make your risk identification process flexible so as to accommodate the addition of new categories. To track emerging patterns, a more comprehensive risk review might be done every 2-3 years.

Leave a Comment