Risk identification is the first step in risk assessment or risk analysis, and a critical part of the risk management process.
“You can’t manage what you don’t measure,” the saying goes.
Identifying the extent and nature of the risks to your organization is key to risk management. By “risk,” we mean any threat or event that could hinder your organization from achieving its objectives.
The risk identification process, therefore, begins with understanding your organization’s objectives. It should then include all potential risks, threats, and events that could harm its ability to attain those goals, whether or not they are under your control.
Because risks change and new risks emerge over time, risk identification should not be a one-and-done process but one that is continual and ongoing throughout the lifecycle of the project, program, or organization being assessed for risk.
The risk identification process starts with interviews of project management and leadership to build an initial list of risks. The people doing the identifying should be drawn from a diverse cross-section of the organization, and all stakeholders, not just project managers, should be consulted to produce the most comprehensive list of risks.
Other sources of potential risks include:
- External and internal audit reports
- Committee reports
- Financial analyses
- Historic data analyses
- Loss data
- Key performance indicators (KPIs)
- Market and sector information
- Scenario analyses
- Forecasting and stress testing results
Types of identified risks might include:
- Project risk
- Operational risk
- Financial risk
- Legal risk
- Cybersecurity risk
- Reputational risk
Every risk identified, along with its root cause and an owner responsible for it, should be documented in a risk register for management, project team members, and stakeholders to use when deciding how to treat each risk: whether to accept it (a conscious, recorded decision, not the same as ignoring it), mitigate it, transfer it, or avoid it, and which risk mitigation strategies to use.