Risk Identification – What Risks do I have?

Risk Identification – Tip Sheet
The starting point:
The process of identifying risks is varied. It usually involves asking a number of questions:
• What can go wrong and how?
• What do you think will happen to you?
• What things might affect our ability to meet our business objectives?
• What has happened in the past?
• What has happened to others in a similar business, industry or organisation?
Remember: it is important to consult widely, and not just with your desktop computer. No one
person knows everything. The results of an inclusive risk assessment will be more balanced than
one person's view of the world.
Consultation during the risk identification process can be achieved through:
• Risk workshops
• Interviews
• Surveys or questionnaires
• Statistical analysis – past losses, claims history or near misses
• Business reviews and / or audits
• Flowcharts
• Personal inspections
• Consultation with experts both within and outside the organisation – for example internal managers and external risk experts
Categories of risk:
A structured approach using categories as a prompt is a popular method for risk identification.
Categories such as those listed below funnel thinking and act as a starting point to identify risks.
• Assets
• Business Processes and Systems
• Commercial
• Compliance / Regulation
• Contractual
• Cultural Heritage
• Environment
• Financial
• Fraud
• General Management Activities
• Operational
• People
• Products and Services
• Project
• Records Management
• Reputation and Image
• Security
• Stakeholder Management
• Strategic
• Technology
• Other
Following the methodology of AS/NZS ISO 31000:2009, each identified risk is:
• Described – the risk description;
• Given a source or driver, where applicable; and finally
• Given a description of the consequence.
Risk Description
A description of the risk: what can happen?
Language is important. Legislation is not in itself a risk – the risk is better defined as “breach of legislation.”
Likewise a building is not a risk: risks relating to a building may be: “damage to building,” “failure of building
integrity / collapse of building” etc.
Examples of appropriate language include:
• Failure of
• Failure to
• Breach of
• Damage to
• Loss of
• Exceeding (authority, delegations, contract price etc.)
Source
How the risk comes about – what causes the risk?
Drivers to the risk
Contributors to the risk
For example:
a) The source of the risk “damage to building” could be:
• Natural disasters
• Flood
• Fire
• Earthquake
b) The source of the risk “breach of legislation” could be:
• Lack of training and understanding of staff in relation to relevant legislation
• Increased workloads, pressures and staff burnout resulting in increased number of errors and breaches of legislation.
• Inconsistency of the legislation – breach almost certain and almost impossible to avoid.
Impact from the event happening – the consequence
This is the result if what can happen does happen. Essentially, this is the consequence of the risk.
Important to note:
• If there is no consequence then what has been described is not a risk.
• If nothing can happen then there is no risk.
The consequence should be described in its most normal form and not the extreme form. For example: the
consequence of a paper cut in its most likely form is: injury / small cut not requiring first aid treatment. The
consequence in its most extreme form would be: injury / small cut, resulting in infection and blood poisoning
leading to death.