Risk Identification – Tip Sheet Risk Identification – What Risks do I have? The starting point: The process of identifying risks is varied. It usually involves asking a number of questions: What can go wrong and how? What do you think will happen to you? What things might affect our ability to meet our business objectives? What has happened in the past? What has happened to others in a similar business, industry or organisation? Remember: it is important to consult widely and not just to your desktop computer. No one person knows everything. The results of an inclusive risk assessment will be more balanced than one persons view on the world. Consultation during the risk identification process can be achieved through: Risk workshops Interviews Surveys or questionnaires Statistical analysis – past losses, claims history or near misses Business reviews and / or audits Flowcharts Personal inspections Consultation with experts both within and outside the organisation – for example internal managers and external risk experts Categories of risk: A structured approach using categories as a prompt is a popular method for risk identification. Categories such as those listed below funnel thinking and act as a starting point to identify risks. Assets Business Processes and Systems Commercial Compliance / Regulation Contractual Cultural Heritage Environment Financial Fraud General Management Activities Operational People Products and Services Project Records Management Reputation and Image Security Stakeholder Management Strategic Technology Other Risk Identification – Tip Sheet Following the methodology of the AS / NZS ISO 31000:2009 identified risks are: Described – the risk description; A source or driver to the risk is identified where applicable; and finally A description of the consequence is provided. Risk Description A description of the risk, what can happen? Language is important. Legislation is not in itself a risk – the risk is better defined as “breach of legislation.” Likewise a building is not a risk: risks relating to a building may be: “damage to building,” “failure of building integrity / collapse of building” etc. Examples of appropriate language include: Failure of Failure to Breach of Damage to Loss of Exceeding (authority, delegations, contract price etc.) Source How the risk comes about – what causes the risk? Drivers to the risk Contributors to the risk For example: a) The source of the risk damage to building could be: Natural disasters Flood Fire Earthquake b) The source of the risk Breach of legislation could be: Lack of training and understanding of staff in relation to relevant legislation Increased workloads, pressures and staff burnout resulting in increased number of errors and breaches of legislation. Inconsistency of the legislation – breach almost certain and almost impossible to avoid. Impact from the event happening – the consequence This is the result of if what can happen does happen. Essentially, this is the consequence of the risk. Important to note: If there is no consequence then what has been described is not a risk. If nothing can happen then there is no risk. The consequence should be described in its most normal form and not the extreme form. For Example: the consequence of a paper cut in its most likely form is: injury/small cut not requiring first aid treatment. The consequence in its most extreme form would be injury small cut, resulting in infection and blood poisoning leading to death.