How to identify risks?

Before starting any systematic risk management effort, it is crucial to identify the risks the company is exposed to.
The aim of the risk identification process is to establish a catalogue of risks, the so-called “risk register”. While this process is usually fairly intuitive, there are a few pitfalls that should be taken into consideration.

What constitutes a risk?

The first step in identifying a risk is to agree on a common definition of what a risk is.

ISO 31000:2018 defines risk as “effect of uncertainty on objectives”. After this the definition goes on to specify that “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.”

While this definition is theoretically sound, we feel that it is too vague for practical use in many companies. Therefore, we generally advocate using two conditions that determine whether something can be called a risk or not:

1. Uncertainty: Risk exists if there is uncertainty about future events or developments.

2. Financial damage: Risk exists if this uncertainty may cause a significant financial loss or otherwise cause the firm’s financial performance to fall below the planned level.

Effectively, this definition assumes that the company’s primary objective is financial gain, so any uncertainty that might lead to financial loss is a risk.

Having defined what a risk is, we can also give examples of what does not constitute a risk.

Risk is not a foreseen or expected adverse development
For instance, if the sales of a given product group are expected to decline, this does not constitute a risk. On the other hand, the possibility that sales are unexpectedly lower than planned is a risk.

Risk is not a difficulty or challenge
A difficulty or a challenge that already exists today is not uncertain, and so it is not a risk. The risk would be “the possibility that the new market entry fails”, not “a challenging market situation”.

Getting the terminology straight

There is an unfortunate confusion about risk terminology that should be rectified sooner or later. Below are some common terms and an explanation of how they relate to each other.

Threat – the source or trigger of the risk event that causes the uncertainty. A threat without any risk exposure is not a problem.

Risk exposure – the amount that is theoretically at risk if the threat materializes. In financial risk management the exposure simply indicates how a relative (%) change in the value of the underlying variable (interest rate, exchange rate etc.) translates into profit or loss.

Risk – the collection of threats (causes) and exposures that is treated and managed as a single whole.

Risk level – the result of the risk assessment process, indicating how serious the risk is when the probabilities of different loss amounts are taken into account.

Issues to keep in mind when identifying risk

More identified risks do not mean better identification
While it is a natural urge to identify as many risks as possible, this approach often leads to so many risks that in the end none of them gets properly managed.

The key aim is first to find the risks that, in the worst-case scenario, have the largest potential loss or financial impact. Try to avoid identifying risks that at worst have minor financial consequences. Such risks can be added once the risk management effort matures, but before that, it is crucial to find the ‘large’ risks.

Another way to keep the number of risks manageable is to remember that the same risk may have several causes and several outcomes. For instance, instead of listing “shutdown of machine A”, “shutdown of machine B” etc., we can simply identify a single risk, “machine interruptions”.

The key to grouping smaller ‘risks’ together is to ensure that these smaller risks are either highly similar or can be effectively managed as a group. For instance, in the example above, a single person might be responsible for maintaining all the machines and would thus naturally be responsible for managing the risk as well.

Risks should not ‘overlap’
When identifying risks, we should ensure that we do not accidentally double or triple count the same risk. This can easily happen when many people identify risks separately and the risks are then collected into a joint catalogue.
For instance, consider a situation where the person responsible for IT and the person responsible for production have each identified the key risks in their respective departments.
The production side considers an interruption in the supply of semi-finished goods to be among its key risks. The IT department, on the other hand, sees the unavailability of the enterprise resource management system as a critical risk. The key point is that many of the production interruptions might be due to IT failures, and so the same risk is counted twice in the risk identification.
Counting the same risk multiple times adds burden to the risk management system and might lead to wrong results if the risk estimates are later aggregated.

Avoid risks that are too vague
Another major issue that hinders the risk identification process is the tendency to identify risks that are too vague to be managed. Consider the “risk of a decline in employee morale”. For such a risk it is almost impossible to assign financial consequences. Likewise, it is hard even to know when the risk has materialized. In short, the risk is too vague to be managed. A good substitute could be “an increase in employee sick days” or something similar, which makes the risk more tangible and manageable.

Lack of imagination
Most of the major disasters that happen to companies were once unimaginable and had never happened before. Therefore, when identifying risks, one needs to shift the mindset from what has happened to what is within the realm of possibility. In doing this we have to overcome the natural mechanism of not worrying about everything, which keeps us sane in everyday life.
For unlikely risks, human psychology has a natural tendency either to dismiss the possibility of something going wrong entirely (“that cannot happen”) or to become overly paranoid about very low probability risks (flight accidents). At the risk identification stage, we want to lean toward being paranoid about everything, and only later, at the risk assessment stage, start thinking about the actual seriousness of the threat. If rigorous analysis shows that the risk is unrealistic, we can still dismiss it then.

Risk identification techniques

Risk identification can be done in two complementary ways:

– The first method is to ask the people who know how the organization functions what could go wrong. This class of techniques includes a variety of specific approaches such as risk workshops, brainstorming, questionnaires, self-reporting etc. For an organization in the early stages of its risk management effort, the group-based methods are more suitable since they foster a risk culture. For a more mature risk organization, the individual approaches are more suitable, since the new risks being identified are likely the ones that were missed initially and are therefore most likely to be spotted by a single individual during the normal course of work.

– The second class consists of more analytical, engineering-style methods based on careful analysis of the company’s or operation’s value-creating process. These methods are better suited to finding hidden critical failure points that might be missed at the intuitive level. Methods in this class include structured what-if analysis, scenario analysis, fault tree analysis, bow-tie analysis, incident analysis and peer incident analysis.

Key points

Risk is the presence of uncertainty that can cause financial damage.

Common failures in risk identification are:
– focusing on generating as many risks as possible,
– identifying overlapping risks or double counting the same risk,
– identifying risks that are too vague, and
– lack of imagination.

Risk identification can be done by asking people what could go wrong, or by analysing the company’s processes and finding hidden failure points that might lead to major losses.
