This stage is about finding all the risks a business faces to ensure a comprehensive understanding.
These techniques, or mix of, can be used to identify risks. Internal activity does not require the involvement of anyone from outside the business as it predominantly is based on using knowledge from within the business. External activity would usually be led by someone from outside the business as it mostly relies on some form of specialist skill or technique.
- Questionnaires – Asking people within the business to identify risks. This can be a checklist. It should allow for wide ranging input.
- Workshops – Using a group to identify and discuss risks. It brings the business’s people together to brainstorm exposures and also allows for different levels and functions to co-operate.
- Business process analysis – Used to assess process flow dependencies. The creation of flow charts helps identify each part of a process that contains risk exposures and interdependencies.
- Risk assessments – Systematic rollout of standard forms, potentially at all levels of a business, to collate hazard and mitigation information. Risk assessment is defined as the process of identifying variables that have the potential to negatively impact an organisation’s ability to conduct business. Some assessments may require external input.
- Scenario analysis – Following the same approach as Workshops this applies to reviewing new business opportunities. It can also be undertaken as a desk exercise or involve a wider range of stakeholders.
- Physical inspection – Inspection by a risk professional of key risks, e.g. property, health and safety or environment.
- Research – Undertaken as a project, to add an objective view to a business. A key component will be comparing risk against other similar organisations.
- HAZOP analysis – Used for high hazard equipment. Structured examination of safety critical equipment to identify potential worst case scenarios. Identifies unacceptable deviations which can result in failure, then identifies causes and consequences.
Through applying all or some of these techniques a business will then have a schedule of identified risks.
It may be of benefit for identified risks to be grouped and / or classified by type. Doing this may simplify assessing them and help in understanding their significance and in identifying appropriate responses.
One method of grouping is to look at the drivers behind risk grouping externally and internally.
Once risks have been identified, and potentially grouped and categorised, the next stage is to consider how significant or serious they are, how likely they are to happen and what the consequence would be should they happen.