4.1 Risk Identification
After Scanning the Environment, the second step in the generic risk management process is to identify all the potential risks that could positively or negatively affect an organization’s objectives. Risk identification is defined by the International Organization for Standardization (ISO) as the “process of finding, recognizing and describing risks” (International Organization for Standardization, 2022).
Risks that have the effects of uncertainty on an organization can be internal or external to it. Traditionally, risks have been put into silos, meaning that organizations isolate their risks within departments, business units, sectors or locations and address them at that level without sharing information with others in the organization. Enterprise Risk Management allows an organization to holistically manage all its key risks as well as any opportunities that might exist. An organization practicing holistic risk management is taking a broad and integrated approach to managing its risks by ‘wrapping its arms around all of its risks and allowing them to communicate with each other.’ Holistic risk management allows the organization to see how potential risks and opportunities fit together across the four classifications of hazard, operational, financial and strategic risks (Elliott, 2018).
Risks should also be identified holistically by an organization, as one risk will very likely influence the emergence of a second risk, or even more risks, within the organization. For example, a supply chain operating across North America would rely heavily on information technology to coordinate its activities. If a fire occurred at a distribution centre, causing an interruption in data transmission, it could have a cascading effect on the organization’s overall ability to function efficiently. In this case, a fire, which is a hazard risk, would have a direct effect on the organization’s ability to distribute products, resulting in an operational risk. If there was inadequate communication within the organization regarding the situation, the adverse effects could be much greater.
When an organization conducts a risk assessment, it should identify all its risks before analyzing and responding to them using risk treatment techniques. The types of risks that should be identified are:
- Known risks: risks that the organization knows about or that have previously affected the organization.
- Emerging risks: risks that are not known to the organization.
- Inherent risks: risks that have not been managed or treated.
- Residual risks: the risk that remains after the risk has been managed or treated.
Image Description
A circular diagram, divided into four quadrants, each representing a different type of risk identification. The top left quadrant is maroon and labelled “Hazard Risk Identification.” The top right quadrant is green and labelled “Operational Risk Identification.” The bottom right quadrant is purple and labelled “Strategic Risk Identification.” The bottom left quadrant is blue and labelled “Financial Risk Identification.” An arrow in the centre points clockwise, indicating the continuous process of holistic risk identification across all quadrants.
There are two holistic approaches to identifying risks available to an organization: a top-down approach and a bottom-up approach. When a top-down approach is used, the senior management in the organization makes decisions on the risks that can have a positive or negative effect on the organization. The advantage of this approach is that senior management will have access to all relevant risk information in the organization from a high-level perspective. While this is an advantage, it is also a disadvantage because there might not be a true grasp of all the organization’s activities from that level, and there would also be a dependency on receiving accurate information from inside the organization. A bottom-up approach has the advantage of providing an abundance of information from personnel working within and throughout the organization. Its disadvantages would stem from not having access to all relevant information at that level and from having to compile the information to achieve a holistic perspective of the risks in the organization. The best overall approach to risk identification would be one that combines a top-down and a bottom-up approach.