Risk Identification Made Simple
Whilst a SWOT Analysis is a good, fast way to discover new opportunities and identify threats, many
organisations have gone beyond this relatively simple approach and embraced more advanced forms of
identifying and assessing risks and opportunities.
The move by many organisations to adopt an Enterprise-wide Risk Management (ERM) approach has
directed organisations towards a more structured approach to identifying and managing risk. In this
context, Tony Harb from InConsult explores the various risk identification and assessment approaches
organisations can choose from.
ISO/IEC 31010:2009
Did you know there is a whole standard dedicated to risk assessment techniques? ISO/IEC 31010:2009
Risk management – Risk assessment techniques is a supporting standard for ISO 31000 Risk
management – Principles and guidelines and provides guidance on how to select and apply systematic
techniques for risk assessment. It contains around 30 separate techniques…although some techniques
do cross over.
It’s not critical that managers know all 30, but knowing more about these techniques will help you better
align the risk assessment process with your risk assessment objectives.
1. Brainstorming
Brainstorming involves a group of people working together to identify potential risks, causes, failure
modes, hazards and criteria for decisions and/or options for treatment. Brainstorming should stimulate
and encourage free-flowing conversation amongst a group of knowledgeable people without criticising
or rewarding ideas.
It is one of the best and most popular ways to identify both risks and key controls and is the basis for
most risk workshops.
2. Interviews
During a structured interview, interviewees are asked a set of prepared questions to encourage the
interviewee to present their own perspective and thus identify risks.
Structured interviews are frequently used during consultation with key stakeholders when designing the
risk management framework. As an example, structured interviews are good to gauge risk appetite and
tolerance when developing risk appetite statements.
http://www.inconsult.com.au/risk-identification-made-simple/ 1/3
12/23/2017 Risk Identification Made Simple | 10 Ways To Identify New Risks
3. Checklists
Checklists are pre-populated lists of hazards, risks or control failures that have been developed usually
from experience, either as a result of a previous risk assessment or as a result of past failures or
incidents.
Auditors often prepare checklists of key controls to aid in their assessment of control effectiveness and
the internal control environment.
WARNING: We strongly recommend that risk checklists only be used as a secondary form of risk and
control identification. Relying entirely on checklists can restrict ‘risk thinking’. Remember back to year 6
when you used to look at the back of your maths book for the answers before attempting to solve the
problem…it’s a bit like that!
5. Scenario Analysis
Closely related to SWIFT. Here a scenario is a short story or description of a situation of how a future
event or events might turn out or look like. For each scenario, participants reflect and analyse the
potential consequences and potential causes when analysing risk.
Scenario analysis can be used to identify opportunities for fraud. For example, a scenario could be “A
staff member has just admitted to defrauding our company of $50,000 over 8 years through fictitious
expense claims…how can this happen?”
8. Direct Observations
Simply looking out for risks and being situationally aware is not included in ISO/IEC 31010 as a risk
identification technique. This relatively simple technique is used daily in the workplace by staff who may
observe risky situations and hazards regularly. It is also used by emergency services when attending to
an emergency and is a form of dynamic risk assessment. It is also heavily used by Workplace Health &
Safety professionals during inspections and audits.
A risk-aware culture and well-trained staff will improve people’s ability to observe potential risks and
implement controls before the risk eventuates into an incident.
9. Incident Analysis
Incidents are risks that have now occurred. Recording incidents in a register, conducting root cause
analysis and periodically running some trend analysis reports to analyse incidents can potentially
enable new risks to be identified. In addition, a high frequency of like incidents can be a lead risk
indicator to a potentially larger problem.
10. Surveys
This method is also not included in ISO/IEC 31010 as a risk identification technique, however, it is similar
to structured interviews but involves a larger number of people. It can be used to collect a broad set of
ideas, thoughts and opinions across a range of areas covering risks and control effectiveness.
One of the best ways for risk managers to use surveys is to assess the organisation’s risk culture.
Internal auditors can use surveys to assess the internal control environment. Some organisations use
annual staff surveys to gauge staff understanding of key risk and governance policies and procedures.
So, now that you know the different methods…it’s time to leave your comfort zone and try something
new.
—
Tony Harb B. Bus, FCA, MBA, MIIA (Aust) has over 20 years’ experience in risk management, financial
control and audit. He can be contacted on 02 9241 1344 or tonyh@inconsult.com.au.