
12/23/2017 Risk Identification Made Simple | 10 Ways To Identify New Risks



Risk Identification Made Simple
Whilst a SWOT Analysis is a good fast way to discover new opportunities and identify threats, many
organisations have gone beyond this relatively simple approach and embraced more advanced forms of
identifying and assessing risks and opportunities.
The move by many organisations to adopt an Enterprise-wide Risk Management (ERM) approach has
directed organisations towards a more structured approach to identifying and managing risk.  In this
article, Tony Harb from InConsult explores the various risk identification and assessment approaches
organisations can choose from.   

ISO/IEC 31010:2009
Did you know there is a whole standard dedicated to risk assessment techniques?  ISO/IEC 31010:2009
Risk management – Risk assessment techniques is a supporting standard for ISO 31000 Risk
management – Principles and guidelines and provides guidance on how to select and apply systematic
techniques for risk assessment. It contains around 30 separate techniques…although some techniques
do cross over.
It’s not critical that managers know all 30, but knowing more about these techniques will help you better
align the risk assessment process with your risk assessment objectives. 

1. Brainstorming 
Brainstorming involves a group of people working together to identify potential risks, causes, failure
modes, hazards and criteria for decisions and/or options for treatment. Brainstorming should stimulate
and encourage free-flowing conversation amongst a group of knowledgeable people without criticising
or rewarding ideas.

It is one of the best and most popular ways to identify both risks and key controls and is the basis for
most risk workshops.

2. Interviews 
During a structured interview, interviewees are asked a set of prepared questions to encourage the
interviewee to present their own perspective and thus identify risks.
Structured interviews are frequently used during consultation with key stakeholders when designing the
risk management framework. As an example, structured interviews are good to gauge risk appetite and
tolerance when developing risk appetite statements.

3. Checklists 
Checklists are pre-populated lists of hazards, risks or control failures that have been developed usually
from experience, either as a result of a previous risk assessment or as a result of past failures or
Auditors often prepare checklists of key controls to aid in their assessment of control effectiveness and
the internal control environment.
WARNING: We strongly recommend that risk checklists only be used as a secondary form of risk and
control identification.  Relying entirely on checklists can restrict ‘risk thinking’.  Remember back to year 6
when you used to look at the back of your maths book for the answers before attempting to solve the
problem…it’s a bit like that! 

4. Structured “What-if” Technique (SWIFT)  

This is a systematic, team based exercise, where the facilitator utilises a set of ‘prompt’ words or phrases
to stimulate participants to identify risks.
One organisation was looking at reducing service levels in a number of areas to reduce its operating
costs and SWIFT was used to analyse the impact of each reduced service level. Risks were then identified
and assessed. Where risks could not be reduced to a tolerable level, the service level was maintained.

5. Scenario Analysis  
Closely related to SWIFT.  Here a scenario is a short story or description of a situation of how a future
event or events might turn out or look like.  For each scenario, participants reflect and analyse the
potential consequences and potential causes when analysing risk.
Scenario analysis can be used to identify opportunities for fraud. For example, a scenario could be “A
staff member has just admitted to defrauding our company of $50,000 over 8 years through fictitious
expense claims…how can this happen?” 

6. Fault Tree Analysis (FTA) 

This method is similar to a form of creative thinking called reverse brainstorming. This technique is used
for identifying and analysing factors that can contribute to a specified undesired event (called the “top
event”). Causal factors are then identified and organized in a logical manner and represented pictorially
in a tree diagram.
For example, if you want to improve customer service, state the objective in reverse e.g. “How can we
really annoy our customers?” and from this statement, use brainstorming to identify causes that could
annoy customers. 

7. Bow Tie Analysis 

They say “a picture is worth a thousand words” and this method is a perfect example.   Bow tie analysis
is a diagrammatic way of describing, linking and analysing the pathways of a risk from causes to
effects/consequences.
Unlike the risk register, there are no numbers in this analysis i.e. there is no risk or control evaluation
involved. This keeps the focus on understanding the relationships between the causes, event and
TIP: After a brainstorming session, bow tie analysis is a great way to clean up the ideas generated and
consolidate the results into more appropriate risk statements. 

8. Direct Observations 
Simply looking out for risks and being situationally aware is not included in ISO/IEC 31010 as a risk
identification technique.  This relatively simple technique is used daily in the workplace by staff who may
observe risky situations and hazards regularly. It is also used by emergency services when attending to
an emergency and is a form of dynamic risk assessment.  It is also heavily used by Workplace Health &
Safety professionals during inspections and audits.
A risk aware culture and well trained staff will improve people’s ability to observe potential risks and
implement controls before the risk eventuates into an incident.

9. Incident Analysis 
Incidents are risks that have now occurred.  Recording incidents in a register, conducting root cause
analysis and periodically running some trend analysis reports to analyse incidents, can potentially
enable new risks to be identified. In addition, a high frequency of like incidents can be a lead risk
indicator to a potentially larger problem.

10.  Surveys 
This method is also not included in ISO/IEC 31010 as a risk identification technique, however, it is similar
to structured interviews but involves a larger number of people. It can be used to collect a broad set of
ideas, thoughts and opinions across a range of areas covering risks and control effectiveness.
One of the best ways for risk managers to use surveys is to assess the organisation’s risk culture.
Internal auditors can use surveys to assess the internal control environment. Some organisations use
annual staff surveys to gauge staff understanding of key risk and governance policies and procedures.

The Bottom Line 

Risk assessments need not be boring workshops.

Risk identification techniques vary in complexity and each method has advantages and
Whilst understanding all 30 plus risk assessment techniques outlined in ISO/IEC 31010:2009 Risk
management – Risk assessment techniques is ideal, for most situations, having a tool kit of 5-8
different techniques that can be used at the appropriate time is sufficient.

So, now that you know the different methods…it’s time to leave your comfort zone and try something

Tony Harb B. Bus, FCA, MBA, MIIA (Aust) has over 20 years’ experience in risk management, financial
control and audit. He can be contacted on 02 9241 1344 or 


Copyright © InConsult Pty Ltd 2013