Risk cannot be managed unless it is identified. Once the context of the business has been defined, the next step is to use this information to identify as many risks as possible.
The aim is to identify the risks that may affect, either negatively or positively, the objectives of the business and all its activity.
You will need to:
- Identify retrospective risks
- Identify prospective risks.
Identifying retrospective risks
Retrospective risks are seen in incidents or accidents that have occurred in the past.
Retrospective risk identification is the most common way to identify risk and the easiest. A risk is easier to understand if its impact has already been experienced. It is also easier to quantify its impact and to evaluate the damage. There are many sources of information about retrospective risk including:
- hazard or incident logs or audit reports
- customer complaints
- accreditation documents and reports
- staff or client surveys
- newspapers or professional media, such as journals and websites.
Identifying prospective risks
Prospective risks are harder to identify. These are things that have not yet happened, but might happen in the future.
Identification should cover all risks, whether or not they are currently managed. The plan will be to record all significant risks and monitor the effectiveness of their treatment.
Methods for identifying prospective risks include:
- brainstorming with staff and external stakeholders
- researching the economic, political, legislative and operating environment
- interviewing staff and clients to identify potential problems
- flow charting a process
- reviewing system design or preparing system analysis.
Risk categories will help break down the process for prospective risk identification. It is important to remember that risk identification will be limited by the experience and perspective of those conducting the risk analysis. Problem areas and risks can be best identified by the use of reliable sources.