Risk Assessment - Risk Identification

Risk Management – Article 15

Risk Assessment - Risk Identification

Keshav Ram Singhal



Clause 5.4.2 of ISO 31000:2009 provides guidelines on risk identification. Risk identification is a process of understanding risks that includes process of finding, recognizing and describing risks. This process involves the identification of (i) risk sources, (ii) events, (iii) causes of risk sources and events, and (iv) potential consequences of risk sources and events. Risk identification may involve (i) historical data, (ii) theoretical analysis, (iii) informed and expert opinions, and (iv) stakeholder's needs. Risk source is an element (alone or in combination) has the essential or natural potential to cause to risk. It can be tangible (physical) or intangible (non-physical). An event is occurrence (one or more) or change of a particular set of circumstances. An event can have several causes. Sometimes an event is referred as an incident or accident. An event without outcome (consequences) is also referred as a 'near miss', 'incident'. 'near hit' or 'close call'.

The purpose of risk identification is to find out what may happen or what situations may exist that may affect the objectives of the organization or system.

The organization should identify:
(i) risk sources,
(ii) areas of impacts,
(iii) events and changes in circumstances,
(iv) causes of risk sources and events, and
(v) potential consequences of risk sources and events

Risk identification should be judgemental and done with care, as a non-identified risk may not be included in further analysis.



The organization should determine whether or not the risk source is under the control of the organization. The organization should examine knock-on effects of particular consequences, cascade and cumulative effects. The organization should consider a wide range of consequences even if the risk source or cause may not be evident. The organization should consider possible and significant causes and scenarios that show what outcome (consequences) may occur.



Suitable to organization's objectives, the organization should apply risk identification tools and techniques. Relevant and up-to-date information along with appropriate background information is important for risk identification. Appropriate competent personnel having knowledge in risk management should be involved in risk identification process.

ISO 31010:2009 provides guidance on selection and application of systematic techniques for risk assessment that may be applied for risk identification, analysis and evaluation. Some of the techniques include Brainstorming, Structured or semi-structured interviews, Delphi, Check-lists, Primary hazard analysis, HAZOP, HACCP, ERA, SWIFT etc.

Next write-up …. Risk Assessment - Risk Analysis

Risk Assessment - An Overview

Risk Assessment - An Overview

Keshav Ram Singhal

Clause 5.4 of ISO 31000:2009 deals with risk assessment and its sub-clauses are as under:
5.4.1 - General
5.4.2 - Risk identification
5.4.3 - Risk analysis
5.4.4 - Risk evaluation



Sub-clause 5.4.1 (General) defines the term risk assessment as given in Para 3.4.1 of ISO Guide 73:2009. Accordingly, risk assessment is overall process of risk identification (process of finding, recognizing and describing risks), risk analysis (process to comprehend the nature of risk and to determine the level of risk, process that provides the basis for risk evaluation and decisions about risk treatment and includes risk estimation), and risk evaluation (process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable, and it's a process that assists in the decision about risk treatment).

Risk assessment provides us with an improved understanding of risks. Risk assessment provides us a basis for decisions about the appropriate approach to be used to treat the risks.

Next write-up …. Risk Assessment - Risk Identification