Risk Identification
Expert-defined terms from the Risk Management for Organizations course at London School of Business and Administration. Free to read, free to share, paired with a professional course.
Asset (Concept)
Any resource of value owned or controlled by an organization that could be affected by risk.
Related terms: asset register, valuation, critical asset.
Explanation: Assets include physical items, information, personnel, reputation, and financial resources. Identifying assets is the first step in recognizing what could be lost or damaged.
Example: A data center housing customer records is a critical asset for a cloud service provider.
Practical application: Conduct an asset inventory during risk identification workshops to map every tangible and intangible resource.
Challenges: Overlooking hidden or intangible assets such as brand equity can lead to incomplete risk profiles.

Assumption (Concept)
A statement accepted as true without proof, forming the basis of risk analysis.
Related terms: risk assumption, baseline, scenario.
Explanation: Assumptions simplify complex environments but must be documented because they can become risk sources if they prove false.
Example: Assuming that a supplier will deliver components on time each month.
Practical application: List all assumptions in a risk register and review them regularly for validity.
Challenges: Unchecked assumptions may cause surprise failures when conditions change.

Audit (Concept)
A systematic examination of processes, controls, and records to verify compliance and effectiveness.
Related terms: internal audit, compliance audit, audit trail.
Explanation: Audits uncover gaps in risk identification by revealing undocumented processes or control weaknesses.
Example: An IT audit discovers that backup procedures are not documented, creating a hidden risk.
Practical application: Integrate audit findings into the risk identification phase to enrich the risk catalogue.
Challenges: Audits can be resource‑intensive and may miss emerging risks if the scope is too narrow.

Brainstorming (Concept)
A collaborative technique where participants generate ideas freely to identify potential risks.
Related terms: Delphi method, focus group, facilitated workshop.
Explanation: By encouraging divergent thinking, brainstorming surfaces risks that structured checklists might overlook.
Example: A project team uses brainstorming to list possible delays, regulatory changes, and technology failures.
Practical application: Conduct a facilitated session with cross‑functional stakeholders early in the project lifecycle.
Challenges: Dominant personalities can bias the output; careful facilitation is required to capture all viewpoints.

Business Impact Analysis (BIA) (Concept)
An assessment that determines the consequences of disruption to critical business functions.
Related terms: critical process, recovery time objective, risk assessment.
Explanation: BIA identifies which assets and processes are most vital, guiding risk identification toward high‑impact areas.
Example: A BIA reveals that loss of the online ordering system would cause a 30% revenue drop within 48 hours.
Practical application: Use BIA results to prioritize risk identification efforts on the most consequential functions.
Challenges: Accurate data collection is difficult; assumptions about recovery capabilities can skew analysis.

Capability Maturity Model (CMM) (Concept)
A framework that assesses the maturity of processes, including risk management practices.
Related terms: process improvement, maturity level, continuous improvement.
Explanation: Evaluating the maturity of risk identification processes helps identify procedural gaps and improvement opportunities.
Example: An organization at CMM level 2 lacks formal risk identification templates, leading to inconsistent documentation.
Practical application: Conduct a maturity assessment to define a roadmap for enhancing risk identification consistency.
Challenges: Implementing higher maturity levels requires cultural change and sustained investment.

Cause‑Effect Diagram (Concept)
Also known as a fishbone diagram; a visual tool that maps potential causes of a risk event.
Related terms: Ishikawa diagram, root cause analysis, risk mapping.
Explanation: By structuring causes under categories (people, process, technology, etc.), the diagram aids systematic risk identification.
Example: A cause‑effect diagram for a production delay highlights equipment failure, staffing shortages, and supplier quality issues.
Practical application: Use the diagram during risk workshops to explore the underlying factors of identified threats.
Challenges: Requires knowledgeable facilitation; may become overly complex if too many causes are listed.

Checklist (Concept)
A predefined list of potential risk categories or items used to ensure comprehensive coverage.
Related terms: risk register, template, standard operating procedure.
Explanation: Checklists provide a systematic way to scan for common risks, reducing the chance of omission.
Example: A cybersecurity checklist includes risks such as phishing, insider threats, and unpatched software.
Practical application: Adopt industry‑specific checklists during the initial risk identification phase.
Challenges: Over‑reliance on checklists can stifle creative identification of novel or emerging risks.

Compliance Requirement (Concept)
Legal, regulatory, or contractual obligations that an organization must satisfy.
Related terms: regulation, policy, audit finding.
Explanation: Non‑compliance creates risk; identifying these requirements is essential to capture regulatory risk.
Example: A financial institution must comply with AML (anti‑money‑laundering) regulations, creating compliance risk if processes fail.
Practical application: Catalog all applicable statutes and standards during risk identification to flag potential non‑compliance areas.
Challenges: Keeping up‑to‑date with changing regulations across jurisdictions can be demanding.

Consequence (Concept)
The outcome or impact that results from a risk event occurring.
Related terms: impact, severity, loss.
Explanation: Understanding consequences helps prioritize identified risks based on potential damage.
Example: The consequence of a data breach may include fines, reputational harm, and customer churn.
Practical application: Quantify consequences using financial metrics or qualitative scales to inform risk ranking.
Challenges: Estimating intangible consequences such as brand damage involves subjective judgment.

Control (Concept)
A measure or action designed to mitigate, avoid, or detect a risk.
Related terms: preventive control, detective control, mitigation.
Explanation: Identifying existing controls during risk identification reveals risk exposure levels.
Example: An encryption protocol serves as a control against unauthorized data access.
Practical application: Document controls alongside each identified risk to assess residual risk.
Challenges: Controls may become outdated; regular review is needed to ensure effectiveness.

Critical Success Factor (CSF) (Concept)
An essential activity or condition that must be achieved for an organization to meet its goals.
Related terms: key performance indicator, objective, risk driver.
Explanation: CSFs highlight areas where risk identification should be focused because failures directly threaten strategic objectives.
Example: On‑time delivery is a CSF for a logistics company; risks to delivery schedules are therefore high priority.
Practical application: Align risk identification workshops with CSFs to ensure strategic relevance.
Challenges: Misidentifying CSFs can misallocate risk‑identification resources.

Delphi Method (Concept)
An iterative survey technique that gathers expert opinions anonymously to reach consensus on risk identification.
Related terms: expert panel, round‑robin, forecasting.
Explanation: By avoiding groupthink, the Delphi method surfaces diverse risk perspectives, especially for complex or future‑oriented threats.
Example: A series of Delphi rounds identifies emerging cyber‑threats for a multinational corporation.
Practical application: Use the method when internal expertise is limited or when external viewpoints are valuable.
Challenges: Requires careful questionnaire design and time for multiple rounds.

Dependency (Concept)
A relationship where one activity, system, or resource relies on another.
Related terms: interdependency, critical path, risk cascade.
Explanation: Dependencies create pathways for risk propagation; identifying them reveals potential domino effects.
Example: A manufacturing line depends on a single supplier for a key component; a supply disruption poses a risk.
Practical application: Map dependencies in a process flowchart during risk identification to detect single points of failure.
Challenges: Hidden or informal dependencies may be missed without thorough stakeholder engagement.

Enterprise Risk Management (ERM) (Concept)
A holistic approach that integrates risk identification across all business units and levels.
Related terms: risk appetite, risk culture, risk governance.
Explanation: ERM ensures that risk identification is not siloed but aligned with the organization’s overall strategy.
Example: An ERM framework mandates quarterly risk identification workshops for each department, feeding into a central risk register.
Practical application: Adopt a top‑down and bottom‑up process to capture both strategic and operational risks.
Challenges: Achieving consistent participation and data quality across diverse units can be difficult.

Event (Concept)
Any occurrence that may trigger a risk, whether internal or external.
Related terms: trigger, incident, scenario.
Explanation: Recognizing events helps in constructing risk scenarios and identifying early warning signs.
Example: The enactment of a new data‑privacy law is an event that creates regulatory risk for companies handling personal data.
Practical application: Maintain an event log to track occurrences that could affect risk exposure.
Challenges: Distinguishing between significant events and routine occurrences requires judgment.

External Risk (Concept)
Risks originating outside the organization’s control, such as market fluctuations or natural disasters.
Related terms: macro‑risk, environmental risk, political risk.
Explanation: External risks often require scenario analysis and monitoring of broader trends during risk identification.
Example: A sudden increase in oil prices poses an external risk to transportation costs.
Practical application: Subscribe to external data feeds and conduct periodic horizon scanning to capture emerging external risks.
Challenges: Predicting external events is inherently uncertain; over‑reliance on historical data may miss novel threats.

Fault Tree Analysis (FTA) (Concept)
A top‑down deductive method that models the pathways leading to an undesired event.
Related terms: logic diagram, failure mode, risk modeling.
Explanation: By breaking down the event into basic causes, FTA aids systematic risk identification and root‑cause discovery.
Example: An FTA for a power outage traces back to generator failure, fuel supply interruption, and maintenance errors.
Practical application: Use FTA in high‑reliability industries (e.g., aerospace) to map complex failure pathways.
Challenges: Requires detailed technical knowledge; can become unwieldy for large systems.

Financial Risk (Concept)
The possibility of losing monetary value due to market, credit, liquidity, or operational factors.
Related terms: market risk, credit risk, valuation risk.
Explanation: Identifying financial risks involves assessing exposure to currency fluctuations, interest rates, and cash‑flow disruptions.
Example: A company with significant foreign‑currency revenue faces financial risk from exchange‑rate volatility.
Practical application: Incorporate financial risk indicators into risk identification dashboards for real‑time monitoring.
Challenges: Complex financial instruments may obscure underlying risk exposures.

Hazard (Concept)
A source of potential damage, injury, or loss.
Related terms: risk source, danger, threat.
Explanation: Hazards are identified first; risk is then assessed by evaluating likelihood and consequence.
Example: A wet floor in a factory is a hazard that could cause slips and injuries.
Practical application: Conduct hazard walks in physical environments to capture tangible risks.
Challenges: Non‑physical hazards such as cyber‑threats require different identification techniques.

Impact (Concept)
The degree of effect a risk event would have on objectives.
Related terms: severity, consequence, loss magnitude.
Explanation: Impact assessment informs prioritization; high‑impact risks demand more mitigation resources.
Example: A data breach affecting millions of customers has a high impact due to regulatory fines and brand damage.
Practical application: Use a standardized impact matrix to score each identified risk consistently.
Challenges: Balancing quantitative and qualitative impact measures can be subjective.

Incident (Concept)
An unplanned event that may indicate a realized risk.
Related terms: event, near miss, failure.
Explanation: Recording incidents provides feedback for refining risk identification and understanding risk frequency.
Example: A phishing email that bypasses spam filters is an incident that reveals a security risk.
Practical application: Implement an incident reporting system that feeds directly into the risk register.
Challenges: Under‑reporting due to cultural or fear factors can limit learning.

Interdependency (Concept)
Mutual reliance among multiple systems, processes, or organizations.
Related terms: dependency, risk cascade, systemic risk.
Explanation: Interdependencies can amplify risk propagation; identifying them uncovers hidden systemic vulnerabilities.
Example: Two data centers share a common power supplier; a failure at the supplier creates interdependent risk.
Practical application: Use network‑mapping tools to visualize interdependencies during risk identification.
Challenges: Complexity grows exponentially with each added interdependency, making analysis difficult.

Key Risk Indicator (KRI) (Concept)
A metric used to provide early warning of increasing risk exposure.
Related terms: performance indicator, threshold, monitoring.
Explanation: Selecting appropriate KRIs during risk identification helps organizations track risk trends proactively.
Example: A rising number of failed login attempts serves as a KRI for cyber‑security risk.
Practical application: Define KRIs for each major risk category and embed them in operational dashboards.
Challenges: Poorly chosen KRIs may generate false alarms or miss critical risk signals.

Likelihood (Concept)
The probability that a risk event will occur.
Related terms: probability, frequency, risk rating.
Explanation: Estimating likelihood is essential for risk prioritization; it combines historical data and expert judgment.
Example: Historical data shows a 5% annual chance of a flood in the region, informing likelihood assessment.
Practical application: Use statistical models where data permits; otherwise rely on expert elicitation.
Challenges: Limited data or rapidly changing environments can make likelihood estimates unreliable.

Loss Event (Concept)
The actual occurrence that results in a loss, confirming a risk.
Related terms: incident, damage, failure.
Explanation: Documenting loss events validates risk identification and helps refine future assessments.
Example: A server crash that leads to five hours of downtime is a loss event for IT operations.
Practical application: Track loss events in a centralized log and map them back to identified risks.
Challenges: Attribution can be complex when multiple risk factors contribute to a loss.

Mitigation (Concept)
Actions taken to reduce either the likelihood or impact of a risk.
Related terms: control, prevention, contingency.
Explanation: Identifying mitigation options during risk identification ensures that each risk has a planned response.
Example: Implementing redundant servers mitigates the risk of a single point of failure.
Practical application: Pair each identified risk with at least one mitigation strategy in the risk register.
Challenges: Over‑mitigation can consume resources; cost‑benefit analysis is required.

Monitoring (Concept)
Ongoing observation of risk indicators and control effectiveness.
Related terms: KRI, audit, review.
Explanation: Continuous monitoring validates that identified risks remain relevant and that controls function as intended.
Example: Quarterly reviews of supply‑chain performance monitor for potential disruptions.
Practical application: Establish a schedule and responsibility matrix for risk monitoring activities.
Challenges: Data overload and alert fatigue can diminish the value of monitoring.

Operational Risk (Concept)
Risks arising from internal processes, people, systems, or external events that affect day‑to‑day operations.
Related terms: process risk, human error, system failure.
Explanation: Identifying operational risks focuses on the efficiency, reliability, and compliance of core activities.
Example: Manual data entry errors leading to inaccurate financial reporting constitute operational risk.
Practical application: Conduct process walkthroughs and staff interviews to surface operational risks.
Challenges: Low‑visibility risks, such as cultural issues, are harder to capture.

Opportunity (Concept)
A favorable circumstance that can be leveraged to achieve objectives; often considered the positive side of risk.
Related terms: risk‑reward, strategic advantage, benefit.
Explanation: During risk identification, opportunities are recorded alongside threats to enable balanced decision‑making.
Example: A new technology offers an opportunity to reduce production costs.
Practical application: Include an “opportunity” column in the risk register to track potential upside.
Challenges: Over‑optimism can lead to underestimating associated risks.

Probability Distribution (Concept)
A mathematical function that describes the likelihood of different outcomes for a risk event.
Related terms: statistical model, Monte Carlo, risk quantification.
Explanation: Understanding the distribution aids in more accurate likelihood and impact estimation during identification.
Example: Using a normal distribution to model variation in monthly sales revenue.
Practical application: Apply probability distributions in risk‑modeling software to simulate potential outcomes.
Challenges: Selecting an inappropriate distribution can misrepresent risk exposure.

Process Mapping (Concept)
Visual representation of workflow steps, inputs, and outputs.
Related terms: flowchart, value stream, as‑is diagram.
Explanation: Mapping processes reveals gaps, redundancies, and failure points that constitute risks.
Example: A process map of order fulfillment highlights a manual verification step prone to error.
Practical application: Use process mapping in early risk identification workshops to pinpoint risk hotspots.
Challenges: Complex processes may require multiple layers of mapping, increasing effort.

Qualitative Assessment (Concept)
Evaluation of risk based on descriptive criteria rather than numerical data.
Related terms: risk matrix, subjective rating, scenario analysis.
Explanation: When data is scarce, qualitative methods allow rapid identification and prioritization of risks.
Example: Rating risk likelihood as “high,” “medium,” or “low” based on expert judgment.
Practical application: Apply a risk matrix to rank identified risks for further analysis.
Challenges: Subjectivity can lead to inconsistent rankings across assessors.

Quantitative Assessment (Concept)
Numerical evaluation of risk using statistical or financial metrics.
Related terms: expected loss, Monte Carlo simulation, value‑at‑risk.
Explanation: Quantitative assessment provides precise estimates of potential loss, supporting robust risk‑identification decisions.
Example: Calculating an expected annual loss of $2 million from equipment failure based on failure rates and repair costs.
Practical application: Use quantitative tools for high‑value or high‑frequency risks.
Challenges: Requires reliable data; model assumptions can introduce bias.

Regulatory Risk (Concept)
The risk of non‑compliance with laws, regulations, or standards, leading to penalties or operational restrictions.
Related terms: compliance, legal risk, audit finding.
Explanation: Identifying regulatory risk involves cataloguing applicable statutes and assessing adherence gaps.
Example: A pharmaceutical firm faces regulatory risk if its batch testing does not meet FDA standards.
Practical application: Integrate regulatory checklists into the risk identification process for each business unit.
Challenges: Frequent regulatory changes demand continuous monitoring and adaptation.

Scenario Planning (Concept)
Development of plausible future narratives to explore how risks may evolve.
Related terms: what‑if analysis, stress testing, future‑casting.
Explanation: By constructing diverse scenarios, organizations uncover risks that may not appear in current data.
Example: A scenario where a pandemic forces remote work for all employees, exposing cybersecurity gaps.
Practical application: Conduct scenario workshops with senior leadership to broaden risk horizons.
Challenges: Scenarios can become speculative; balancing realism with creativity is essential.

Stakeholder (Concept)
Any individual or group with an interest in or influence over the organization’s activities.
Related terms: interest group, owner, customer.
Explanation: Engaging stakeholders during risk identification captures diverse perspectives and hidden concerns.
Example: Suppliers may identify supply‑chain risks that internal staff overlook.
Practical application: Hold stakeholder interviews and focus groups as part of the risk identification phase.
Challenges: Conflicting stakeholder priorities can complicate risk prioritization.

Strategic Risk (Concept)
Risks that affect the organization’s ability to achieve its long‑term goals.
Related terms: business risk, market risk, competitive risk.
Explanation: Identifying strategic risks aligns risk management with corporate strategy and direction.
Example: Entering a new market without adequate market research creates strategic risk.
Practical application: Link risk identification outcomes to the strategic planning process.
Challenges: Long‑term horizons increase uncertainty; forecasting accuracy diminishes over time.

Supply‑Chain Risk (Concept)
Risks arising from the network of suppliers, logistics, and distribution channels.
Related terms: vendor risk, logistics risk, disruption.
Explanation: Mapping the supply chain uncovers dependencies and potential points of failure.
Example: A single‑source component supplier poses a supply‑chain risk if geopolitical tensions disrupt deliveries.
Practical application: Perform supplier risk assessments and incorporate findings into the overall risk register.
Challenges: Global supply chains involve many tiers, making comprehensive identification complex.

Threat (Concept)
A potential cause of an unwanted incident that may result in harm to an asset.
Related terms: risk source, hazard, vulnerability.
Explanation: Distinguishing threats from vulnerabilities helps structure the risk identification process.
Example: A ransomware group is a threat to the organization’s IT systems.
Practical application: Compile a threat inventory based on intelligence sources and industry reports.
Challenges: New threat actors can emerge quickly, requiring continuous intelligence gathering.

Vulnerability (Concept)
A weakness that can be exploited by a threat to cause harm.
Related terms: weakness, exposure, gap.
Explanation: Identifying vulnerabilities completes the risk identification triangle (asset, threat, vulnerability).
Example: Unencrypted backup tapes represent a vulnerability for data confidentiality.
Practical application: Conduct vulnerability assessments and map results to identified threats.
Challenges: Hidden vulnerabilities, such as insider knowledge, may be difficult to detect.

Value at Risk (VaR) (Concept)
A statistical technique that quantifies the maximum expected loss over a defined period at a given confidence level.
Related terms: risk metric, Monte Carlo, financial risk.
Explanation: VaR provides a quantitative measure that can be used during risk identification to prioritize financial exposures.
Example: A portfolio has a 1‑day VaR of $5 million at 95% confidence.
Practical application: Apply VaR calculations to high‑value financial risks identified in the risk register.
Challenges: VaR assumes normal market conditions and may underestimate tail risk.

Work‑Breakdown Structure (WBS) (Concept)
A hierarchical decomposition of a project into manageable sections.
Related terms: project planning, task list, deliverable.
Explanation: By breaking a project into components, a WBS reveals where risks may arise at each level.
Example: A WBS for software development shows risk at the coding, testing, and deployment phases.
Practical application: Use the WBS as a framework for systematic risk identification in project environments.
Challenges: Over‑granular decomposition can lead to an overwhelming number of low‑significance risks.