According to ISO 31010, “Risk identification is the process of finding, recognizing and recording risks.” Risk (or hazard) identification is a structured process for identifying and assessing the risks an organization deals with in its day-to-day operations: the harm its hazards could do to people, the environment, assets or reputation. Once these risks have been identified and assessed, the risk register gives you an overview of the most important ones, with detailed information on how each can be managed.
How to identify risks – consider all business activities
The bowtie is not a hazard identification method in itself. For this step of ISO 31000, you choose a dedicated identification technique; common ones are HAZID, What-if, PHA and HAZOP.
Regardless of which method you use, it is important to answer the following questions:
- What are the activities we do as an organization that have the potential to cause harm?
- What are the causes for this potential harm?
- What are the potential outcomes?
- Some organizations also ask: What barriers do we have in place?
In this phase of risk identification, you consider all activities, including those that are already under control. Once you have mapped every activity with its causes and potential outcomes, you assess the risk each one poses. This is where the risk matrix comes in.
Determine the probability and severity of your risks
In the risk matrix, you rate each potential outcome on two axes: its probability and its severity. Which risk matrix you use was already decided in the previous step of the risk management process (scope, context and criteria), and so were the thresholds that separate the high, medium and low risk areas of the matrix (figure 1). You can assess the initial risk with several matrices, e.g. one each for people, assets, environment and reputation, and each matrix can have its own thresholds.
Figure 1: Example of a risk matrix.
Risks that land in the high-risk or medium-risk area of the matrix go on to the next step of the risk management process, risk analysis. Risks in the low-risk area stay in the risk register and are reviewed on a regular basis.
The next step
At the end of this process, you and your workgroup have found, recognized and described the risks your organization is dealing with, and you are ready for the next step: risk analysis of the risks rated high or medium. In the next post we will dive into this third step of the ISO 31000 model. We hope to see you then!