Thursday, March 13, 2014

Risk Assessment - Risk Identification

Risk Management – Article 15

Keshav Ram Singhal

Clause 5.4.2 of ISO 31000:2009 provides guidelines on risk identification. Risk identification is the process of understanding risks, which includes finding, recognizing and describing them. This process involves the identification of (i) risk sources, (ii) events, (iii) causes of risk sources and events, and (iv) potential consequences of risk sources and events. Risk identification may involve (i) historical data, (ii) theoretical analysis, (iii) informed and expert opinions, and (iv) stakeholders' needs. A risk source is an element that (alone or in combination) has the essential or natural potential to cause risk. It can be tangible (physical) or intangible (non-physical). An event is an occurrence (one or more) or a change of a particular set of circumstances. An event can have several causes. Sometimes an event is referred to as an incident or accident. An event without outcome (consequences) is also referred to as a 'near miss', 'incident', 'near hit' or 'close call'.

The purpose of risk identification is to find out what may happen or what situations may exist that may affect the objectives of the organization or system.

The organization should identify:
(i) risk sources,
(ii) areas of impacts,
(iii) events and changes in circumstances,
(iv) causes of risk sources and events, and
(v) potential consequences of risk sources and events

Risk identification should be based on judgement and done with care, as a non-identified risk may not be included in further analysis.

The organization should determine whether or not the risk source is under its control. It should examine the knock-on effects of particular consequences, including cascade and cumulative effects. It should consider a wide range of consequences even if the risk source or cause may not be evident. It should also consider possible and significant causes and scenarios that show what outcomes (consequences) may occur.

The organization should apply risk identification tools and techniques suited to its objectives. Relevant and up-to-date information, along with appropriate background information, is important for risk identification. Appropriately competent personnel with knowledge of risk management should be involved in the risk identification process.

ISO 31010:2009 provides guidance on the selection and application of systematic techniques for risk assessment that may be applied for risk identification, analysis and evaluation. Some of the techniques include Brainstorming, Structured or semi-structured interviews, Delphi, Check-lists, Primary hazard analysis, HAZOP, HACCP, ERA, SWIFT, etc.

