According to ISO 31010 “Risk identification is the process of finding, recognizing and recording risks.”
Risk (or hazard) identification is a structured process for finding and assessing the risks an organization is exposed to in its day-to-day operations, and the harm those risks pose to people, the environment, assets or reputation. Once the risks have been identified and assessed, the risk register gives you an overview of the most important ones, together with detailed information on how each can be managed.
How to identify risks – consider all business activities
The bowtie itself is not a hazard identification method. Within the ISO 31000 process, a separate technique is used to identify the risks that will later be modelled; common ones are HAZID, What-if, PHA and HAZOP.
Regardless of which method you use, it is important to answer the following questions:
- What are the activities we do as an organization that have the potential to cause harm?
- What are the causes for this potential harm?
- What are the potential outcomes?
- Some organizations also ask: What barriers do we have in place?
In this phase you consider all activities, including those that are already under control. Once every activity has been mapped with its causes and potential outcomes, the next step is to assess how much risk each one carries. That is where the risk matrix comes in.
Determine the probability and severity of your risks
In the risk matrix you combine the probability and the severity of each potential outcome. Which matrix you use is already decided in the previous step of the risk management process (scope, context and criteria), and so are the thresholds that separate high, medium and low risks in the matrix (figure 1). You can also assess the initial risk with several matrices, one per consequence category, e.g. people, assets, environment and reputation, and each matrix can have its own thresholds, so the same probability and severity can land in different risk classes depending on the category.
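The following Python is an added illustration of the assessment step, not code from the page or from any bowtie tool. It assumes a hypothetical 5x5 matrix (five probability and five severity classes, score = probability x severity) and hypothetical per-category thresholds; neither ISO 31000 nor ISO 31010 prescribes these values, they are what the organization would fix in the scope, context and criteria step. The activities, causes, outcomes and barriers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical 5-point scales (assumption: the organization defines its own).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Matrix:
    """One risk matrix for one consequence category, with its own thresholds."""
    category: str
    medium_from: int  # score >= medium_from -> "medium"
    high_from: int    # score >= high_from   -> "high"

    def rate(self, probability: str, severity: str) -> Tuple[int, str]:
        score = PROBABILITY[probability] * SEVERITY[severity]
        if score >= self.high_from:
            return score, "high"
        if score >= self.medium_from:
            return score, "medium"
        return score, "low"


# Hypothetical thresholds: people is rated more strictly than assets.
MATRICES: Dict[str, Matrix] = {
    "people": Matrix("people", medium_from=4, high_from=10),
    "assets": Matrix("assets", medium_from=6, high_from=15),
    "environment": Matrix("environment", medium_from=5, high_from=12),
    "reputation": Matrix("reputation", medium_from=6, high_from=15),
}


@dataclass
class RiskEntry:
    """One row of the risk register: the answers to the identification questions."""
    activity: str
    causes: List[str]
    outcome: str
    barriers: List[str]
    estimates: Dict[str, Tuple[str, str]]           # category -> (probability, severity)
    ratings: Dict[str, Tuple[int, str]] = field(default_factory=dict)  # filled by assess()


def assess(entries: List[RiskEntry], matrices: Dict[str, Matrix] = MATRICES) -> List[RiskEntry]:
    """Rate every entry in every category it was estimated for."""
    for entry in entries:
        for category, (probability, severity) in entry.estimates.items():
            entry.ratings[category] = matrices[category].rate(probability, severity)
    return entries


def worst_level(entry: RiskEntry) -> str:
    """The highest class reached in any category decides the entry's overall class."""
    return max((level for _, level in entry.ratings.values()), key=LEVEL_ORDER.__getitem__)


def register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register: worst class first, then highest score within the class."""
    return sorted(
        entries,
        key=lambda e: (LEVEL_ORDER[worst_level(e)], max(score for score, _ in e.ratings.values())),
        reverse=True,
    )


def sample_entries() -> List[RiskEntry]:
    """Constructed sample data, not taken from any real assessment."""
    return [
        RiskEntry("Public-facing customer web application",
                  ["unpatched framework", "injection flaw"], "customer data breach",
                  ["web application firewall", "patch SLA"],
                  {"people": ("unlikely", "major"), "assets": ("possible", "major"),
                   "reputation": ("possible", "catastrophic")}),
        RiskEntry("Contractor remote access to OT network",
                  ["stolen VPN credentials", "flat network"], "unsafe process shutdown",
                  ["MFA on VPN", "network segmentation"],
                  {"people": ("likely", "catastrophic"), "assets": ("possible", "major"),
                   "environment": ("possible", "major")}),
        RiskEntry("Internal payroll processing",
                  ["input error"], "mis-payment",
                  ["four-eyes approval"],
                  {"people": ("rare", "minor"), "reputation": ("unlikely", "moderate")}),
    ]


def build_register() -> List[RiskEntry]:
    return register(assess(sample_entries()))


if __name__ == "__main__":
    for entry in build_register():
        print(worst_level(entry).upper(), entry.activity, entry.ratings)
```

The point to watch in the output is the OT-network entry: a score of 12 is "high" in the environment matrix but only "medium" in the assets matrix, because each category carries its own threshold. A register that used one matrix for everything would hide that difference.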