2. Identify Risks

Risk Management Framework

The identification of key risks to the firm is a critical step in effective risk management and needs to be comprehensive. If a potential risk is not identified at this stage it is omitted from further analysis, which means a material risk may be given insufficient attention.

The risks that relate to the firm's context and business objectives must be identified, whether or not they are under the influence of the firm.

Identify what can happen, where and when it can happen

Review the key organisational risk categories from APES 325, which were considered when establishing the context, and generate a list of potential risks that may impact the firm achieving each objective identified as part of the context. Describe the risk event in qualitative terms, if it were to occur. It should succinctly describe an outcome such as:

  • "Failure to..."
  • "Inconsistent..."
  • "Loss of..."

The consequence of the risk should not be included in the event description. Where a risk description includes connectors such as "leading to..." or "resulting in…", assess whether the result is actually the consequence. Risks should not be a process, a negative control or a control activity not occurring, for example 'payment is not authorised'.

Tools and techniques

The following questions can be used to assist in identifying risks:

  • What could go wrong?
  • How could we fail?
  • What must go right for us to succeed?
  • Where are we vulnerable?
  • What assets do we need to protect?
  • Do we have liquid assets or assets with alternative uses?
  • How could someone steal from the firm?
  • How could someone disrupt our operations?
  • How do we know whether we are achieving our objectives?
  • On what information do we most rely?
  • On what do we spend the most money?
  • How do we bill and collect our revenue?
  • What decisions require the most judgment?
  • What activities are most complex?

Identify why and how it can happen

Consider the possible causes and scenarios of each risk identified.

  • Cause - identify the potential triggers that may result in the risk event occurring. A single risk event may have a specific cause or multiple possible causes. A single cause may be applicable to multiple risks.
  • Consequence - identify the possible impact should the risk event occur. A single risk event may have a specific consequence or multiple possible consequences. A consequence may be common across multiple risks.

Tools and techniques:

  • Ongoing risk identification - any staff member can identify and raise risks.
  • Desk-based risk assessment - involves a discussion and assessment of the risks and controls of a given activity or process with the personnel involved in the day-to-day operation of the activity or process. This is a useful technique if the activity or process is relatively straightforward and relies upon little input from others.
  • Facilitated workshops - suitable for the risk assessment of more complex activities. A risk workshop is an effective method of obtaining input from stakeholders with multiple viewpoints to improve the robustness of the outputs of the risk assessment process. Formal workshops require preparation and often a mediator to ensure their effectiveness. Workshops should include a diverse range of stakeholders, including risk subject matter experts who are able to challenge the issues and ratings discussed.
  • Management review - a 'top-down' review to verify the completeness and accuracy of the risks raised by key practice stakeholders. This may involve validation at a risk workshop, if management is present, or a separate review to ensure that any additional risks are identified and considered for further analysis.


The output of the identification stage in the risk management process is a list of risks identified with the associated causes and potential consequences. An example of how this can be documented in a risk register is shown:

| Risk ID | Date Raised | Raised by | Risk | Event | Cause | Consequence |
|---|---|---|---|---|---|---|
| 1 | 15-Jul-12 | John Citizen | Regulatory | Failure to meet compliance obligations | Inadequate compliance training and/or poor compliance monitoring | Increased costs due to fines for breaches and/or reputation damage |
| 2 | 15-Jul-12 | John Citizen | Business continuity | Loss of Practitioner | Death or incapacity of Practitioner | Failure of or diminution in value of the Practice |
| 3 | 28-Aug-12 | Jane Citizen | Financial | Failure to collect receivables in a timely manner | Slow payment from debtors; Poor monitoring of outstanding debtors | Poor cash flow; Outstanding debts uncollectable; Loss of revenue |

The firm should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and potential consequences. The aim of this step is to generate a comprehensive list of material risks based on those events that might create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.

AS/NZS ISO 31000:2009