Risk Identification Methods
Method based on risk type or risk factor lists 
It is possible to start by defining a list of generic risks that apply whatever the activity. In particular, this includes natural disaster, IT system failure, human error, fraud, etc.
An initial list drawn up by a central team avoids the need for a complete analysis of risks with the operational managers of business functions, who can then concentrate on risks that are specific to their activity. This list could be based on regulatory texts and lists provided by professional partners (professional associations, insurance companies, etc.).
This list can then be completed during interviews with the operational managers of processes, who can define precisely the types of risks to which they are vulnerable. In this case, you identify the processes and the stakeholders or org-units of the organization concerned by these risk types or risk factors.
A risk identification questionnaire is prepared, from which each stakeholder selects risk types and risk factors of particular concern.
A questionnaire can therefore be produced and sent to the various stakeholders to enable them to identify risk events that concern them.
*See HOPEX Common Features for more information on questionnaires.
Replies to these questionnaires are then analyzed by experts in each of the relevant subjects, in consultation with the stakeholders concerned if necessary, to finalize risk identification.
It is then possible to remove from this generic list, which has been supplemented by risks specific to the activity, those risk events that do not apply to the particular field (example: a purely manual activity that does not require the services of an IT system).
 
Method based on enterprise objectives and process diagrams 
Using the description of organization processes, it is possible to determine the risks of not achieving organization objectives or of not satisfying regulatory or internal organization requirements.
To do this, select the processes that contribute to achieving these objectives or satisfying these requirements. Next, determine the risks by analyzing the flows exchanged between the org-units participating in these processes, as well as the operations executed by these org-units. From among these flows and operations, determine which ones could, in the event of malfunction, prevent the organization from achieving its objectives or satisfying its requirements.
This approach can be supplemented by using other risk identification criteria such as risk type or risk factor lists if these are available.
If enterprise process diagrams already exist, they can help to identify risks.
Risk events can be associated with each of the modeled processes.
Risks associated with a process are visible in the Control & Risks section of the process Characteristics property page.
 
Method of identification from incidents repository 
All types of stored history can be used, such as repositories of incidents, faults, claims, etc.
Identification consists of analyzing repositories to determine risk events. You should then specify, for each risk, the context in which it appears (process, org-unit of the organization, enterprise site, etc.).
*See the HOPEX LDC user guide for more information on incidents (events) repository management.