CHAPTER 1 Risk Identification Tools


The most dangerous risks are those we ignore, as they can lead to nasty surprises. Before organizing risks in a register, it is important to identify the risks that are specific to your own business, not just those based on an external list, and then assess, mitigate and monitor them.

Risk identification in an organization should take place both top‐down, at senior management level, looking at the large exposures and threats to the business, and bottom‐up, at business process level, looking at local or specific vulnerabilities or inefficiencies. These procedures are different but complementary, and both are vital because it is not sufficient to have one without the other. My favorite analogy for top‐down and bottom‐up risk management is the crow's nest versus the engine room of a boat, both of which are necessary for a complete view of an organization (see Figure 1.1).


FIGURE 1.1 Top‐down and bottom‐up risk management: the boat analogy

Top‐down risk analysis should be performed between one and four times a year, depending on the growth and development of the business and the level of associated risks. The aim is to identify key organizational risks, the major business threats that could jeopardize strategic objectives. Top‐down risk identification sessions will typically include senior risk owners, ...
