Skip to main content

1.7 Methods of Risk Identification

1.7 Method of Risk Identification

 

  • Risk practitioner can use following source for identification of the risk:


  • Review of past audit reports

  • Review of incident reports

  •  Review of public media articles and press releases

  • Through systematic approaches such as vulnerability assessment, penetration testing, review of BCP and DRP documents, interview with senior management and process owners, scenario analysis etc.


  • All the identified risks should be captured in the risk register along with details like description, category, probability, impact, risk owner and other details. 


  • Infact, maintenance of the risk register process starts with the risk identification process.


  • Primary objective of the risk identification process is to recognize the threats, vulnerabilities, assets and controls of the organization.


Risk Identification Process

 

Following are the steps of risk identification process:  


Step 1-Identify Assets

Step 2-Identify Threats

Step 3-Identify existing controls

Step 4-Identify vulnerabilities

Step 5-Identify consequences


Conducting Interviews

 

Following are some of the good practice for use of interview technique to identify the risk:

  • Risk practitioners should ensure that staff whose interview is being taken have sufficient authority and knowledge about the process.


  • To the extent possible, risk practitioners should study the business process in advance of the interview. This will help in smooth conduct of interviews and risk practitioners can concentrate on areas of concern.


  •  Interview questions should be prepared in advance and shared with interviewee so they come prepared and bring any supporting documentation, reports or data that may be necessary.


  • Risk practitioners should obtain and review relevant documentation like SOPs, reports and other notes which supports the statement of the interviewee.


  • Risk practitioners should encourage interviewees to be open about various risk scenarios.

 

Delphi Technique                      

 

Many organizations resort to Delphi technique in which polling or information gathering is done either anonymously or privately between the interviewer and interviewee.


Key aspects from CRISC exam perspective

 

CRISC Questions

Possible Answers

In which technique employees are allowed to identify risk anonymously?

Delphi Technique

Preparation of a risk register starts with

Risk identification stage

Primary objective of risk identification

To detect threats and vulnerabilities

Advantage of Risk Register

All identified risks are documented in one place

What is the first step in risk identification?

Information gathering



Video Tutorial - 1.7 Method of Risk Identification 

Flashcards - Methods of Risk Identification

Practice Questions - Methods of Risk Identification





 


 Practice Questions - Methods of Risk Identification