
1.7 Methods of Risk Identification


  • A risk practitioner can use the following sources to identify risk:

      • Review of past audit reports
      • Review of incident reports
      • Review of public media articles and press releases
      • Systematic approaches such as vulnerability assessment, penetration testing, review of BCP and DRP documents, interviews with senior management and process owners, scenario analysis, etc.


  • All identified risks should be captured in the risk register along with details such as description, category, probability, impact, risk owner and other attributes.

  • In fact, the process of maintaining the risk register starts with the risk identification process.

  • The primary objective of the risk identification process is to recognize the organization's threats, vulnerabilities, assets and controls.


Risk Identification Process

 

Following are the steps of the risk identification process:

Step 1 - Identify assets

Step 2 - Identify threats

Step 3 - Identify existing controls

Step 4 - Identify vulnerabilities

Step 5 - Identify consequences


Conducting Interviews

 

Following are some good practices for using the interview technique to identify risk:

  • Risk practitioners should ensure that the staff being interviewed have sufficient authority and knowledge of the process.

  • To the extent possible, risk practitioners should study the business process in advance of the interview. This helps the interview run smoothly and lets the risk practitioner concentrate on areas of concern.

  • Interview questions should be prepared in advance and shared with the interviewee so they come prepared and bring any supporting documentation, reports or data that may be necessary.

  • Risk practitioners should obtain and review relevant documentation such as SOPs, reports and other notes that support the interviewee's statements.

  • Risk practitioners should encourage interviewees to be open about various risk scenarios.

 

Delphi Technique

Many organizations use the Delphi technique, in which polling or information gathering is done either anonymously or privately between the interviewer and the interviewee.


Key aspects from CRISC exam perspective

  CRISC Question                                                           Possible Answer
  ----------------------------------------------------------------------   ------------------------------------------------
  In which technique are employees allowed to identify risk anonymously?   Delphi Technique
  Preparation of a risk register starts with                               Risk identification stage
  Primary objective of risk identification                                 To detect threats and vulnerabilities
  Advantage of a risk register                                             All identified risks are documented in one place
  What is the first step in risk identification?                           Information gathering


