Risk Identification & Assessment (Operational)
The risk identification and assessment process is a critical part of effectively managing risks or events as part of an organization’s operational risk. Risks are identified and then classified by risk category. Each risk is then assessed based on its impact and prioritized in order to direct management focus toward the most important risks (Deloitte & Touche LLP, 2012).
The process consists of 4 simple steps conducted by a Risk Committee:
- Identify potential risks that could impact the organization and classify each risk into categories.
- Rate each risk based on impact and likelihood, and provide rationale and understanding of root causes related to each risk (additional criteria can be rated; some processes include ‘speed of onset’ and ‘vulnerability’).
- Prioritize top-rated risks to ensure the right ones are managed going forward.
- Develop specific action plans to address the risks.
The Operational Risk Identification & Assessment model is meant for Operational Risk Managers and Operational Risk Consultants.
“Executives today face many challenges to their businesses, from uncertain economic growth to the speed of technological change. Add the clear and present risks of cyberattacks, changing customer behaviors, and you have a landscape in which the first-line owners of risk must also take the lead in managing that risk.” (PwC, 2017)
“Properly implemented, Risk Management can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement; controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives” (Wallis, 2014).
1) NOODLE & TAG: Identify the key risks that could impact your organization and categorize each risk by category using the following tags (can be customized):
2) COMBINE to eliminate duplicates and move forward with only unique risks.
3) MULTI-CRITERIA RATE each risk based on Impact and Likelihood. In the comments section, provide rationale for why each risk was rated the way it was.
4) PRIORITIZE: Identify high priority risks for management attention.
5) ACTIONS: Develop specific action plans to address the risks.
- Prioritized list of risks to receive management attention
- Critical thinking skills developed that enable a risk culture
- Valuable insight into why risks were rated the way they were
- Shared understanding and alignment on risks to the organization.
- List of potential risks that can be revisited during each risk identification and assessment cycle
BENEFITS & IMPACT
This exercise will enable:
Quality: Gain critical insight into your organization and proactively manage the risks that impact achievement of strategic goals – no surprises. Increased perspectives will reduce risk.
Efficiency: Engage busy stakeholders when it’s convenient for them to contribute – 24/7, reducing meetings and bringing the right people to the table.
Engagement: Conversation analytics allow individual stakeholders to know how they rated risks versus how others did, igniting rich discussion and deeper alignment. Provide a safe space for stakeholders to evaluate and provide candid thoughts and rationale.
Agility: Develop a shared understanding about the organization's or department's key risks. Evaluate and focus management attention and resources on the most important risks.
Deloitte & Touche LLP. (2012). Risk Assessment in Practice. Deloitte. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf
PwC Risk in Review. (2017). Managing Risk from the front line. PwC. https://www.pwc.com/us/en/risk-assurance/risk-in-review-study/survey-findings-risk-management-trends.html
Wallis, P. (2012). Risk Management, Achieving the Value Proposition. Government Finance Review. http://www.gfoa.org/risk-management-achieving-value-proposition