Risk Identification

Definition

Risk Identification

the ongoing risk management task of identifying the significant risks to the success of an endeavor

Classification

As illustrated in the preceding figure, Risk Identification is part of the following inheritance hierarchy:

• Type: Abstract
• Superclass: Engineering Task
• Subclasses: None

Responsibilities

The typical responsibilities of Risk Identification are to:

• Identify all significant risks associated with an endeavor including their associated risk factors:
  • Assets that are at risk
  • Business processes that are at risk
  • Threats to these assets and business processes
  • Vulnerabilities to these threats

Preconditions

Risk Identification can typically begin when the following preconditions hold:

• The endeavor has started.
• The system, application, or center exists.
• At least one of the associated team(s) are:
  • Initially staffed.
  • Adequately trained in risk management tasks and techniques.
• The risk management plan (RMP) is complete.

Completion Criteria

Risk Identification is typically complete when the following postconditions hold:

• All significant risks have been identified including the:
  • Assets at risk.
  • Business processes at risk.
  • Threats to these assets and business processes.
  • Vulnerabilities to these threats.
• The initial risk repository has been created and approved.

Steps

Risk Identification typically involves members of the endeavor’s teams performing the following steps in an iterative, incremental, parallel, timeboxed, and ongoing manner:

• Identify risk factors:
  • Identify all assets that are at risk:
    • Applications:
      • Systems.
      • Software.
    • Components:
      • Hardware components.
      • Software components.
      • Data components.
      • Personnel components (a.k.a., wetware such as people who operate the applications).
      • Documentation components (a.k.a., paperware such as manuals and administrative procedures).
      • Facilities
    • Supplies: paper forms, magnetic media, toner cartridges, etc.
    • Money
    • Intangibles:
      • User and customer organization goodwill
      • Organisation confidence
      • Organisation reputation and image
  • Identify all business processes at risk.
  • Identify all threats to these assets:
    • Harm can happen to the assets and business processes.
    • Harm can happen to the owner of the assets and business processes (e.g., through lack of income or use).
  • Identify all vulnerabilities to these threats.

Techniques

Risk Identification can be performed using the following techniques:

• Checklists of risks and their factors
• Brainstorming of risks and their factors
• Cross Functional Teams to provide multiple viewpoints so that a comprehensive list of risks and their factors is developed.
• Documentation Studies of risk identification literature and previous risk management plans
• Incremental Development of the risks and their factors
• Interviews with stakeholders and domain experts
• Iteration of the identified risks and their factors
• Joint Application Development (JAD) of the risks and their factors
• Parallel Development of the risks with other tasks and other teams
• Reuse of previously identified risks

Work Products

Risk identification typically results in the production of all or part of the following work products:

• Initial Risk Repository containing:
  • An initial list of unprioritized potential risks:
    • Assets and business processes at risk
    • Threats to these assets and business processes
    • Vulnerabilities to these threats

Guidelines

• Perform this task concurrently with the risk analysis task.
• Safety risks can be identified by the safety team.
• Security risks can be identified by the security team.
• Consider all risks, both accidental (safety), intentional (security risks), and environmental.
• Risk identification requires both managerial and technical expertise.