Skip to main content

1.7 Methods of Risk Identification

1.7 Method of Risk Identification


  • Risk practitioner can use following source for identification of the risk:

  • Review of past audit reports

  • Review of incident reports

  •  Review of public media articles and press releases

  • Through systematic approaches such as vulnerability assessment, penetration testing, review of BCP and DRP documents, interview with senior management and process owners, scenario analysis etc.

  • All the identified risks should be captured in the risk register along with details like description, category, probability, impact, risk owner and other details. 

  • Infact, maintenance of the risk register process starts with the risk identification process.

  • Primary objective of the risk identification process is to recognize the threats, vulnerabilities, assets and controls of the organization.

Risk Identification Process


Following are the steps of risk identification process:  

Step 1-Identify Assets

Step 2-Identify Threats

Step 3-Identify existing controls

Step 4-Identify vulnerabilities

Step 5-Identify consequences

Conducting Interviews


Following are some of the good practice for use of interview technique to identify the risk:

  • Risk practitioners should ensure that staff whose interview is being taken have sufficient authority and knowledge about the process.

  • To the extent possible, risk practitioners should study the business process in advance of the interview. This will help in smooth conduct of interviews and risk practitioners can concentrate on areas of concern.

  •  Interview questions should be prepared in advance and shared with interviewee so they come prepared and bring any supporting documentation, reports or data that may be necessary.

  • Risk practitioners should obtain and review relevant documentation like SOPs, reports and other notes which supports the statement of the interviewee.

  • Risk practitioners should encourage interviewees to be open about various risk scenarios.


Delphi Technique                      


Many organizations resort to Delphi technique in which polling or information gathering is done either anonymously or privately between the interviewer and interviewee.

Key aspects from CRISC exam perspective


CRISC Questions

Possible Answers

In which technique employees are allowed to identify risk anonymously?

Delphi Technique

Preparation of a risk register starts with

Risk identification stage

Primary objective of risk identification

To detect threats and vulnerabilities

Advantage of Risk Register

All identified risks are documented in one place

What is the first step in risk identification?

Information gathering

Video Tutorial - 1.7 Method of Risk Identification 

Flashcards - Methods of Risk Identification

Practice Questions - Methods of Risk Identification


 Practice Questions - Methods of Risk Identification

Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates