Every risk management process stands or falls on one step: identification. A risk you never wrote down cannot be analyzed, treated, or monitored. It simply waits.
The uncomfortable truth about major incidents is how rarely they're true surprises. After the fact, someone almost always says: we knew about that. The knowledge existed — in a technician's head, in a complaint email, in a near-miss nobody logged. Risk identification is the discipline of collecting that scattered knowledge before the incident, not after.
Here's how to do it well.
Start from objectives, not from fear
The fastest way to produce a useless risk list is to ask a room, "What are you afraid of?" You'll get a random mix of pet worries and yesterday's headlines.
The better opening question: What are we trying to achieve — and what could prevent it? Anchoring identification to objectives (launch the product in Q3, keep uptime above 99.9%, pass the audit, retain key staff) does two things. It keeps the exercise relevant, and it defines the boundary. Without objectives, everything is a risk, and a list of everything is a list of nothing.
The core techniques
No single method finds all risks. The skilled approach combines several, each catching what the others miss.
The risk workshop
The workhorse of identification. Gather six to ten people who know the business from different angles — operations, finance, IT, sales, HR — and work through your objectives or processes systematically. Structure beats free association: walk through categories (strategic, operational, financial, compliance, technological, people) or through the value chain step by step.
Two facilitation rules make or break workshops. First, no evaluation during collection — the moment someone says "that would never happen," people stop volunteering. Second, capture cause and consequence, not just labels. "Cyber risk" is a category. "A phishing email compromises an admin account, leading to encrypted production systems and a multi-day outage" is a risk you can actually assess and treat.
Interviews
Some of the most important risks never surface in groups — because they're politically awkward, because they implicate a department, or because the person who knows is quiet. One-on-one interviews with key people, under explicit confidentiality, reliably surface risks that workshops don't. The magic question: "What do you know that would worry the management team if they knew it too?"
Checklists and risk catalogs
Generic risk catalogs — covering everything from supplier failure to key-person dependency to regulatory change — are unfashionable but effective. Their power is negative: they don't tell you what your risks are, but they stop you from forgetting whole categories. Use them as a final sweep after creative techniques, never as a starting point, or you'll inherit someone else's risk profile instead of discovering your own.
The pre-mortem
A technique borrowed from decision science, devastatingly effective for projects. Instead of asking "what could go wrong?", tell the team: It's eighteen months from now. The project has failed completely. Write the story of what happened.
The reframing is psychologically clever. Prospectively, people defend their plans; retrospectively — even in imagination — they become insightful critics. Pre-mortems consistently surface risks that standard brainstorming misses, especially the uncomfortable ones involving the team's own assumptions.
Process and site walks
Desk-based identification misses what's visible on the ground: the backup that runs to a drive in the same room, the fire door propped open, the "temporary" workaround now in its third year. Walking the actual process — physically or through the systems — grounds your register in reality.
Data mining your own history
Incident logs, customer complaints, audit findings, near-misses, insurance claims: your organization has been generating risk data for years. A near-miss is a free lesson — the incident that almost happened shows you a risk with proven likelihood and zero damage. Organizations that systematically review near-misses tend to surface risks long before they turn into incidents.
Writing risks down properly
A risk register full of two-word entries ("IT failure", "staff turnover") is nearly worthless — nobody can rate, treat, or own a category. Force a structure. The simplest one that works:
Because of [cause], [event] may occur, leading to [consequence for objective].
For example: "Because our deployment process has no automated rollback, a faulty release may take the customer portal offline for several hours, leading to SLA penalties and reputational damage."
One sentence, and suddenly the risk has an assessable likelihood (how often are releases faulty?), an assessable impact (what do SLA penalties cost?), and an obvious treatment direction (build the rollback).
Quantity is not quality
A common failure mode: the 400-row register. Identification workshops can become competitive, and the register swells until it's unmanageable — at which point people stop maintaining it, and the whole process dies of obesity.
Resist. Merge duplicates ruthlessly. Roll trivial risks into broader entries. Park the genuinely minor items on a watch list. Most organizations are well served by a register of 20–60 well-described risks, of which the top 10–15 receive active management attention. Depth beats breadth: five risks that are properly understood, owned, and treated create more safety than a hundred that are merely listed.
Make it a rhythm, not an event
The biggest identification mistake isn't technique — it's timing. An identification exercise done once, at project start or during an ISO push, captures a photograph of a moving object. New markets, new hires, new suppliers, new technology: each brings risks that didn't exist at your last workshop.
Practical rhythm for most organizations: a full identification workshop annually, a lightweight review each quarter ("what's new, what's changed, what's gone?"), and standing triggers — every new project, major contract, or organizational change gets a quick risk scan as part of its approval.
And build the informal channel: make it normal, even celebrated, for anyone to raise a risk at any time. The frontline employee who says "this worries me" is your cheapest and best sensor. Organizations where raising a risk is rewarded find their risks early. Organizations where it's punished find them in the newspaper.