Back to Basics: Risk Identification and Evaluation

Understanding and managing risk is a cornerstone of effective organisational governance. In this session, we focus on two critical stages of the risk management process: risk identification and risk evaluation. These stages build on the foundational concepts of objectives, goals, and communication covered in our previous article.

The Three Lines of Defense

Before diving into risk processes, it’s helpful to understand the three lines of defense model, which outlines how risk responsibilities are distributed across an organisation:

  1. First Line – Operational Management
    Individuals in operational roles are responsible for owning and managing risks daily. This includes identifying risks, implementing controls, and ensuring adherence to policies and procedures. Their deep knowledge of the organisation supports a strong risk culture.
  2. Second Line – Risk and Compliance Functions
    This line provides oversight and guidance. Teams set policies, frameworks, and tools to ensure consistent risk management across the organisation. They report to senior management and, where resources allow, maintain independence from operational management.
  3. Third Line – Internal Audit
    The internal audit function offers independent assurance that risk management processes are effective. This line is entirely separate from the first and second lines, providing senior management with an objective assessment.

Risk Identification

Risk identification is the process of recognising potential events that could prevent an organisation from achieving its objectives. Risks can arise in all areas of life—personal, operational, or strategic.

  • Operational risks: Internal failures, system breakdowns, or loss of staff skills.
  • Strategic risks: Threats that affect the entire organisation, such as major contract failures or workforce retention issues.
  • Personal examples: Daily life risks like buying a new car or planning a trip illustrate that we continuously manage risk, often subconsciously.

Articulating Risks

A simple framework helps structure risk articulation:

Cause → Risk Event → Consequence

Examples:

  • Cause: Prolonged staff sickness → Risk Event: Lack of skills → Consequence: Failure to deliver services.
  • Cause: Broken locks → Risk Event: Tiger escapes → Consequence: Public injury.

Using relatable scenarios, such as a hungry mouse deciding whether to take the cheese from a mousetrap, illustrates the balance between risk appetite and potential consequences.

Tools for Identification

Risk identification is most effective through team discussions, workshops, surveys, and mind mapping. The goal is to identify risks that have the highest potential impact or highest likelihood of occurrence.

Risk Classification

Once identified, risks can be classified for better management. A commonly used method is PESTLE, which categorises risks as:

  • Political: Legislation or regulatory changes
  • Economic: Market shifts, inflation, cost of living
  • Sociological: Demographic or cultural trends
  • Technological: Cybersecurity, AI, or tech failures
  • Legal: Compliance with laws and regulations
  • Environmental & Ethical: Sustainability, CSR, ecological concerns

This structure helps organisations consider a wide spectrum of potential risks.

Risk Evaluation

Once risks are identified, they must be evaluated for significance to determine their acceptability or need for further action.

Key Components:

  1. Assessing Likelihood and Impact
    • Likelihood: The probability of a risk event occurring
    • Impact: The severity of consequences if the event occurs
  2. Using Risk Matrices
    Organisations often use impact vs. likelihood tables to score and prioritise risks. For example, a minor impact combined with a high likelihood could receive a moderate risk score, guiding management action.
  3. Considering Multiple Perspectives
    Evaluation should account for financial, operational, reputational, and legal impacts, ensuring a comprehensive assessment.
  4. Determining Acceptability
    Risk evaluation also involves comparing assessed risks against organisational tolerance levels or criteria to decide whether action is required.

Example: Risk of Sailing Across a Channel

An individual planning to canoe to France illustrates risk evaluation:

  • Objective: Reach France for lunch
  • Risks: Capsizing, getting lost, or poor preparation
  • Evaluation: Assess likelihood and potential consequences to decide whether to proceed, mitigate, or abandon the plan

This demonstrates how evaluating risks beforehand helps achieve objectives safely and effectively.
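As an added illustration of the evaluation steps above (scoring on an impact-vs-likelihood matrix, then comparing against a tolerance level), the following Python is not from the original article; the five-point scales, the rating bands and the likelihood/impact values given to the article's own examples (staff sickness, the tiger, the canoe trip) are all constructed assumptions, since the article states none.

```python
from dataclasses import dataclass

# Constructed 5-point scales for this example; organisations define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed rating bands; the list order lets a rating be compared with a tolerance
# level expressed in the same words.
BANDS = ["low", "moderate", "high"]


@dataclass(frozen=True)
class Risk:
    """One risk articulated as Cause -> Risk Event -> Consequence."""
    cause: str
    event: str
    consequence: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT

    def score(self) -> int:
        # Matrix cell value: likelihood x impact on the 1..25 product scale.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        # Assumed band thresholds: 15+ high, 8..14 moderate, below 8 low.
        s = self.score()
        return "high" if s >= 15 else "moderate" if s >= 8 else "low"

    def requires_action(self, tolerance: str) -> bool:
        # Acceptable only when the rating sits within the stated tolerance band.
        return BANDS.index(self.rating()) > BANDS.index(tolerance)


def evaluate(risks, tolerance="moderate"):
    """Rank risks by descending score and flag those exceeding the tolerance."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.event, r.score(), r.rating(), r.requires_action(tolerance)) for r in ranked]


# Constructed register built from the article's own examples.
REGISTER = [
    Risk("Prolonged staff sickness", "Lack of skills", "Failure to deliver services", "likely", "minor"),
    Risk("Broken locks", "Tiger escapes", "Public injury", "unlikely", "severe"),
    Risk("Poor preparation", "Canoe capsizes", "No lunch in France", "likely", "major"),
]

if __name__ == "__main__":
    for event, score, rating, act in evaluate(REGISTER, tolerance="moderate"):
        print(f"{event:15} score={score:2} rating={rating:8} action={'yes' if act else 'no'}")
```

With these assumed values the "likely" but "minor" staff-sickness risk scores 8, the moderate rating the article describes, while the capsizing risk scores 16 and is the only one exceeding a moderate tolerance.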

Conclusion

Risk identification and evaluation are fundamental for proactive risk management. By understanding potential risks, articulating them clearly, classifying them, and evaluating their significance, organisations can make informed decisions to safeguard objectives and resources.

The next stage, risk response, involves determining mitigation strategies.
