2.2 Risk indentification

Some of the risks are obvious and often repeated, whilst others may require special expertise and dedication. For example, the same type of risks are repeated in project activities, while risks caused by external changes or threats may be unique.

How to identify risks

Risk identification is part of an organization’s risk management model. The identification may be continuous, regularly repeated – for example in workshops – or project-specific. Investment or development projects always involve a risk identification phase.

In addition to free thinking, different tools and techniques may be used to identify risks, examples of which are given below.

Interviews and surveys

Interviews and surveys help to identify risks from people with different perspectives and expertise. People from your own organization, customers, partners and external experts can participate in them.

One popular survey technique for identifying difficult and complex risks is Delphi. It first collects views on one or more questions from an expert panel anonymously and independently of each other. After analysing the answers, the experts can access all the answers and modify their own positions based on them. The process is repeated until the panellists reach a common view on the given questions.

Risk workshops

The methods described above may be used to identify risks related to the operation of a company or other organization in workshops. The risk workshops for investment and development projects focus especially on identifying the project’s risks while considering the connections to the greater risk landscape.

 Data analytics

One’s information systems and publicly available data help to identify trends and dependencies that the aforementioned methods do not necessarily bring to the fore. Artificial intelligence tools can facilitate data-based analysis and open up new opportunities for risk management.


Scenarios are possible descriptions of the future. A popular way to produce scenarios is through workshop work. Here is a simple model in which to implement them:

  • In the preparation phase, the organizer determines the purpose and scope of the workshop. Usually, scenarios are related to predicting the future of a certain organization or part of it.
  • At the workshop, the participants first think about change factors that could impact the organization’s future. The perspectives of the aforementioned PESTLE analysis, combined with the perspectives of customers or partners, help to structure change factors.
  • Next, the participants rate the uncertainty and impact of the change factors. From these, the two to three most critical factors are selected through discussion.
  • If there are two more influential yet uncertain factors, for example, a certain regulation and the ability of artificial intelligence, extremes are defined for them. In other words, the regulation will tighten or ease and AI’s capabilities will grow exponentially or remain at the current level
  • The end result is a quadrilateral, where the participants define four future images or stories. They all involve opportunities and risks that risk management must respond to.

Root cause and Bow tie analysis

The identification of risks is facilitated by getting to know their root causes. Root cause analysis aims to discover which events can lead to the realization of a risk. The analysis reveals new risks, which may be reduced by controlling the probability of the original risk occurring.

Bow tie is a method that combines risk root cause analysis and risk management methods in the same framework. The method gets its name from the visualization that resembles a bow tie.

In the accompanying fictional example, the loss of a key person has been identified as a risk – a central event. On the diagram on the left are threats, which are the root causes of a risk. To combat threats, a number of preventive measures, proactive protections, have been devised.

On the right side of the diagram are the consequences of the loss of a key person. They are preceded by restorative protections that aim to prevent the consequences from occurring.

Bow tie analysis

Other methods

Methods for identifying risks are described below, such as SWOT intended for organizational assessment and PESTLE intended for assessing the operating environment. In addition, risk management related to one of an organization’s management processes, i.e. project management, has been presented. Other processes and functions of the organization may also involve special risk management, which can be combined in a suitable way with the risk management of the entire organization (ERM).

Other risk identification methods include e.g. Structured What-if Technique (SWIFT), Hazard and operability studies (HAZOP studies) and Failure modes and effects analysis (FMEA and FMECA). There are descriptions of these in industry literature and standards.


SWOT analysis is a traditional way to identify the strengths, weaknesses, opportunities and threats of an organization or project.

Weaknesses and strengths are related to one’s own functions; that is, they are internal; threats and opportunities are directed at the organization externally.

Organizations usually carry out SWOT analyses in workshops that they organize, for example, at different levels or in units of the organization. There are also digital tools with which an analysis can be performed anonymously with a large group.


PESTLE analysis helps to identify risks related to the operating environment. Its perspectives are as follows:

  • Political factors, for example, the stability of the market, changes in the government or atmosphere.
  • Economic factors, such as the cost of capital, the availability of financing or general confidence in the economy.
  • Social factors, for example, a change in the age structure, urbanization or valuations.
  • Technological factors, such as technological breakthroughs, the life cycle of technologies or trust in technologies.
  • Legislation, for example, changes in EU legislation, national legislation or local and industry regulations.
  • Environmental factors, such as zero-carbon requirements, customer expectations or the actions of environmental organizations.

PESTLE is a management tool, although people from different tasks and units of the organization may participate in producing its content.

Project risk identification

Development project risks are often related to the following factors:

  • Schedule – The project’s schedule may be subject to uncertainty due to, for example, dependencies
  • Scope – The project is possibly too broad or the demarcation is unclear
  • Availability of resources – The project requires resources that are either scarce or not yet available
  • Financing – The financing of the project is uncertain or the project budget is uncertain
  • Content – The content of the project is complex or consists of many pieces
  • Strategic fit – It is difficult to demonstrate the direct link of the project to the organization’s strategy
  • Difficulty of implementation – Putting the results into practice may fail