Skip to content
Skip to main content

About this free course

Download this course

Share this free course

Risk management
Risk management

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

1 The basics of risk identification (What do I need to identify?)

There is a range of approaches for identifying risks, but first consider what it is you are looking to identify.

Activity 2 Identifying a risk

Timing: Allow approximately 10 minutes

Select the terms that, when set out in the boxes below, define the process of risk identification. Drag the correct terms into the three boxes.

Active content not displayed. This content requires JavaScript to be enabled.
Interactive feature not available in single page view (see it in standard view).


The short answer is the Root Cause, the Event and the Consequence, or more precisely the Root Causes, Event and Consequences. The addition here is really important: where possible you need to understand all of the causes of a risk and all of the potential consequences. This is critical because only by doing this can you ensure that your treatments are comprehensive.

  • Root Causes – Root Causes are the elements that can lead to the event taking place.
  • Event – Events are the point at which control is lost but consequences have not happened.
  • Consequences – Consequences are the outcomes that can happen downstream of the event.
  • Hazard – A hazard is the set of circumstances in which the risk is present (e.g. there is a risk of explosion when filling a car petrol tank).
  • Controls – Controls are not part of a risk statement: controls are treatment of the risk. It is not uncommon for a control failure to be mistaken for a risk.
  • Incidents – An incident is a risk that has occurred. Incidents may provide ‘clues’ as to what risks may exist, but incidents may not provide the whole picture.
  • Concern – A concern relates to a set of circumstances that may result in a risk. However, they are often too poorly defined to allow for a risk to be created. Therefore further work is often required to establish the risk present.
  • Cost – Cost is not part of a risk statement, but it is often used as a way to measure risk.
  • Issue – An issue – similar to an incident – is a risk that has occurred, but typically may have more of an enduring nature (e.g. a fire (an incident) leads to a prolonged unavailability of computer servers (an issue)).