Identifying Strategic Risks and Opportunities in Your Business

Identifying Risks in Brief

Workshops, SWOT and PESTLE analysis, supplier review, incident data and management review all surface risks. The trick is to capture them once in a single register rather than across dozens of separate spreadsheets.

Identifying risks and opportunities

Identification is the practical first step in risk-based thinking. Before anything can be assessed or treated it has to be on the page. The standards do not prescribe a single method for finding risks and opportunities, but they do expect the organisation to be deliberate about it - to use defined sources rather than relying on whatever happens to come up in conversation.

Most organisations underperform here for one of two reasons. Either the risk register is built once at the start of the management system and rarely revisited, in which case identification is treated as a one-off exercise. Or the register is reviewed regularly but only existing entries are looked at, with no fresh sources of input considered. Both approaches lead to a register that drifts away from the real state of the business over time.

Where risks and opportunities come from

There are six main sources to work through when identifying risks and opportunities. These are the inputs that the standards expect to be considered, and that an external auditor will look for evidence of.

Interested parties. The needs and expectations of interested parties - customers, staff, regulators, suppliers, the local community and so on - are a primary source. Where an interested party has a legitimate expectation that the organisation cannot reliably meet, that is a risk. Where an interested party has a need that is not yet served, that may be an opportunity. The interested parties register, required by Clause 4.2 of every ISO management system standard, is where these are recorded and feeds directly into the strategic risks register.

Internal and external issues. The context of the organisation - covered by Clause 4.1 in every ISO standard - is the broader environment in which the business operates. Internal factors include company history and culture, staff knowledge and attitudes, strategic direction, organisational roles, operating procedures and resources. External factors are the political, economic, social, technological, legal and environmental conditions affecting the business. SWOT (Strengths, Weaknesses, Opportunities, Threats) and PESTLE (Political, Economic, Social, Technological, Legal, Environmental) are the standard tools and most strategic risk registers include a SWOT section to make the link explicit.

Process performance and operational data. Each significant process in the management system can fail in ways that affect the organisation's ability to deliver. Audit results, nonconformity trends, customer complaints, supplier performance, equipment downtime and quality data all surface risks that might otherwise stay hidden. A process that has had three nonconformities in six months is telling the organisation something about its risk profile.

Legal and regulatory obligations. Compliance failure is itself a risk. Pending or recent legislation may also create new risks or opportunities. The legal register is the natural input here - any legislation that requires action, any change in scope, any new regulatory body becomes part of risk identification. Organisations operating internationally must consider their obligations in each jurisdiction.

Incidents, near-misses and complaints. Things that have already gone wrong, or nearly gone wrong, are direct evidence of where risk is sitting. The issues and actions register, accident records, security incidents and customer complaints all feed identification. A near-miss that was not formally recorded as a risk is a gap in the register.

Specialised inputs by discipline. Each specialised assessment has its own identification sources. Workplace hazards are identified by walk-throughs, task analysis and consultation with workers. Information security risks come from threat intelligence, vulnerability scanning, asset reviews and incident logs. Business continuity disruption is identified through business impact analysis. Bribery risk emerges from due diligence on business associates. Consumer vulnerability is identified through frontline staff feedback, monitoring of touchpoints and case-by-case observation.

Methods for surfacing risks and opportunities

Listing the sources is one half of identification. The other half is having a process that actually surfaces what is there.

A facilitated workshop is the most common starting point. The senior team and key contributors work through SWOT, the interested parties review and the major business processes, capturing risks and opportunities as they emerge. This is how a strategic risks register is normally first populated and how it is refreshed at significant intervals - typically annually.

Continuous capture sits alongside the workshop. New risks and opportunities are added to the register as they come up through the year - from audit findings, management meetings, incidents, customer feedback, environmental changes, legislative updates. The register is owned by someone who is empowered to add entries without waiting for the next formal review.

Targeted reviews are useful where a specific concern arises. A change of ownership, a new product line, a major contract win, a regulatory change or a serious incident all warrant a focused identification exercise rather than waiting for the annual cycle. The output of these targeted reviews flows into the register the same way.

Cross-discipline checking matters where multiple registers exist. A workplace hazard recorded operationally may have strategic implications that should be reflected on the strategic register - say, a recurring injury type that suggests a wider operational issue. An information security threat may warrant a corresponding strategic-level entry. Without cross-checking, the strategic register can become disconnected from what is actually happening in the specialised disciplines.

Common identification mistakes

Three patterns come up repeatedly at audit and they all reduce the value of the register.

The first is generic risks copied from a template. "Loss of key staff", "supply chain disruption", "cyber attack" without any specific context to the organisation are not really identified risks - they are categories. A useful entry says which key staff, which supply chain, which systems, and how that maps to the organisation's actual operations. Generic entries cannot be assessed meaningfully and cannot be treated effectively.

The second is one-direction thinking. The register lists threats but not opportunities, or treats opportunity entries as throwaway items. The clause requires both. A register with 30 risks and one opportunity entry is the most common imbalance.

The third is the closed-loop register. New entries are not added because the register is treated as a fixed document. Audit findings, incidents and changes in the business environment do not flow in. The register becomes a snapshot of one moment, frozen in place. The fix is operational rather than methodological - someone owns the register and is expected to keep it current.

When auditing identification, I look for evidence that the organisation has been deliberate about it. Has the SWOT actually been worked through, or just filled in? Has the interested parties review been used to surface risks, or does it sit in isolation? Are there entries in the register that clearly came from audit findings or incidents? Are there opportunities, not just threats?

I also look at the dates. A risks register where every entry was added on the same day a year ago tells me the identification is happening once a year and not in between. That is a finding even before I look at what is on the register.

We get most of our useful risk additions from operational data, not workshops. Audit findings flag things, complaints flag things, near-misses flag things. The workshop is good for the strategic stuff - market changes, big-picture threats - but the day-to-day risk identification happens through the issues and actions register feeding into the risks register.

The opportunity side is harder. We have had to be deliberate about it. We now ask at every management meeting what opportunities we are not capturing, and the question itself has improved what we record.

If your risks register has not changed since this time last year, your identification process has failed. Businesses change all the time. The register should reflect that.

Practical Compliance Guidance

The IMS1 Manual Section 2.5 covers the identification process at the management system level - the sources of risk and opportunity, who is responsible, and how the registers connect. The interested parties register and the strategic risks register sit at the top of this and are usually populated together.

The alphaZ documents below are the practical inputs and outputs of the identification process. F-IMS22 surfaces interested party expectations, F-IMS23 records the resulting risks and opportunities, and the specialised registers handle their own disciplines.

alphaZ document | How to use it
ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1 and the registers used to identify and record risks and opportunities across multiple disciplines.
ISO 9001 Management System Toolkit | Quality-only toolkit covering the core identification documents - F-IMS22, F-IMS23 and IMS1.
F-IMS22 Interested Parties Register | Records interested parties and their needs and expectations. The starting point for identifying risks and opportunities tied to what others expect of the organisation.
F-IMS23 Opportunities and Risks Register | The strategic register, including a SWOT analysis section. Where identified risks and opportunities are recorded with their rating, controls and residual position.
ER1 Issues and Actions Register | Captures live issues, near-misses and improvement opportunities. A regular feed into the strategic risks register where issues reveal underlying risk patterns.
ER14 Hazard and Risk Assessment Register | The starting point for workplace hazard identification - a structured list of hazard categories with prompts for the assessments that follow.
ER15 Information Security Risks Register | Includes a threat intelligence sheet for capturing information security threat sources and a structured asset/threat/vulnerability identification approach.
ER16 Business Continuity Risk Register | Identifies critical functions and the disruption risks that could affect them, with structured prompts for context, dependencies and interested parties.
F-IMS38 Climate Change Review | Structured review of climate change impacts and risks relevant to the organisation. A defined input source for identifying climate-related risks and opportunities.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

There is no fixed number. Most small to mid-sized organisations end up with 20 to 50 entries on a strategic register once it has been worked through properly. A register with three or four entries is almost certainly missing things; a register with 200 has lost the strategic focus and is probably mixing in operational entries that belong on specialised registers.

Either or both. SWOT is built into many strategic risk register templates and most external auditors are familiar with it. PESTLE is useful for working through external factors in more depth and complements SWOT well. The standards do not require a specific tool - what matters is that internal and external factors are systematically considered.

Top management for the strategic view. Process owners and managers for operational risks within their areas. Frontline staff for hazards, near-misses and customer-facing concerns. The wider the input, the more complete the identification, but a small focused workshop with the right people is more effective than a large meeting with too many participants.

Ask the question explicitly. SWOT is helpful because the Opportunities and Strengths quadrants force opportunity thinking. Reviewing customer feedback for unmet needs, looking at process inefficiencies that could be improved, and considering market or technology changes that could be turned to advantage all surface opportunities. Most organisations find that asking what could go right, rather than only what could go wrong, shifts the conversation usefully.

UK Legislation relevant to identifying risks

Several pieces of UK legislation require organisations to identify specific categories of risk. These obligations sit alongside the ISO requirements and the same identification process can usually evidence both. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
