Risk identification is one of the most important parts of effective risk management. If an organisation cannot clearly identify the uncertainties that may affect its objectives, it cannot manage them, assure them or make informed decisions about them.
Yet risk identification is often misunderstood. Risk registers can become populated with vague concerns, control failures, incidents, audit findings or operational issues rather than true risks. The result is a risk profile that appears comprehensive but does not necessarily help leaders understand what could affect the organisation’s success.
Good risk identification turns uncertainty into insight. It helps organisations understand what they are trying to achieve, what could help or hinder those objectives, and where action may be needed.
This article explains why effective risk identification should begin with objectives. It also explores why risks are often confused with issues or control failures, and how that confusion can weaken management action.
Start with Objectives
Risk can be understood in line with the Institute of Internal Auditors’ definition:
Risk is the positive or negative effect of uncertainty on objectives.
This definition highlights three important points:
- risk is linked to objectives;
- risk involves uncertainty; and
- risk may create opportunity as well as harm.
A risk matters because it could affect something the organisation is trying to achieve. It may relate to something that could happen, may not happen or may happen differently from expected.
Risk identification should therefore start with objectives. An organisation should ask:
- What are we trying to achieve?
- What could help or hinder achievement?
- What assumptions are we relying on?
- What could change internally or externally?
- What would the consequence be if this uncertainty materialised?
Starting with objectives helps ensure that risk discussions remain focused on what matters most. It also helps prevent risk registers from being populated with generic concerns, control weaknesses or issues that are not clearly linked to business objectives.
For example, an organisation may have the following objective:
Improve customer service by using AI-enabled tools to provide faster, more consistent responses.
The uncertainty is whether the AI tool will support that objective. The organisation may not yet know whether the tool will provide accurate responses, protect customer and organisational data, operate fairly, comply with relevant expectations or be used appropriately by staff.
If implemented well, the tool may improve response times, increase consistency, reduce manual effort and enhance the customer experience. If implemented poorly, it may provide inaccurate or inappropriate responses, frustrate customers, increase manual rework, create compliance concerns or damage trust.
The risk could therefore be expressed as:
There is a risk that AI-enabled customer service tools do not operate accurately, fairly, securely or reliably due to insufficient governance, oversight or data quality controls, resulting in poor customer outcomes, operational disruption, regulatory challenge or reputational damage.
This keeps the risk conversation linked to the original objective. It avoids starting with a generic statement such as “AI risk” and instead asks:
What are we trying to achieve, and what uncertainty could affect our ability to achieve it?
Risk, Issue or Control Failure?
Be clear on how you’re defining your risks. We think of risks, issues and failed controls as:
A risk is a potential event or circumstance that has not yet fully materialised.
An issue is something that has already happened and requires management action.
A control failure is a weakness in the design or operation of a process intended to manage risk.
Conclusion
Good risk identification starts with a clear understanding of what the organisation is trying to achieve. From there, the focus should be on the uncertainty that could help or hinder those objectives.
Distinguishing risks from issues and control failures is essential. Issues may require immediate action, and control failures may need remediation, but the underlying risk explains why the matter matters. That clarity helps leaders focus on outcomes, make better decisions and design more proportionate responses.


