Risk Identification

Overview of Issue

The identification of key risks (i.e. what can go wrong?) is the first step in risk management. The following diagram outlines the steps in risk identification, risk assessment, and risk management. The red arrow indicates the focus of this Risk Note.

How bad?

Refer to related Risk Notes for details:

  • Risk – Concepts and Misconceptions, Risk Assessment, Risk Management and IRM/ERM.

Key Points

  • Key risks should relate to an organization’s strategic objectives.
  • The standardized taxonomy of Canadian healthcare risks can help organizations focus on the most pertinent risks and enable industrywide benchmarking


Things to Consider


Focus on organization objectives

  • An understanding of the organization’s context and strategic objectives is one of the most important steps in successful IRM implementation. This will help to prevent the impractical indexing of all risks within the organization (Fraser, 2017).
  •  With key organizational objectives confirmed, the next step is to identify what can go wrong – what risks could prevent an organization achieving these objectives.
  • The following table outlines common strategic objectives/risk categories in Canadian healthcare organizations and sample objective statements.
Category chart

Limit the number of risks

  • Recognize risk identification will never be “perfect” as risks are often interrelated and clear delineation between risks is not always possible. While comprehensive risk identification is critical to ensure all pertinent risks are included in the analysis, a list with several hundred or more risks will be difficult to operationalize.
  • Where possible, aggregate risks at a high level (e.g. “hospital acquired infections” versus separate risks for different types of infections). Consider limiting numbers by focusing on the most “material” or significant ones; those that might require the attention of senior leadership or the Board (e.g. risks that could results in catastrophic impacts).

Don’t start from scratch

  • Most healthcare organizational risks are already well known. Leadership teams do not need to start from scratch; rather they can build their list of key risks starting with the wealth of information that is available from internal and external sources such as incident reports, published literature, claims, and accreditations.
  • Organizations are encouraged to consider HIROC’s Taxonomy of Healthcare Organizational Risks that was developed in collaboration with subscribers. Adoption of this standardized taxonomy will help ensure leadership due diligence and enable aggregate trend analysis, benchmarking and knowledge sharing.