COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The following points of focus highlight important characteristics relating to this principle:
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
- Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
- Involves Appropriate Levels of Management—The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
- Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
- Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Identifying and analyzing risk is an ongoing iterative process conducted to enhance the entity's ability to achieve its objectives. Although an entity might not explicitly state all objectives, this does not mean that an implied objective is without either internal or external risk. Regardless of whether an objective is stated or implied, an entity's risk assessment process should consider risks that may occur. This process is supported by a variety of activities, techniques, and mechanisms, each relevant to overall risk assessment. Management develops and implements controls relating to the conduct of such activities.
Management considers risks at all levels of the entity and takes the necessary actions to respond. An entity's assessment considers factors that influence the severity, velocity, and persistence of the risk, likelihood of the loss of assets, and the related impact on operations, reporting, and compliance activities. The entity also needs to understand its tolerance for accepting risks and its ability to operate within those risk levels.
Risk identification must be comprehensive. It should consider all significant interactions—of goods, services, and information—internal to an entity and between the entity and its relevant business partners and outsourced service providers. These entities can include potential and existing suppliers, investors, creditors, shareholders, employees, customers, buyers, intermediaries, and competitors, as well as public bodies and news media. In addition, the organization should consider risks emanating from external factors such as new or amended laws and regulations, environmental issues, or potential natural events.
Further, risks related primarily to one category of objectives may impact objectives in other categories. For instance, a risk relating primarily to an operations objective for the timely production and delivery of a company's product may also impact financial reporting if the company's sales contract contains penalties for late shipments. Where an organization is assessing risks relating primarily to one category of objectives, for instance financial reporting, the risk assessment process may therefore need to consider risks to objectives in other categories that can in turn impact the financial reporting objectives.
Risk identification is an iterative process and is often integrated with the planning process. However, it may be useful to take a fresh look at the identified risks, and not merely default to making an inventory of risks as noted in the previous review. The focus is on identifying all risks that potentially impact the achievement of objectives as well as on emerging risks—those risks that are increasingly relevant and important to the entity and that may be addressed by scanning and analyzing relevant risk factors, as remote as they may seem.
Risk identification considers risks at various levels of the organizational structure, including the overall entity and its subunits, and processes such as sales, human resources, marketing, production, and purchasing. Entity-level risk identification is typically conducted at a relatively high level and, generally, does not include assessing transaction-level risks. Conversely, the identification of risks at a process level is inherently more detailed and would include transaction-level risks.
In addition, risk assessment considers risks originating in outsourced service providers, key suppliers, and channel partners that directly or indirectly impact the entity's achievement of objectives.
Management considers risks in relation to internal and external factors. Risk is dynamic; therefore, to determine the frequency of its risk assessment process, management generally considers the rate of change in risks to the achievement of objectives, other operational priorities, and cost. Typically, the process is a combination of ongoing and periodic risk assessments. If the rate of change relating to an objective or internal and external factors increases, it is useful to accelerate the frequency of assessing the related risks or assess the risk on a real-time basis.
Risks at the entity level can arise from external or internal factors. External factors may include:
- Economic—Changes that can impact financing, capital availability, and barriers to competitive entry
- Natural Environment—Natural or human-caused catastrophes or ongoing climate change that can lead to changes in operations, reduced availability of raw materials, or loss of information systems, highlighting the need for contingency planning
- Regulatory—A new financial reporting standard that can require different or additional reporting by a legal entity, management operating model, or line of business; a new anti-trust law or regulation that can force changes in operating or reporting policies and strategies
- Foreign Operations—A change in the government of a foreign country of operation that can result in new laws and regulations or altered tax regimes
- Social—Changing customer needs or expectations that can affect product development, production process, customer service, pricing, or warranties
- Technological—Developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services
Internal factors include:
- Infrastructure—Decisions on the use of capital resources that can affect operations and the ongoing availability of infrastructure
- Management Structure—A change in management responsibilities that can affect the way certain controls are effected
- Personnel—The quality of personnel hired and methods of training and motivation that can influence the level of control consciousness within the entity; expiration of labor agreements that can affect the availability of staff
- Access to Assets—The nature of the entity's activities and employee accessibility to assets that can contribute to misappropriation of resources
- Technology—A disruption in information systems processing that can adversely affect the entity's operations
Identifying external and internal factors that contribute to risk at an entity level is critical to comprehensive risk assessment. Once the major factors have been identified, management can then consider their relevance and significance and, where possible, link these factors to specific risks and activities.
For example, an importer of apparel and footwear established an entity-level objective of becoming an industry leader in high-quality fashion merchandise. The entity considered general risks such as the impact of deterioration in economic conditions, market acceptance of products, new competitors in the entity's market, and changes in environmental or regulatory laws and regulations. In addition, the entity considered risks at the entity level such as:
- Supply sources, including the quality, quantity, and stability of foreign manufacturers
- Exposures to fluctuations in the value of foreign currencies
- Timeliness of receiving shipments and delays in customs inspections
- Availability and reliability of shipping companies and costs
- Likelihood of international hostilities and trade embargoes
- Pressures from customers and investors to boycott doing business in a foreign country whose government adopts unacceptable policies
- Expectations from consumers or local stakeholders toward use of natural resources
Risks are identified at the transaction level within subsidiaries, divisions, operating units, or functions, including business processes such as sales, purchasing, production, and marketing. Dealing with risks at this level helps focus on the achievement of objectives and/or sub-objectives that have cascaded down from the entity-level objectives. Successfully assessing risk at the transaction level also contributes to keeping risk at acceptable levels at the entity level.
In most instances, many different risks can be identified. In a procurement process, for example, an entity may have an objective related to maintaining adequate raw materials inventory. The risks to not achieving this objective might include suppliers providing materials that do not meet specifications or are not delivered in needed quantities, on time, or at acceptable prices. These risks might affect entity-level objectives pertaining to the way specifications for purchased goods are communicated to vendors, the use and appropriateness of production forecasts, identification of alternative supply sources, and negotiation practices.
Potential causes of failing to achieve an objective range from the obvious to the obscure. Certainly, readily apparent risks that significantly affect the entity should be identified. To avoid overlooking relevant risks, this identification is best made apart from assessing the likelihood of the risk occurring. There are, however, practical limitations to the identification process, and often it is difficult to determine where to draw the line. For example, it may not make sense to conduct a detailed assessment of the risk of a meteor falling from space onto an entity's production facility, while it may be reasonable for a facility located near an airport to consider in some detail the risk of an airplane crash.
After risks have been identified at both the entity level and the transaction level, a risk analysis needs to be performed. The methodology for analyzing risks can vary, largely because many risks are difficult to quantify. Nonetheless, the process—which may be more or less formal—usually includes assessing the likelihood of the risk occurring and estimating its impact. In addition, the process could consider other criteria to the extent management deems necessary.
As with other processes within internal control, responsibility and accountability for risk identification and analysis processes reside with management at the overall entity and its subunits. The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management with expertise.
As part of risk analysis, the organization assesses the significance of risks to the achievement of objectives and sub-objectives. Organizations may assess significance using criteria such as:
- Likelihood of risk occurring and impact
- Velocity or speed to impact upon occurrence of the risk
- Persistence or duration of time of impact after occurrence of the risk
"Likelihood" and "impact" are commonly used terms, although some entities use instead "probability," "severity," "seriousness," or "consequence." "Likelihood" represents the possibility that a given event will occur, while "impact" represents its effect. Sometimes the words take on more specific meaning, with "likelihood" indicating the possibility that a given risk will occur in qualitative terms such as "high," "medium," and "low," and "probability" indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.
Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and compliance with radio frequency energy limits. Failing to manage either of these risks may result in significant erosion in the entity's value, even to the point of being put out of business. In this instance, changes in regulatory requirements develop much more slowly than do changes in customer preferences.
Management often uses performance measures to determine the extent to which objectives are being achieved, and normally uses the same or a congruent unit of measure when considering the potential impact of a risk on the achievement of a specified objective. An entity, for example, with an objective of maintaining a specified level of customer service will have devised a rating or other measure for that objective—such as a customer satisfaction index, number of complaints, or measure of repeat business. When assessing the impact of a risk that might affect customer service—such as the possibility that the entity's website might be unavailable for a time period—impact is best determined using the same measures.
A risk that does not have a significant impact on the entity and that is unlikely to occur generally does not require a detailed risk response. A risk with a higher likelihood of occurrence and/or the potential of a significant impact, on the other hand, typically results in considerable attention. But even those risks with a potentially high impact that have a low likelihood will be considered, avoiding the notion that such risks "couldn't happen here," as even low likelihood risks can occur. The importance of understanding risks assessed as having a low likelihood is greater when the potential impact of the risk might persist over a longer period of time. For instance, the long-term impact on the entity from environmental damage caused by the entity's actions may be viewed much differently than the long-term impact of losing technology processing in a manufacturing plant for several days.
Estimates of significance of the risk often are determined by using data from past events, which provides a more objective basis than entirely subjective estimates. Internally generated data based on an entity's own experience may be more relevant and provide better results than data from external sources. Even in these circumstances, however, external data can be useful as a checkpoint or to enhance the analysis. For example, a company's management assessing the risk of production stoppages because of equipment failure looks first at frequency and impact of previous failures of its own manufacturing equipment. It then supplements that data with industry benchmarks. This allows a more precise estimate of likelihood and impact of failure, enabling more effective preventive maintenance scheduling. Note, too, that using data from past events can provide incomplete conclusions where events occur infrequently.
In addition, management may wish to assess risks using a time horizon consistent with the time horizon of the related objectives. Because the objectives of many entities focus on the short- to mid-term, management analyzes risks associated with those time frames. However, some objectives extend to the longer term, and management must not ignore those risks that might be further into the future.
Management considers both inherent and residual risk. Inherent risk is the risk to the achievement of entity objectives in the absence of any actions management might take to alter either the risk's likelihood or impact. Residual risk is the risk to the achievement of objectives that remains after management's responses have been developed and implemented. Risk analysis is applied first to inherent risk. Once risk responses have been developed, as discussed below, management then considers residual risk. Assessing inherent risk in addition to residual risk can assist the organization in understanding the extent of risk responses needed.
Once the potential significance of risks has been assessed, management considers how the risk should be managed. This involves applying judgment based on assumptions about the risk and reasonable analysis of costs associated with reducing the level of risk. The response need not necessarily result in the least amount of residual risk. But where a risk response would result in residual risk exceeding levels acceptable to management and the board, management revisits and revises the response. Accordingly, the balancing of risk and risk tolerance may be iterative.
Risk responses fall within the following categories:
- Acceptance—No action is taken to affect risk likelihood or impact.
- Avoidance—Exiting the activities giving rise to risk; may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
- Reduction—Action is taken to reduce risk likelihood or impact, or both; typically involves any of myriad everyday business decisions.
- Sharing—Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk; common techniques include purchasing insurance products, forming joint ventures, engaging in hedging transactions, or outsourcing an activity.
In relation to risk response, management should consider:
- The potential effect on risk significance and which response options align with the entity's risk tolerance
- Requisite segregation of duties to enable the response to achieve the intended reduction in significance
- Costs versus benefits of potential responses
In evaluating response options, management considers significance, including the effect on both likelihood and impact of the risk, recognizing that a response might affect them differently. For example, consider a company with a data center located in a region with heavy storm activity. It establishes a business continuity plan, which, while having no effect on the likelihood of a storm occurring, mitigates the impact of building damage or personnel being unable to get to work should a storm occur. On the other hand, the choice to move the computer center to another region will not reduce the impact of a comparable storm, but could reduce the likelihood of a similar storm occurring near that new location.
Resources always have constraints, and entities must consider the relative costs and benefits of alternative risk response options. Before installing additional procedures, management should consider carefully whether existing ones may be suitable for addressing identified risks. Because procedures may satisfy multiple objectives, management may discover that additional actions are not warranted or that existing procedures may be sufficient or simply need to be performed to a higher standard.
There is a distinction between risk assessment, which is part of internal control, and the choice of specific risk responses and the related plans, programs, or other actions, which are part of the management process and not internal controls. Internal control does not encompass ensuring that the optimal risk response is chosen. For instance, the management of one entity may choose to share technology risk by outsourcing certain aspects of its technology processing with an entity experienced in that field (recognizing that this may also introduce new risks to the organization), while another entity may choose to retain its technology processing and develop general controls over activities for managing related technology risks. Neither of these choices should be viewed as right or wrong, as both can be effective at managing technology risks. But where a risk response would result in the residual risk exceeding risk tolerances for any category of objectives, management revisits and revises the response accordingly.
Once management has chosen to reduce or share a risk, then it can determine actions to respond to the risk and select and develop associated control activities. The nature and extent of the risk response and any associated control activities will depend, at least in part, on the desired level of risk mitigation (which is the focus of Chapter 7). In some instances, management may select a response that requires action within another component of internal control—for instance enhancing a part of the control environment.
Typically, control activities are not needed when an entity chooses to either accept or avoid a specific risk. For instance, a mining company with significant commodity price risk may decide to accept the risk as it believes that investors are aware of and accept price risk exposure. In this case, management would not implement control activities relating to commodity price exposures, but would likely implement control activities relating to other external financial reporting assertions, including completeness and valuation. There may, however, be instances where the organization decides to avoid a risk, and chooses to develop control activities in order to avoid that risk. For instance, to avoid concerns over possible fair trade practices, an organization may implement control activities barring purchasing from certain entities. Management may also need to review the level of risk in light of changes that make it no longer desirable to accept that risk, for instance if the risk exceeds the organization's risk tolerance. When management chooses not to assess a risk or does not identify a risk, it is tantamount to accepting the risk without considering potential changes in the related level of risk and whether that risk remains within its risk tolerance.