Skip to main content - Skip to contact information

Risk Identification

Risk Definition


The effect of an event or trend, either positive or negative that will have a significant impact on operations and/or the fulfillment of the University’s objectives.


This phase consists of identifying the possible risks. Various methods can be used to identify risk such as: interview or focus groups, brainstorming, decision trees, historical information, incident reports, scenario analysis etc.

The ISO recommended method for stating a risk involves considering the three elements: event, cause and impact.   Since we define risk as the “effect of uncertainty, either positive or negative”, it is helpful define the risk in the context of preventing the achievement of an organizational objective, milestone or target.  

There are several tools located on the website to assist in the identification of risks such as Fire triangle, bowtie diagram, Five Whys.


Generally, risks can be classified into one of the following four broad categories—strategic, operational, reporting, and compliance.  For Program reviews, risks can be categorized within the criteria identified in the Summative Assessment Procedure.

  • Strategic risksare those risks which by their nature, could impact the achievement of high-level objectives within the integrated planning framework or the University’s ability to achieve its purpose or support of its mission. These risks could be financial, reputational or legal.
  • Operational risks, on the other hand, relate to (a) threats from ineffective or inefficient business processes for supporting, servicing, and marketing programs, and (b) threats of loss of assets, including reputation.
  • Reporting risksrelate to the reliability, accuracy, and timeliness of information systems, and to reliability or completeness of information used for either internal or external decision-making.
  • Finally,compliance risksaddress the inadequate communication of laws and regulations, internal behavior codes and contract requirements, and inadequate information about failure of management or employees to comply with applicable laws, regulations, contracts, and expected behaviours.


1 Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999) defines risk as the "chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood."

The Canadian Institute of Chartered Accountants defines risk as "the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance."

The Canadian Standards Association Risk Management: Guidelines for Decision-Makers (CAN/CSA -Q850-97) defines risk as "the chance of injury or loss as defined as a measure of the probability and severity of an adverse effect to health, property, the environment or other things of value."

The International Organization for Standardization (ISO) ISO 31000 defines risk as the "effect of uncertainty on objects”. Note 1- the emphasis is on effect rather than chance, similar to AS/NZS 4360, the definition is neutral in terms of negative and positive consequences.