Risk identification and analysis

During the risk identification phase, all possible risks are listed as scenarios. Risks are identified, analyzed and then categorized according to priority.

During this stage, the focus is on the main risks to the company. The checklist is often called the danger list. Most of the time, risks linked to individuals are limited. It is therefore important to concentrate on major risks to eliminate them as much as possible.

Internal and external risks

Graphic. List of internal and external risks which could affect a business

In principle, identifying risk begins with an analysis of strengths and weaknesses, i.e. a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). This can be carried out in a meeting and through interviews with the company’s key managers. The SWOT analysis is a simple tool that helps give an understanding of risk management within a company and shows existing links between major problems and the company’s objectives. Moreover, the objective of a SWOT analysis is to identify the main internal and external factors that influence the company’s development and values.

The results of the meeting, interviews, benchmark analyses and information from other internal and external sources are used to create a database that includes all major information regarding risk. Risks are categorized by type and are attributed to the correct category in the risk model (see illustration below).

Opportunity and threat profile





  • Threat: to be ignored given the size of the organization; the budget is barely reduced. Opportunity: to be ignored given the size of the organization; the budget is hardly any different.
  • Threat: the consequences are minimal and can be financed by the cash flow; the budget is slightly reduced. Opportunity: the budget is slightly higher than forecast for certain aspects.
  • Threat: the annual accounts are down; the EBIT is less than expected. Opportunity: the annual accounts and EBIT are better than expected.
  • Threat: the annual accounts are worse and worse; the EBIT is in danger (risk). Opportunity: the annual accounts and EBIT are markedly higher than expected.
  • Threat: the company’s existence is under threat; equity is almost or entirely gone. Opportunity: the annual accounts and EBIT are extraordinarily positive and considerably higher than expected.

Source: Dr. Bruno Brühwiler, Management und Qualität, 5/2009

Once the risk catalog is defined, a general analysis should be performed for all identified risks. The risk analysis determines when a risk is manageable and therefore acceptable.

A risk tolerance threshold is often indicated in the risk environment. Risks above this threshold should not be tolerated, and risks below the threshold are acceptable.

A risk analysis is generally performed using two aspects:

  • Probability describes the likelihood of an event occurring. In principle, probability is calculated for a three-year period. This period is used as a basis when the company has a strategic planning cycle;
  • The consequences describe the concrete effect that this event would have. The analysis normally requires a financial value. As not all risks can be analyzed from a financial point of view, it is also possible to analyze them qualitatively. To do so, consider reputation, compliance, and health and safety risks, as well as the expenses management would incur to bring the situation under control, should the event occur.

The result of the risk analysis is represented graphically in the form of a risk map.

Risk map for fiduciary company xy

The example below highlights the main risks for a fiduciary company. The analysis is performed using two aspects: probability and consequences. Experience shows that companies often focus on approximately 10 main risks.

Graphic. Shows how to analyse risks based on their probability and seriousness

Sample danger list for a fiduciary company


Danger zone [0] | Danger sector | Description of risk | | Potential damage [2] | |

Strategic threat | Current commercial activity | Depends on a few clients; losing a client would lead to dismissals | | Threatens the company’s existence | Diversification of customer base by focusing on another sector; drawing up a marketing plan | December 20xx

Management and employees | | Embezzlement by an employee/Company reputation affected | Extremely rare | Threatens the company’s existence | Verification of signatory powers. Verification of the authorization process. Verification of the monitoring process. | June 20xx

Management and employees | Unfair trade practices | Imprecise (lax, superficial, unprofessional) application of business standards | | Threatens the company’s existence | Operational audits by superiors, survey of customers, training and professional development | Twice per year; Until June 20xx; Every two months

Operational threat | Dangers to production plants | Flooding of premises | Extremely rare | Threatens the company’s existence | New IT rooms on the 2nd floor of the building, ensure that the site transfer goes well | July 20xx; January 20xx

Financial threat | Liquidity and non-payments | Credit limit exceeded - higher bank interest | | | Improve processes for reminders and liquidity planning | October 20xx

0. Danger zones: strategic threat; operational threat; financial threat; management and employees
1. Frequent = weekly; possible = monthly; rare = annually; extremely rare = every five years; unlikely ≤ 5 years
2. Insignificant ≤ CHF 5,000; minimal ≤ CHF 10,000; sensitive ≤ CHF 50,000; critical ≤ CHF 100,000; threatens existence ≥ CHF 100,000

Different methods for analyzing risk

A company can choose between numerous methods for analyzing and evaluating risk. These are categorized into five groups:

  • Techniques for creativity: brainstorming, Delphi method, morphological matrix
  • Analyzing scenarios: root cause analysis, failure and mistake analysis, worst-case scenario analysis
  • Indicator analysis: Critical Incident Reporting Systems, Change-Based Risk Management
  • Hazard analysis: FMEA, hazard analysis, HAZOP, HACCP
  • Statistical analysis: standard deviation, confidence interval, Monte Carlo simulation

Source: Risikomanagement, Schweiz. Vereinigung für Qualitäts- und Management-Systeme (SQS), Zollikofen; 2008

Last modification 07.05.2021
