1. NIST Special Publication 800-30 Revision 1, "Guide for Conducting
Risk Assessments":
o Page 9, Section 2.2.1 (Step 1: Prepare for Assessment): States that key activities
in preparing for a risk assessment include "identifying the scope of the risk
assessment."
o Pages 12-14, Section 2.2.2 (Step 2: Conduct Assessment - Task 2-1 & Task 2-2):
Details the tasks of "Identify Threat Sources and Events" and "Identify Vulnerabilities
and Predisposing Conditions," which are fundamental to identifying potential risks.
This step logically follows the preparation where scope is defined.
o URL: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
2. ISO 31000:2018, "Risk management - Guidelines":
o Clause 6.3 "Scope, context and criteria" (Page 9): Describes the establishment of
scope as a precursor to risk assessment: "The purpose of establishing the scope,
context and criteria is to customize the risk management process, enabling effective
risk assessment and appropriate risk treatment. Establishing scope, context and
criteria involves: a) defining the scope of the process..."
o Clause 6.4.2 "Risk identification" (Page 10): Defines risk identification as: "The
purpose of risk identification is to find, recognize and describe risks that might help or
prevent an organization from achieving its objectives." This identification happens within
the established scope.
o URL: (ISO standards are typically purchased, but summaries and related guidance
often reference these clauses. A direct public link to the full standard isn't usually
available from ISO itself without purchase. However, the NIST Glossary references
ISO 31000 for its definition of risk identification.) Example reference through NIST:
https://csrc.nist.gov/glossary/term/risk_identification
3. MIT OpenCourseWare, "1.040 Project Management", Spring 2008, Lecture Notes on
Risk Management:
o Lecture "Risk Management", Slide 7 ("Risk Identification"): Lists "scope statement"
as an input to the Risk Identification process. This highlights that while scope
establishment might be a distinct input, the risk identification process actively uses
and "involves" this scope to identify relevant potential risks.
o URL: (Specific slide content can be found within the course materials if publicly
available; the user would need to navigate to the relevant lecture on risk
management. Example: https://ocw.mit.edu/courses/1-040-project-management-spring2008/)
A more general reference from a similar context can be found in many university project
management course materials discussing the PMI PMBOK® Guide's processes, which
emphasize scope as an input to risk identification.