Rethinking risk identification in the boardroom


Why risk identification deserves board attention

In recent years, failures in governance have frequently been attributed not to a lack of awareness, but to a failure to act on information already available within the organisation. The lessons from cases like Credit Suisse and the Post Office Horizon programme show that risks are often visible and can be addressed when organisations have the right conditions for identification and escalation.

This highlights a critical issue for boards: risk identification is often treated as a procedural or operational task. In practice, it is a strategic enabler, essential to foresight, resilience, and execution. For boards and non-executive directors (NEDs), understanding and overseeing how risk is identified across the organisation is becoming just as important as monitoring how it is measured or controlled.


Risk identification and board oversight

Risk identification refers to the process of surfacing potential threats and opportunities that could affect the organisation’s ability to achieve its objectives. It is the first step in the risk management process, and it determines what ultimately gets assessed, escalated, and acted on.

While risk identification is typically the responsibility of executive teams and risk functions, boards set the tone and expectations. Oversight in this area involves asking who gets to define the risks, what feedback loops are in place, and how risk signals are brought into strategic conversations.

Recent poll data from over 230 risk professionals highlights this shift in expectation. Only 9% said risk and compliance teams should play the lead role in identifying risk. In contrast, 77% said it should be a collaborative effort between risk, delivery, and leadership teams. Boards should reflect on whether their organisations truly enable this in practice.


Common weaknesses in risk identification

Several factors contribute to poor or delayed risk identification:

  • Siloed thinking, where teams fail to share concerns across boundaries;
  • Cognitive bias and groupthink, which filter how issues are perceived;
  • Lack of psychological safety, where raising concerns feels risky or unrewarded;
  • Over-reliance on static tools, such as risk registers or dashboards that reflect past rather than emerging threats.

These weaknesses can lead to blind spots that only become visible after an incident occurs, by which point options are limited and consequences are more severe.


Four questions for boards to consider

Boards can strengthen their oversight of risk identification by asking the following:

1. How inclusive is the organisation’s approach to surfacing risk?
Are there safe and accessible ways for concerns to be raised from across the business, including frontline staff, project teams, and external partners?

2. What tools are being used to support risk identification?
While 58% of poll respondents said they use heatmaps most frequently, 27% preferred scenario planning and 10% used bow-tie analysis. These tools provide structured ways to explore causes, consequences, and interdependencies and can support richer board-level discussion.

3. Are early signals brought into strategic decision-making?
Boards should ask how emerging risks are identified and tracked, and how they are integrated into planning, change initiatives, and resource allocation.

4. Does the culture enable concerns to be shared and acted on?
Boards influence how leaders respond to challenge. If difficult topics are consistently minimised or dismissed, risk identification will suffer. Transparency, trust, and constructive challenge should be supported at every level.


The board’s role in risk visibility

Boards are not responsible for identifying individual risks, but they are responsible for ensuring that the organisation has the culture, systems, and practices that make this possible. This includes encouraging open dialogue, challenging assumptions, and expecting structured insight on risks that are not yet fully formed.

By taking a more proactive role in risk identification, boards can improve oversight, reduce the likelihood of surprise events, and support better long-term decision-making.


About the author: Julien Haye is Managing Director of Aevitium Ltd, and Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. He specialises in aligning culture, governance, and transformation to strengthen risk capability and decision-making. He is the author of The Risk Within and host of the RiskMasters podcast.

