The Methodology
A six-phase, regulator-aligned process built on ISO 31000, ISO 31010, COSO ERM, and direct experience at global banks.
The Framework
Each phase builds on the last. Skip one and the process fails under regulatory scrutiny.
Phase 1: Formal PESTLE analysis of external context. Internal environment and risk culture assessment across the 7 COSO elements. Risk criteria definition and risk appetite alignment. Starting universe built from regulatory categories, industry loss data, and internal incident history. Straw man risk list prepared to seed workshops.
Phase 2: Top-down: Structured What-If Technique (SWIFT) workshops with pre-workshop independent assessment and multivoting prioritisation. Delphi Method for emerging/horizon risks (3–5 year, anonymous expert panel). Bottom-up: standardised templates with 10 specialist sub-processes (RCSA, Conduct Risk, ICT/Cyber, AML/CFT, Third-Party, Model Risk, and more). Mandatory reconciliation between top-down and bottom-up. Enterprise portfolio view assessing aggregate exposure.
Phase 3: Four-dimensional scoring: Impact, Likelihood, Vulnerability, Speed of Onset. Multi-dimensional impact: Financial, Regulatory, Reputational, Customer/Operational. Data Quality / Confidence Rating on every risk score. Inherent and residual risk with control effectiveness. Bow-tie analysis for the 5–10 most critical risks (expanded methodology with escalation factors). Cost-benefit assessment with ALARP principle.
Phase 4: Living risk inventory — not a point-in-time snapshot. 14-field inventory record per risk. One-page risk profiles for all material risks. Full audit trail on every change, assessment, and decision.
Phase 5: Mapping to all 8 COSO ERM components. Direct linkage to ICAAP/ILAAP/CCAR stress scenario design. Strategic planning integration. Board Risk Committee reporting (10-item principal risk report). Regulatory reporting and Pillar 3 disclosures.
Phase 6: Quarterly re-identification (not just re-assessment) per Fed SR 15-18. Annual full re-identification from scratch. Event-driven updates (loss events, M&A, regulatory changes, new business). Internal audit assurance over the process itself. Process performance indicators and continual improvement.
Most risk identification processes share the same structural weaknesses. This methodology was designed to close every one of them.
| Common Practice | This Methodology |
|---|---|
| Top-down identification only | Dual-track with mandatory reconciliation between top-down and bottom-up |
| 2D scoring (impact × likelihood) | 4D scoring: impact, likelihood, vulnerability, speed of onset |
| Single-dimension impact (financial only) | Multi-dimensional: financial, regulatory, reputational, operational |
| Risk scores with no confidence context | Data quality / confidence rating on every assessment |
| Static annual exercise | Living inventory with quarterly re-identification |
| Disconnected from capital planning | Explicit ICAAP / ILAAP / CCAR integration |
| No emerging risk process | Delphi Method for 3–5 year horizon scanning |
| No structured workshop method | SWIFT facilitation with straw man seeding |
| Risk interaction ignored | Bow-tie analysis, interaction matrices, concentration assessment |
| Process never independently validated | Annual internal audit assurance over the process |
Regulatory Alignment
The methodology maps to 16 regulatory frameworks across the BCBS, PRA, EBA, ECB, Fed, OCC, FCA, and ISO/COSO standards. Every regulatory requirement is traceable to a specific section of the process.
Built on Evidence
We analysed every major bank loss event from the 1970s to today and asked one question: what went wrong in the risk identification process? The answer was almost always the same.
Every phase of the methodology maps back to at least one real failure it would have caught. The dual-track approach, the reconciliation loop, the four-dimensional scoring — all exist because history showed what happens without them.
Barings (1995)
$1.3B — Governance bypass
Internal audit flagged the control failure. Management ignored it. Phase 1 foundation setting would have caught the segregation-of-duties gap.
Northern Rock (2007)
£26B — Complacency
No scenario tested wholesale funding closure. Phase 2 SWIFT workshops with proper straw man seeding would have surfaced this.
Wells Fargo (2016)
$3B — Cultural suppression
Whistleblower complaints treated as HR, not risk. Phase 2 bottom-up conduct risk sub-process would have escalated this.
The full Industry Loss Database is included in the free toolkit.