FERM - Ch. 8: Risk Identification



Reading Source: Textbook - Financial Enterprise Risk Management

Topics Covered in this Reading:

  • Risk Identification Tools
    • SWOT Analysis
    • Risk Check Lists
    • Risk Prompt Lists
    • Risk Taxonomy
    • Risk Trigger Questions
    • Case Studies
    • Risk-Focused Process Analysis
  • Risk Identification Techniques
    • Brainstorming
    • Independent Group Analysis
    • Surveys
    • Gap Analysis
    • Delphi Technique
    • Interviews
    • Working Groups
  • Assessment of Risk Nature
  • Risk Register


I am having some trouble understanding how the Delphi technique works as a risk identification tool? Can someone explain this method further? Thanks :+1:


I think the Delphi technique is just an interview with an expert, and then you follow up, if I’m not mistaken, but I agree it was not extremely well explained in the reading.


My understanding of the Delphi Technique is that they are rounds of interviews conducted with subject matter experts, with each subsequent round refining the discussion topic. The first round would involve more of a broad discussion on the topics, and then subsequent rounds would refine the discussion matter even further until a consensus was formed.

For example: Someone is interested in determining the best practices to quantify tail risk. So the first round of interviews/questionnaire would gather information from SMEs on the techniques currently employed in the industry. Once this information was gathered and consolidated, a second round of interviews/questionnaire would be sent out to gather more details on say the top 3 methods identified in round 1, etc.


I think the ERM exam could easily ask us to perform a SWOT analysis on a specific company.

What do you think are the biggest Strengths, Weaknesses, Opportunities, and Threats for a company like Apple?

I would say:
Strengths --> Innovation, Brand reputation
Weaknesses --> High selling price
Opportunities --> Develop new products
Threats --> Competition

However I’m not sure if my opportunity is actually an opportunity, given that it seems internal (rather than external). Thoughts?


Hey @MattyM,

I like how you are trying to think about the material, and applying it to a real-world situation! This is how the SOA likes to test these types of concepts. I would probably say that the opportunity that you identified could be seen as both “internal” and “external”.

Internally, I think Apple has great products and continues to enhance their products via upgrades, for example, the IPhone 10 is the latest launch of an existing product.

Externally, Apple can develop new products or even get into new market segments, for example, Amazon purchasing Whole Foods to extend their reach and product shelf!

So depending on your perspective, it changes the answer. What do others think?


I also wanted to share with everyone a great video on YouTube explaining how a “Risk Register” can be created by a company; perhaps this example will help clarify it’s use.


When you get to the SDM exam we rip those risk register’s and other scoring matrix’s apart in the Failure of Risk Management book!


Warren Buffett, who is one of the largest shareholders of Apple now, says Apple has a lot of protection from competitors due to the high “switching costs” of moving away from an iPhone to another phone. That would be a strength.



My wife, a big Apple user, can attest to that! She has an iPhone, iPad, and a MacBook. Even when she is frustrated by something they do (i.e., remove the headphone jack from the iPhone), she’ll basically say “Well, I can’t switch, I don’t want to be half-Apple and half-Android.”

But this is also a sword that can cut both ways. I think you could argue that a Threat that Apple faces is an inability to grow market share in the face of extremely loyal consumer basis in Android. Not having fertile ground to grow means that you need to continually get your existing base to upgrade their existing devices in order to keep profits growing. If you can’t make a convincing argument that the iPhone 11 is worth $1000, you could face stagnation. So, in this case, Android’s Threat is keeping you hemmed into your current market.

On the exams, a lot of these types of questions are going to depend on how well you can argue, and how well-supported your arguments are! I’ve heard from graders that students will answer in unexpected ways, but if they can back up their ideas, they can get full credit. So fully support your answers!!


So, which risk risk identification techniques do you think are the most/least effective?

Given limited resources, how do we decide which technique to use?


So, which risk risk identification techniques do you think are the most/least effective?

Given limited resources, how do we decide which technique to use?

Depends on the task at hand I’d say. With limited resources, I think that Delphi would be difficult, given that it is time consuming and requires many experts (which may not be available with limited resources). Same with interviews, this can be time consuming/costly with limited resources.

This is totally a personal opinion, but I like Independent Group Analysis. It still incorporates personal brainstorming, so there will be opportunity for creative/unique ideas to be thought of. But then, the facilitator will combine all ideas into one list and allow for group discussion on these. There still is potential for “free riders”, but I think when you invest your own ideas in the brainstorming, you become a little more invested in the group discussion. I don’t think this takes up too many resources either.

But I guess it depends on the task, if the knowledge is not known well within-house, then another strategy might be required.


@Shy_Guy I agree with @pt320 that it does depend on the circumstances. I think that if we want to keep risk identification a ‘priority’ in the company, establishing a working group that will regularly communicate and touch base on it is very important; via monthly or quarterly meetings. Establishing a working group will naturally create buy-in amongst its members and that the idea of performing ‘risk identification’ exercises is not a ‘one-and-done’ thing.

Personally, I like the ideas behind the performing of a gap analysis to identify both where the company is today in its view of risks, and where it could or should be. It would be very important to get a wide range of views on this though which would be tough to do in a quick timeframe. I wonder if this method could survey parties external to the company, for example, an external peer reviewer or external auditor? Sometimes spending the resources to get this external view will provide more depth that what could be done in-house, in that they would have a view as to what other companies are doing across the industry.


Yeah. It’s a bit of a catch-22… any smaller company without resources for proper ERM methdologies is likely to have gaps in their approach. Any of the large companies likely have adequate programs with good representations in industry conferences, meetings with regulators, etc.