Why use categories?
One way to structure a risk identification model is to use categories. A category is a cluster that groups risks according to their area of (possible) occurrence. I use the following three categories, and cluster further within each category according to type (a post on this will follow later):
Environment (risks related to): in this category I put all identified risks to the objectives of the area in scope which occur outside of the scope (i.e. the external environment). You may find risks such as availability of budgetary means, legal changes, demographic evolutions, etc. here, as long as these risks occur outside of the scope of the risk review and can impact the objectives of the area within scope;
Operational activities (risks related to): in this category you can find all risks related to actual operational activities within scope of the risk management exercise. Risks related to process structure (bottlenecks) but also risks related to personnel motivation, ICT or integrity, to name a few, find their place here;
Interfaces and decision making (risks related to): this last category contains all risks related to reporting about the operational activities. For example, the risk that the balanced scorecard system is not adequately structured and thus provides erroneous information on the process can be found in this category.