As PMI's Practice Standard for Project Risk Management precisely states, "a risk cannot be managed unless it is first identifed" and that means this must be the first to be executed. This risk identification activity will go on during the whole project and the risk register has to be considered a live document.
The risk identification tries to detect risks as early as possible but, at the same time, it must be implemented as an iterative process which allows the incorporation of additional risks at any point of the project.
A risk can have either a positive or a negative impact in the project, the first is called opportunity while the latter, a threat. Goal of risk management is to maximize the impact and likelihood of opportunities while the threats impact must be mitigated.
To avoid misunderstandings and misinterpretations on the identified risks, it is recommended to assign a risk owner since the time the risk is initially registered.
Notes taken during my study of "Practice standard for Project Risk Management" from PMI