How to Write a Risk Statement
I would say there are five rules to writing a risk statement:
- Write a complete sentence, consisting of a cause and effect.
- Link the two clauses by a phrase such as “leads to”, “causing” or “results in” (without using conditional terms like “might”, “may” or “could”).
- State the cause as an event, or as a set of conditions.
- State the effect upon the program goal, objective, or value criterion under consideration.
- Identify and state the risk that lies as far upstream as is practical to manage in the chain of cause and effect.
Risk Statement Examples
Context A: Manufacturing process, using a critical fabricated aluminum part sourced from a supplier which has just been bought out.
Risk statement: Changes to management of supplier X lead to faulty weld, heat treat and QA of our special-order welded 6061-T6 aluminum part.
Context B: Private school language program, expecting a foreign student contingent from a country where political unrest is imminent.
Risk statement: Communication ties severed with institutional contact Mr. X within the next 3 weeks results in inability to arrange permissions, visas and travel for the September cohort.
Context C: Custom web security firm plans to set up a new office in Hong Kong. They are inexperienced in international business and are getting help to apply for a business license.
Risk statement: Professional services Co. XYZ prepares a deficient business license application, causing delay to the planned September launch.
Explanation of Risk Statements
Notice that the statements could easily have read, for example, in Context A: “Customers injured” (characterizing this as a product liability issue); or in Context B: “September students don’t show up”; and in Context C: “Office opens late.” But the offhand, short keyword approach to risk ID doesn’t serve you very well.
I identified causal events as far upstream, so to speak, as I could, in the hope of taking action to prevent the risk before it even matures.
So in Context A, I didn’t focus on the end product failing; nor on the faulty part entering our plant. I focused on the supplier’s new management somehow compromising the weld, heat treat and QA process. Can we take steps to guarantee that process?
In Context B, it was the communications drop that was going to cause our risk to manifest. Therefore, could we look at back-up communications channels?
In Context C, there is still time to do due diligence on firm XYZ and explore options, and so build extra assurance that the Hong Kong business license application will succeed.
At the same time, by describing the effect on our plan, I have made it possible to think more clearly of alternatives to the plan and post-event mitigation (contingencies).
You can imagine a risk register of, say, 50 risks on a critical initiative. If they are all just vague keyword phrases, then their assessment and associated treatment plans will be just as vague. But if the risk statements are complete, time-specific, directly targeted to goals, and indicate upstream opportunities for prevention and mitigation – then you will have a tightly defined risk profile that you can act on.
Risk Statements vs Risk Categories
I’m creating the first draft of the exam for an upcoming Enterprise Risk Management certification, and in the text they are using, the idea of writing a cogent risk statement is not addressed. But I think it is relevant: recent years’ risk management surveys show that people have little confidence in the effectiveness of their risk methodology.
There is a distinction between a risk category and a risk statement. Many people identify risks with two-word phrases: “reputation risk”; “construction risk”, and so on. These are not risk statements, they are general rubrics within which you must specify the risk. I’ve heard of consultants presenting lists of risk categories as if they represented the sum total of identified risks. The trouble with that is, while a two-word phrase is fast and easy to say, the threat that it denotes in relation to your organization is unsaid.
Now, lists of risk categories derived from loss history in a given industry (often sourced from brokers) are undoubtedly useful to help you identify relevant risks – but you have to use them correctly. They are not a substitute either for a comprehensive risk identification exercise or for writing complete risk statements.
A complete risk statement, whether or not inspired by or derived from a risk category, is formulated in direct association with a task, goal, objective or value criterion in your business or organizational plan. In the context of Enterprise Risk Management, the concept of risk goes beyond potential loss due to exposure of assets to hazards. ISO 31000 defines risk as the “effect of uncertainty on objectives”. The older AS/NZS 4360 says: “the chance of something happening that will have an impact on objectives”.
You can find further discussion, with examples of good and poor risk statements, in the prior version of the ERM Guideline I wrote for BC government (section 2.3.2, page 20). You can email me if you want to see this — the current version doesn’t have it.
In this series on risk methodology, so far I’ve covered:
How to do Risk Assessment-Establish the Context–Part 1
How to do Risk Assessment-Establish the Context–Part 2
Pitfalls in Writing the Risk Context
Using Risk Categories