In early experimentation, we tried using just a few keywords to express a risk. The trouble with that is, a week later, the people around the table (even the one who came up with the line item) cannot remember the original idea of risk evoked by one or two keywords. Conversely, if you write a run-on sentence or even a paragraph, you end up cramming many notions of risk into one statement: that becomes very difficult to assess and even harder to manage. The ideal is to strike a balance, and write a two-part statement, using the following guidelines.
How to Write a Risk Statement
I would say there are five rules to writing a risk statement:
- In the chain of cause and effect leading to a risk event — and amid various contributory influences — identify the causal incident that best characterizes the risk, and lies as far upstream as is practical to manage it.
- Write a complete sentence, consisting of a cause and effect.
- Link the two clauses by a phrase such as “leads to”; “causes”; “results in” (without using conditional or modal terms like “might”; “may”; “could”; but simply using the present tense).
- State the cause as an event, or as a set of conditions.
- State the effect as the hindrance to or prevention of the specific program goal, objective, or value criterion under consideration.
Risk Statement Examples
Context A: A manufacturing process uses a critical part, sourced as a special order from a supplier which has just been bought out.
Risk statement: Changes to internal management at supplier X lead to faulty selection or non-functional substitution of our critical part.
Context B: A private school language program expects a foreign student contingent, represented by Mr. X, from a country where political unrest is imminent.
Risk statement: Communication ties severed with institutional contact Mr. X within next 2 weeks results in inability to arrange student visas for September cohort.
Context C: Web security firm plans to set up office in Hong Kong and launch a new project in September. They are relying on an untested third party Co. X to help them obtain a foreign business license.
Risk statement: Professional services Co. X prepares deficient business license application, causing delay to planned September launch.
Explanation of Risk Statements
Notice that the statements could easily have read, for example, in Context A: “Customers injured” (characterizing the eventual faulty product as a liability issue); or in Context B: “September students don’t show up”; and in Context C: “Office opens late.” But simply identifying the eventual detrimental outcome as the risk is not practical; it does not best indicate how to manage the risk.
By contrast, my risk statements identified causal events, as far upstream as I could, in the hope of taking action to prevent the causal event before it leads to some harmful downstream result.
So in Context A, I didn’t focus on the end product failing; nor on the faulty part entering our plant. I focused on the supplier’s new management somehow missing the special order (perhaps because it largely depended upon a relationship with a person no longer there).
In Context B (assuming students are allowed to travel), it was specifically the communications drop that was going to cause our risk to manifest.
In Context C, there is still time to do due diligence on Co. X and explore options, and so build extra assurance that the Hong Kong business license application will succeed.
In each case, I described the effect of the risk event on our plan or process, but also took care to identify the cause as early as possible.
You can imagine a risk register of, say, 50 risks on a critical initiative. If they are all just vague keyword phrases, then their assessment and associated treatment plans will be just as vague. But if the risk statements are complete, time-specific, directly targeted to goals, and indicate upstream opportunities for prevention and mitigation – then you will have a tightly defined risk profile that you can act on.
Risk Statements vs Risk Categories
There is a distinction between a risk category and a risk statement. Many people identify risks with two-word phrases: “reputation risk”; “construction risk”, and so on. These are not risk statements; they are general rubrics within which you must specify the risk. I’ve heard of consultants presenting lists of risk categories as if they represented the sum total of identified risks. The trouble with that is, while a two-word phrase is fast and easy to say, the threat that it denotes in relation to a specific goal is left unexplained.
Now, lists of risk categories derived from loss history in a given industry (often sourced from brokers) are undoubtedly useful to help you identify relevant risks – but you have to use them correctly. They are not a substitute either for a comprehensive risk identification exercise or for writing complete risk statements.
A complete risk statement is formulated in direct association with a task, goal, objective or value criterion in your business plan. It must be formulated using the above guidelines in order to make a long list of such statements susceptible to aggregation, ranking, and mitigation.