Have you ever been given an assignment at work without clear instructions?
It can be dizzying to try and figure out what your first steps to be. At best, it’s disconcerting not knowing if you’re on the right track, and at worst, you don’t even know what your desired end result should be or look like.
Without a clear statement on exactly what the risk entails, everyone throughout the organization will struggle to understand what their next steps should be.
A risk statement can be defined as a concise description of the risk, which can be easily understood by everyone.
To be easily understood, the statement should not consist of fancy risk jargon but rather the everyday business terms used throughout the company. If additional time is needed to explain terminology or the “real” meaning of the risk statement, then it is not clear.
While anyone should easily be able to comprehend it, the risk statement needs to be speaking to four main audiences: the risk/ERM unit, business managers and staff, senior executives, and the Board.
With this statement in hand, business units and other relevant stakeholders will be able to take action and properly assess the risk. And let me be clear, when I say risk, I am also including opportunities. You can use this same structure for great opportunity statements. (It also becomes unwieldy to constantly say “risk/opportunity statement” or “risk statement or opportunity statement.”) So as you continue to read, know that I am including opportunity identification and assessment in this mix…
An effective risk statement will include the following three components:
- Event – this is the trigger for the risk and what connects the other two components. Without a catalyzing event, the rest of the risk statement is irrelevant. Although succinctness is important, using a single word or short phrase like “cybersecurity” or “market turmoil” is not helpful in describing an event. After all, cybersecurity for example can cover 20 or more potential events.
- Root cause – by far the hardest part of the risk statement, the root cause is the base reason for why something is happening. There are several ways to identify the root cause for something, but fundamentally, it consists of asking “why?” until you get to the bottom of it. Without a root cause, there will be nothing you can really do to address a risk since you won’t know what’s causing it. You can only have one root cause per risk; otherwise, the mitigations (or controls or whatever term your organization uses) will be scattershot in addressing the risk.
- Consequence – the consequence consists of the impacts the company will experience as a result of the event enabled by the root cause. There can be multiple consequences to an individual risk, which can range from a minor financial loss to bankruptcy and everything in between. Identifying consequences can be as simple as “poor customer experience” or “additional regulatory scrutiny,” so don’t feel compelled to get detailed with this part. Just remember that this part will help drive the assessment work and any related conversations.
The structure of a risk statement basically follows an if/then format like below. This setup satisfies all the requirements of an effective risk statement – e.g., it is concise, actionable, clearly articulates the cause and impact, and, most of all, is easily understood.
A real-life risk statement for an industry I closely work with, the Florida property insurance market, could be something like the following – “If the Legislature fails to pass market reforms, due to other priorities, then multiple carriers may become insolvent and Florida homeowners may face much higher premiums.”
This is a basic structure on risk statements, but it is by no means the only one to consider.
In this article, risk expert and consultant Julian Talbot discusses the 4Cs (condition, criteria, cause, consequence) and the CASE approach (consequence, asset, source, event) as other models you can use to develop risk statements.
To reiterate what I said previously about opportunities, ERM is not solely about risks in the negative sense, and risk statements are no different. Opportunities can, and should, be outlined using this approach, so decision-makers can clearly understand what they are assessing before moving forward. Statements like “…offers an opportunity to…” or “Potential to…” are a couple of ways to express this. As an example, the flip side of the risk statement above would look like this: “A potential to drastically change the Florida property market, due to pending legislative bills, may result in continued carrier solvency and competitive pricing for homeowners’ policies.”
Whatever model you end up with, remember that risk statements will naturally involve some trial and error. You will not hit it out of the park on the first try, so don’t feel like you have failed and give up if it takes several passes to arrive at a clear, actionable risk statement, especially if you’re new to drafting them.
How does your company use risk statements to help managers and executives clearly understand the parameters of the risk or opportunity?
To share your thoughts on this topic, please feel free to leave a comment below, join the conversation on LinkedIn, or send a comment privately to email@example.com.
If your company is struggling to develop risk statements that allow for a seamless transition between the identification and assessment phases, consider reaching out by email or through my online calendar to discuss ways to get unstuck and keep moving forward.
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More