This blog was originally posted on ERM Insights by Carol.
Have you ever been given an assignment at work without clear instructions?
It can be dizzying to try and figure out what your first steps to be. At best, it’s disconcerting not knowing if you’re on the right track, and at worst, you don’t even know what your desired end result should be or look like.
This situation could happen between identification and assessment phases of ERM…
Without a clear statement on exactly what the risk entails, everyone throughout the organization will struggle to understand what their next steps should be.
A risk statement can be defined as a concise description of the risk, which can be easily understood by everyone.
To be easily understood, the statement should not consist of fancy risk jargon but rather the everyday business terms used throughout the company. If additional time is needed to explain terminology or the “real” meaning of the risk statement, then it is not clear.
While anyone should easily be able to comprehend it, the risk statement needs to be speaking to four main audiences: the risk/ERM unit, business managers and staff, senior executives, and the Board.
With this statement in hand, business units and other relevant stakeholders will be able to take action and properly assess the risk. And let me be clear, when I say risk, I am also including opportunities. You can use this same structure for great opportunity statements. (It also becomes unwieldy to constantly say “risk/opportunity statement” or "risk statement or opportunity statement.”) So, as you continue to read, know that I am including opportunity identification and assessment in this mix…
An effective risk statement will include the following three components:
- Event – this is the trigger for the risk and what connects the other two components. Without a catalyzing event, the rest of the risk statement is irrelevant. Although succinctness is important, using a single word or short phrase like “cybersecurity” or “market turmoil” is not helpful in describing an event. After all, cybersecurity for example can cover 20 or more potential events.
- Root cause – by far the hardest part of the risk statement, the root cause is the base reason for why something is happening. There are several ways to identify the root cause for something, but fundamentally, it consists of asking “why?” until you get to the bottom of it. Without a root cause, there will be nothing you can really do to address a risk since you won’t know what’s causing it. You can only have one root cause per risk; otherwise, the mitigations (or controls or whatever term your organization uses) will be scattershot in addressing the risk.
- Consequence – the consequence consists of the impacts the company will experience as a result of the event enabled by the root cause. There can be multiple consequences to an individual risk, which can range from a minor financial loss to bankruptcy and everything in between. Identifying consequences can be as simple as “poor customer experience” or “additional regulatory scrutiny,” so don’t feel compelled to get detailed with this part. Just remember that this part will help drive the assessment work and any related conversations.
The structure of a risk statement basically follows an if/then format like below. This setup satisfies all the requirements of an effective risk statement - e.g., it is concise, actionable, clearly articulates the cause and impact, and, most of all, is easily understood.
A real-life risk statement for an industry I closely work with, the Florida property insurance market, could be something like the following: “If the Legislature fails to pass market reforms, due to other priorities, then multiple carriers may become insolvent and Florida homeowners may face much higher premiums.”
This is a basic structure on risk statements, but it is by no means the only one to consider.
In this article, risk expert and consultant Julian Talbot discusses the 4Cs (condition, criteria, cause, consequence) and the CASE approach (consequence, asset, source, event) as other models you can use to develop risk statements.
To reiterate what I said previously about opportunities, ERM is not solely about risks in the negative sense, and risk statements are no different. Opportunities can, and should, be outlined using this approach, so decision-makers can clearly understand what they are assessing before moving forward. Statements like “…offers an opportunity to…” or “Potential to…” are a couple of ways to express this. As an example, the flip side of the risk statement above would look like this: “A potential to drastically change the Florida property market, due to pending legislative bills, may result in continued carrier solvency and competitive pricing for homeowners’ policies.”
Whatever model you end up with, remember that risk statements will naturally involve some trial and error. You will not hit it out of the park on the first try, so don’t feel like you have failed and give up if it takes several passes to arrive at a clear, actionable risk statement, especially if you’re new to drafting them.