
A proliferation of non-expert methods vs High Quality Risk Assessment

The methods to be used in Enterprise Risk Management are not very well specified in the standards. Risk assessment has become a proliferation of ad hoc practices. The risk reports developed in a non-expert manner turn out rather bland and tend to sit on a shelf, because no one takes the document to be a compelling basis for action. The result is that ERM has acquired a reputation as "bureaucratic and non-value-adding". [1]

If we accept that carefully developed and tested methods can, by contrast, lead to valuable results, then it is worthwhile studying the details of what I call High Quality Risk Assessment. For example, the question of how to formulate risk statements turns out to be decisive for the quality of the risk assessment. [2]

In early experimentation (when I was working at the Risk Management Branch, BC province) we tried using just a few keywords to express a risk. The trouble with that is, a week later, the people around the table (even the one who came up with the line item) cannot remember the original idea of risk that one or two keywords were supposed to evoke. Conversely, if you write a run-on sentence or even a paragraph, you end up cramming many notions of risk into one statement: that becomes very difficult to assess and even harder to manage and act upon.

The ideal is to strike a balance, and write a two-part statement. I specify the following guidelines:

How to write a risk statement
I would say there are five rules to writing a risk statement:

  1. In the chain of cause and effect leading to a risk event — and amid various contributory influences — you must identify the causal incident that best characterizes the risk, and lies as far upstream in the chain of cause and effect as is practical to intervene and prevent or manage the risk event.
  2. Write a complete sentence, consisting of a cause and the effect.
  3. Link the two clauses by a phrase such as “leads to”; “causes”; “results in”. Do not use conditional or modal terms like “might”; “may”; “could”; use only the present tense.
  4. State the cause as an event, or a particular condition.
  5. State the effect as the hindrance to or prevention of the specific program goal or objective, or as a compromise of the corporate value under consideration.

Risk statement examples

Context A:
A manufacturing process uses a critical part, sourced as a special order from a supplier which is undergoing internal changes.
Risk statement:
Changed internal management at supplier leads to their faulty selection or bad substitution of our critical part.

Context B:
A private school expects a foreign student contingent to arrive from a country where political unrest is imminent.
Risk statement:
Foreign government policy changes result in inability to arrange student visas for September cohort.

Context C:
Web security firm plans to set up an office abroad. They are relying on an untested third party service to help them obtain a foreign business license by a specific date.
Risk statement:
Professional services company's late or deficient business license application causes delay to planned launch.
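As an added illustration that is not part of the original article, here is a small Python linter that applies rules 2 to 5 above to a risk register, splitting each statement into its cause and effect and flagging keyword phrases, modal hedging and missing linking phrases. The word-count bounds are my own assumption (the article only says to avoid keyword phrases and run-on sentences), and the failing inputs in the test are constructed.

```python
import re

# Rule 3: cause and effect are joined by one of these phrases (singular or
# plural verb form) and the sentence contains no conditional/modal terms.
LINK_RE = re.compile(r"\b(leads? to|causes?|results? in)\b", re.IGNORECASE)
MODAL_RE = re.compile(r"\b(might|may|could)\b", re.IGNORECASE)
# Length bounds are my assumption, not the article's: it only says to avoid a
# bare keyword phrase on one side and a run-on sentence on the other.
MIN_WORDS, MAX_WORDS = 6, 30


def check_risk_statement(text: str) -> dict:
    """Split a statement into cause and effect and lint it against rules 2-5.

    Returns {"cause": ..., "effect": ..., "problems": [...]}; an empty
    problems list means the statement passes.
    """
    text = " ".join(text.split())
    result = {"cause": "", "effect": "", "problems": []}
    problems = result["problems"]
    n_words = len(text.split())
    # Rule 2: one complete sentence, neither a keyword phrase nor a paragraph.
    if n_words < MIN_WORDS:
        problems.append("too short: reads like a keyword phrase, not a sentence")
    if n_words > MAX_WORDS or text.count(".") > 1:
        problems.append("too long: a run-on or more than one sentence")
    if not text.endswith("."):
        problems.append("not a complete sentence (no terminal period)")
    # Rule 3: present tense, no hedging, and exactly one linking phrase.
    if modal := MODAL_RE.search(text):
        problems.append(f"modal term '{modal.group(1)}' instead of present tense")
    parts = LINK_RE.split(text, maxsplit=1)  # [cause, link, effect] when found
    if len(parts) != 3 or LINK_RE.search(parts[2]):
        problems.append("need exactly one of: leads to / causes / results in")
        return result
    result["cause"], result["effect"] = parts[0].strip(), parts[2].strip(" .")
    # Rules 4 and 5: both the causal event and the effect on the goal are stated.
    if not result["cause"]:
        problems.append("no cause stated before the linking phrase")
    if not result["effect"]:
        problems.append("no effect stated: which goal or value is compromised?")
    return result


def lint_register(statements: list) -> dict:
    """Lint a whole risk register; returns only entries that have problems."""
    return {s: p for s in statements if (p := check_risk_statement(s)["problems"])}
```

Run over the three statements above, all pass; a category rubric such as "Reputation risk." or a hedged sentence using "might" is reported with the rule it breaks.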

Explanation of risk statements
My risk statements identified causal events as far upstream as possible, in the hope of taking action before some harmful downstream result.

In Context A, I did not focus on the end product failing, or on the wrong part entering the plant, but on the wrong part being selected by the supplier.

In Context C, I did not focus on the moment of the application failing, but on the service company's action.

In each case, I described the effect of the risk event on our plan.

You can imagine a risk register of, say, 50 risks on a critical initiative. If they are all just vague keyword phrases, then their assessment and associated treatment plans will be just as vague. Or, if they are overly complex, they will be unmanageable. But if the risk statements are specific, directly targeted to goals, and focused on upstream conditions susceptible to intervention, then you will have a tightly defined risk profile that you can act on.

Risk statements vs risk categories
There is a distinction between a risk category and a risk statement. Many people identify risks with two-word phrases: “reputation risk”; “construction risk”, and so on. These are not risk statements; they are general rubrics within which you must specify the risk in relation to a specific goal.

Conclusion
Formulate risk statements using the above guidelines. This gives you a highly valuable risk profile where the risk statements are amenable to aggregation, ranking and mitigation.

Notes
[1] The State of Risk Oversight: an Overview of Enterprise Risk Practices (ERM Initiative at North Carolina State University, in partnership with AICPA, 2023).
[2] The full method for High Quality Risk Assessment is set out in Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation.