2 What should a ‘well written’ risk statement contain?
A risk must also have certain key elements. As a minimum, these are generally root cause(s), an event and consequences. Recognising and identifying these elements is what constitutes a risk statement.
- A root cause – This is the origin of the risk, the reason(s) the risk exists. As an example, consider the root cause(s) of a fire – a supply of oxygen, a source of heat and a source of ignition. One interesting method of drilling down to the root cause of a risk is to keep asking ‘why’ in response to the feedback on a question. This interrogative technique is called the ‘Five Whys’ technique and is attributed to Sakichi Toyoda, the founder of Toyota Industries.
- An event – This is the risk itself, and normally the point where ‘control’ has been lost but the consequences have yet to occur. For example, the event for a fire is the fire breaking out, before any property has been damaged or people harmed. In the business example the event will be a failure in awareness of contract liabilities.
- A consequence – This is often described as the ‘so what?’ of risk management. These are the ‘events’ that occur as a result of the risk. Consequences should be measurable against the organisation’s objectives. The consequences for a fire may be damage to property, injury or loss of life, the financial cost of repairs and financial losses due to not being able to operate.
It is important to note that a risk may have more than one root cause and more than one consequence. You need to capture all root causes and all consequences when identifying a risk. You should also recognise that the same root cause may drive more than one event, and that the same consequences may arise from more than one event.
It is also important to identify risk ownership. In most cases the owner of the risk is the person who feels the impact of the consequences. However, this doesn’t mean that the risk owner has to personally complete all of the activities to treat the risks, which will be discussed in Session 5. There are often a number of other parties who support the risk owner to manage the risk.