Rookie error: Documenting issues as risks

The Risk Professionals Weekly Newsletter


20 May 2024


If the title of this article makes you shudder, then you are my people. Ideally, this article is telling you to suck eggs. Alas, I still work with Heads of Risk who document issues as risks. It is not just business folk with limited risk training but so-called risk professionals who can fall foul.

I haven’t seen a simple, easy-to-digest breakdown of how to craft a risk description, so I thought I’d pull one together this morning.

The risk description should clearly and concisely explain the nature of the risk, its causes, and potential consequences. Here’s a breakdown of how to write an effective risk description:

Components of a Risk Description

  1. Nature of the Risk: What could go wrong?

  2. Cause of the Risk: Why could it go wrong?

  3. Consequence of the Risk: What would be the impact if it goes wrong?

Example Structure

Risk Description:

  • Nature of the Risk: Describe the event or condition that poses a risk.

  • Cause of the Risk: Identify the root causes or contributing factors.

  • Consequence of the Risk: Outline the potential impacts or outcomes.

Note: Ideally it is kept to one sentence. Two maximum.

Example Risk Description

Third Party Risk Description:

The risk of disruptions in service delivery due to third-party vendors failing to meet contractual obligations, which could result in operational delays, increased costs, and potential damage to customer relationships.

Breakdown:

  • Nature of the Risk: The company may experience disruptions in service delivery.

  • Cause of the Risk: Third-party vendors failing to meet contractual obligations.

  • Consequence of the Risk: Operational delays, increased costs, and potential damage to customer relationships.

Another Example

Regulatory Change Risk Description:

The risk of failure to comply with new/amended regulatory requirements due to insufficient awareness and inadequate internal controls, which could result in legal penalties and reputational damage.

Breakdown:

  • Nature of the Risk: The company may fail to comply with new/amended regulatory requirements.

  • Cause of the Risk: Insufficient awareness and inadequate internal controls.

  • Consequence of the Risk: Legal penalties and reputational damage.

Tips for Writing Risk Descriptions

  1. Be Specific: Clearly define the risk event and its context.

  2. Be Objective: Avoid using vague or subjective terms.

  3. Be Comprehensive: Ensure all aspects (nature, cause, and consequence) are covered.

  4. Be Concise: Keep it clear and to the point, avoiding unnecessary details.

Template for a Risk Description

“The risk of [describe the event or condition] due to [identify the cause], which could result in [outline the potential impacts].”

My Two Cents

The majority of risk descriptions in Australia seem to start off with “The risk that ….” I’m on a mission to remove the redundant “that” which exists in the world. If you can remove the word “that” and the sentence still has the same meaning, then delete it. This is why I start my risk descriptions with the more grammatically correct “The risk of …”

Risk statement is also a term used interchangeably with risk description. I prefer risk description as I feel like a risk statement could mean a number of things whereas risk description can only ever be describing the risk.

Conclusion

Maybe it is an assumption that risk professionals know how to draft risk descriptions, but in my experience even senior people don’t. By using the template above and being clear at the beginning of any activity where you are documenting/editing risks, you can drive consistency in risk descriptions and make sure issues are not being captured as risks.

Closing Thoughts

I think so many people struggle with risk descriptions because there is a lack of education and documentation in an organisation. Reading the above, it is clear it is not a difficult task. Then why do so many continue to stuff it up? I encourage you to review your organisation’s maturity and analyse if it needs an uplift. Perhaps you can use the above to support you.

Now, what would you do differently and what help do you need to get there?
