First and foremost, a risk statement is a conversation between the risk owner and any stakeholders that have, or should have, an interest in the risk. It is also a record of your analysis, a baseline for initial and ongoing risk reporting, and a to-do list for the risk owner to monitor.
If your risk statement fulfils its role as a conversation between the risk owner and stakeholders, each stakeholder should have a clear appreciation of your position regarding the risk. That does not mean they have to agree with it; however, they will have enough information to engage with you and decide for themselves if they agree with the analysis or if they recommend changes.
In my view, the articulation of the risk should be with regard to a specific objective and be made up of a range of sources of risk taken to one and no more than two levels below the objective (see the Sources column in the example). If, in fact, the achievement of the higher-level objective is at high risk, then it may be warranted to continue well below the second level to get a clearer picture of what is driving the high risk level.
In my world of risk, it therefore follows that you can capture a strategic risk profile for an organisation in 5 to 9 risk statements (risks) because most organisations have around 4 to 6 objectives. Then you may need to add some specific “risk” objectives, such as one for safety if the organisation does not have a separate objective for safety or it is not sufficiently captured in a broader people objective.