The Key(s) to Writing Good Risk Statements

To effectively manage risk at an organization, risk must be identified and analyzed by an information systems professional. Risk factors should be communicated in a clear and concise manner so that they can be understood by all stakeholders. This can be achieved by writing an effective risk statement.

Indicators of a good, quality risk statement are that it can answer the following questions:

Summarizing risk identification and analysis in a statement is not a science and there is no specific formula to get it right. However, there is guidance provided in the International Organization for Standardization (ISO) standard ISO 31000:2009 Risk management—Principles and guidelines that can help to better articulate risk.

The key to writing a good risk statement is having a foundational understanding of risk components and their interrelationships. Understanding key risk-related terms, their definitions, the business and its objectives will result in more impactful risk articulation.

Risk Terms and Definitions to Understand

To illustrate the application of risk terms and definitions in practice, one can consider a fictional bank with an objective to keep confidential customer information secure that is implementing a change to a highly complex customer account management system that handles customer information. The key definitions are:

Based on these definitions, a risk statement should look something like:

(Event that has an effect on objectives) caused by (cause/s) resulting in (consequence/s).

An alternative version reads:

(Event that has an effect on objectives) caused by (cause/s). This may result in (consequence/s).

The latter version is better to use if the risk statement sentence would be too long and needs to be broken up to improve clarity. This might happen, for example, if there are many key risk causes.

Taking the previous example to illustrate this, if the bank’s objective is to “keep confidential customer information secure” and the event is customer data leakage, corruption or unavailability caused by defective system changes, the risk statement could be:

Customer data leakage, corruption or unavailability caused by defective system changes resulting in financial fraud losses of UK £1 million and an Information Commissioner’s Office fine of UK £500,000, customer churn of 6.4%, and regulatory sanction by the Prudential Regulation Authority.

Data leakage, corruption and unavailability are information security failure events. That is, the objective of keeping information secure has been deviated from (the effect). The unauthorized, defective or unfit changes are the causes of this effect on objectives, while the consequences are defined in terms of what happens if the organization fails to meet its objective.

Conclusion

Risk can be more effectively understood and managed if it is clearly articulated. This can be achieved by referring to risk definitions while writing risk statements. Understanding the objectives at risk is also key. IS audit and control professionals must create concise risk statements that are information-rich and relevant to the situation and the audience to ensure that the risk statements have an impact and support effective risk management.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA® Journal. Read the full article, “Writing Good Risk Statements,” in vol. 3, 2014, of the ISACA Journal.

Endnotes

1 International Organization for Standardization, ISO 31000:2009, Risk Management—Principles and Guidelines, Switzerland, 2009
2 Ibid.
3 Ibid.
4 Ibid.
5 Oxford University Press, Oxford English Dictionary, UK, 2013
6 Op cit., International Organization for Standardization
7 Ibid.

Benjamin Power, CISA, CPA

Has worked in the IS audit, control and security field internationally for more than 10 years in the financial services, energy, retail and service industries, and government sectors. Power is an experienced risk and audit professional who has a practical background in IT development and management, enterprise governance and accounting.