The Key(s) to Writing Good Risk Statements
To effectively manage risk at an organization, risk must be identified and analyzed by an information systems professional. Risk factors should be communicated in a clear and concise manner so that they can be understood by all stakeholders. This can be achieved by writing an effective risk statement.
Indicators of a good, quality risk statement are that it can answer the following questions:
- What could happen?
- Why could it happen?
- Why should an enterprise care?
Summarizing risk identification and analysis in a statement is not a science and there is no specific formula to get it right. However, there is guidance provided in the International Organization for Standardization (ISO) standard ISO 31000:2009 Risk management—Principles and guidelines that can help to better articulate risk.
The key to writing a good risk statement is having a foundational understanding of risk components and their interrelationships. Understanding key risk-related terms, their definitions, the business and its objectives will result in more impactful risk articulation.
The key to writing a good risk statement is having a foundational understanding of risk components and their interrelationships.
Risk Terms and Definitions to Understand
To illustrate the application of risk terms and definitions in practice, one can consider a fictional bank with an objective to keep confidential customer information secure that is implementing a change to a highly complex customer account management system that handles customer information. The key definitions are:
- Risk—The effect of uncertainty on objectives 1
- Effect—A deviation from the expected. 2 The effect in the example is the deviation from the expected condition of customer information being kept secure. Expected conditions are those conditions that are expected by the bank’s stated objectives and policies.
- Uncertainty—The state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood. 3 Uncertainty in the example is from not fully understanding the consequences of the change due to the customer account management system being highly complex and inherently difficult to understand. The greater the complexity of the at-risk area, the greater the inherent uncertainty. The objective in the example is for the bank to keep confidential customer information secure.
- Event—An occurrence or change of a particular set of circumstances and can have several causes. 4 In the example, the event may appear to be the system change itself, but there is no direct effect on objectives if the change goes through without a problem. An event must have an effect on objectives. Data leakage related to problems with the change would be an event, as this directly affects the objective to keep confidential customer information secure.
- Cause—That which gives rise to any action, phenomenon or condition. 5 It is important not to mistake the cause for the event. In the example, defective changes, such as encryption algorithms not encrypting data as expected, cause data leakage. Defective changes do not have a direct effect on the objective of safeguarding customer information in and of themselves, and so should not be seen as an event in this case, but rather a cause. Data leakage, on the other hand, does have a direct impact on objectives so it would not be a cause in this scenario. A risk statement can contain multiple causes when applicable.
- Consequence—The outcome of an event affecting objectives. 6 This element of the risk statement is important because it highlights why one should care about the risk. It is crucial that this is relevant, plausible and, ideally, quantified to give this element meaning in real terms. A vague statement of “damage to reputation” is not enough. How will this damage to the organization’s reputation impact the organization? If the organization is an effective monopoly, reputational damage may not be an issue. The consequence ideally needs to be quantified using industry research data, internal management information or known cause-and-effect relationships, such as known fixed fines levied by regulators or known customer impacts for instances of customer data leakage. A good example of this is the maximum fine of UK £500,000 that can be levied by the UK Information Commissioner’s Office for confidential customer data leakage incidents or alternatively customer churn of 6.4% derived from industry research reports.
- Likelihood—The chance of something happening; risk is a combination of potential events and consequences along with the associated likelihood of occurrence. 7 In the example, “something” refers to the combination of potential events and consequences. Likelihood can be reasonably estimated through frequency analysis of similar events in the industry, specific technology from internal organization incident or issue databases and consultation with subject matter experts. So, considering the example, the risk analyst might look at the number of loss events in the past 12 months registered in an internal loss event database, an external database such as the Privacy Rights Clearinghouse, or a media scan, where causes related to poorly controlled changes are recorded. Looking at the frequency of these events over the total number of changes made would give a basic estimation of the likelihood of the event recurring.
Based on these definitions, a risk statement should look something like:
(Event that has an effect on objectives) caused by (cause/s) resulting in (consequence/s).
An alternative version reads:
(Event that has an effect on objectives) caused by (cause/s). This may result in (consequence/s).
The latter version is better to use if the risk statement sentence would be too long and needs to be broken up to improve clarity. This might happen, for example, if there are many key risk causes.
Taking the previous example to illustrate this, if the bank’s objective is to “keep confidential customer information secure” and the event is customer data leakage, corruption or unavailability caused by defective system changes, the risk statement could be:
Customer data leakage, corruption or unavailability caused by defective system changes resulting in financial fraud losses of UK £1 million and an Information Commissioner’s Office fine of UK £500,000, customer churn of 6.4%, and regulatory sanction by the Prudential Regulation Authority.
Data leakage, corruption and unavailability are information security failure events. That is, keeping information secure (the objective) has deviated from (the effect). The unauthorized, defective or unfit changes are the causes of this effect on objectives, while the consequences are defined in terms of what happens if the organization fails to meet its objective.
Conclusion
Risk can be more effectively understood and managed if it is clearly articulated. This can be achieved by referring to risk definitions while writing risk statements. Understanding the objectives at risk is also key. IS audit and control professionals must create concise risk statements that are information-rich and relevant to the situation and the audience to ensure that the risk statements have an impact and support effective risk management.
Editor’s Note
This article is excerpted from an article that appeared in the ISACA ® Journal. Read the full article, “Writing Good Risk Statements,” in vol. 3, 2014, of the ISACA Journal.
Endnotes
1 International Organization for Standardization, ISO 31000:2009, Risk Management—Principles and Guidelines, Switzerland, 2009
2 Ibid.
3 Ibid.
4 Ibid.
5 Oxford University Press, Oxford English Dictionary, UK, 2013
6 Op cit, International Organization for Standardization
7 Ibid.
Benjamin Power, CISA, CPA
Has worked in the IS audit, control and security field internationally for more than 10 years in the financial services, energy, retail and service industries, and government sectors. Power is an experienced risk and audit professional who has a practical background in IT development and management, enterprise governance and accounting.