How to generate a risk statement
Type in your risk identification elements to the left, then press the 'Generate Risk Statement' button below and your risk will appear here.
Copy and paste whichever of the four variations works best for your context.
Try changing the source of risk a few times or the risk event to see how the risk changes.
For example, an information breach caused by untrained employees or petty criminals is a very different risk from one whose source is a foreign intelligence service or a competitor.
Why use CASE?
Terms such as terrorism, mechanical fault, cost overruns, data breach, or ransomware attack sound like risks. But they are too vague to evaluate, much less mitigate.
We need to understand at least the following four characteristics before we can analyze a risk:
- Consequence – what is the likely impact of this risk?
- Asset – what asset(s) are actually at risk?
- Source – what hazards or threat actors might lead to the risk manifesting?
- Event – what particular type of incident is being considered?
In this model, each term has specific meanings.
- Consequence: This refers to the potential outcome or impact of a risk event. The consequence can be negative, such as financial loss, damage to reputation, or physical harm, or it can be positive, such as an unexpected gain or benefit. The consequence is often the primary focus of risk management efforts, as it represents the potential harm that the risk could cause.
- Asset: This is the object of the risk, or what is at risk. An asset can be tangible, like a physical object, building, or piece of equipment, or intangible, like a brand's reputation, a company's intellectual property, or an individual's health or safety. Identifying the asset at risk is crucial to understanding the potential impact of the risk.
- Source: A source of risk is the potential cause or origin of the risk, and can be either a threat or a hazard. The source of risk is critical to identify because it can help determine how the risk might be mitigated or managed.
  - Hazards are of non-human origin and do not have intent. Hazards could include toxic chemicals, radiation, explosives, natural disasters, technological failure, or economic downturn.
  - Threats are of human origin and have the intent to harm. A threat actor could be a malicious individual, group, or nation-state. A threat actor may make use of hazards such as explosives, firearms, malware, etc.
- Event: This is the specific incident or occurrence that represents the manifestation of the risk. An event could be a cyber attack, a data breach, a fire, a flood, a market crash, a product failure, or any other incident that poses a threat to the identified asset. The event is important to define because it helps to clarify the nature of the risk and can help to identify potential mitigation strategies.
If you are looking for inspiration, the following table has some examples of consequences, assets, sources, and events.
Consequences | Assets | Sources | Events |
---|---|---|---|
death or injury | cash and financial assets | competitors | natural disaster |
legal penalties | intellectual property | malicious insiders | industrial accident |
loss of customers | data and information | economic downturns | product recall |
business interruption or acceleration of operations | brand reputation | technology failures | market crash |
decrease or increase in market share | customer relationships | supply chain disruptions | regulatory violation |
decline or improvement in employee morale | supply chains | regulatory changes | supply chain disruption |
theft or recovery of intellectual property | IT infrastructure | terrorist attacks | insider threat |
damage or improvement to the environment | product inventory | pandemics or health crises | intellectual property theft |
regulatory fines or incentives | strategic partnerships | political instability | physical security breach |
loss or gain of competitive advantage | market position | accidents or human errors | legal dispute |
cybersecurity breach or improvement in cybersecurity posture | research and development | market fluctuations | IT system failure |
product recall or successful product launch | operational processes | social unrest | terrorist attack |
loss or gain of strategic partnerships | licenses and permits | environmental hazards | employee strike |
service disruption or enhancement | natural resources | foreign intelligence services | ransomware |
data loss or recovery | capital equipment | data breaches | environmental catastrophe |
loss or acquisition of key personnel | business strategies | product failures | loss of key personnel |
infrastructure damage or upgrade | health and safety protocols | legal disputes | fraudulent activity |
operational inefficiencies or efficiencies | environmental sustainability initiatives | untrained staff | infrastructure failure |
damage or enhancement to reputation | employees and contractors | cyber criminals | cyber attack |
financial loss or gain | buildings and property | climate | data breach |
Next steps: Assessing the risks
Now that you've identified your risks, it's time to manage them effectively. You might find our risk assessment template a valuable starting point to organize and monitor your risks.
For a more comprehensive solution, consider this robust risk management software tool that can help you rate, evaluate, report, and mitigate your risks. Don't let potential threats derail your success. Take control and manage your risks today!