top of page

How to generate a risk statement

Type in your risk identification elements to the left, then press the 'Generate Risk Statement' button below and your risk will appear here.

Copy and paste whichever of the four variations works best for your context.

Try changing the source of risk a few times or the risk event to see how the risk changes.

For example, an information breach due to untrained employees or petty criminals is a very different risk if the source is a foreign intelligence service or a competitor.

Why use CASE?

Terms such as terrorism, mechanical fault, cost overruns, data breach, or ransomware attack sound like risks. But they are too vague to evaluate, much less mitigate.

We need to understand at least the following four characteristics before we can analyze a risk:

  • Consequence – what is the likely impact of this risk?

  • Asset – what asset(s) are actually at risk?

  • Source – what are the hazards or threat actors might lead to the risk manifesting?

  • Event – what particular type of incident is being considered?

In this model, each term has specific meanings.

​

  1. Consequence: This refers to the potential outcome or impact of a risk event. The consequence can be negative, such as financial loss, damage to reputation, or physical harm, or it can be positive, such as an unexpected gain or benefit. The consequence is often the primary focus of risk management efforts, as it represents the potential harm that the risk could cause.
     

  2. Asset: This is the object of the risk, or what is at risk. An asset can be tangible, like a physical object, building, or piece of equipment, or intangible, like a brand's reputation, a company's intellectual property, or an individual's health or safety. Identifying the asset at risk is crucial to understanding the potential impact of the risk.
     

  3. Source: The source can be a threat or a hazard. A source of risk is the potential cause or origin of the risk. The source of risk is critical to identify because it can help determine how the risk might be mitigated or managed. Sources of risk can include threats and hazards.

    1. Hazards are of non-human origin and do not have intent. Hazards could include toxic chemicals, radiation, explosives, natural disasters, technological failure, or economic downturn.  

    2. Threats are of human origin and have the intent to harm. A threat actor could be a malicious individual, group, or nation-state. A threat actor may involve use hazard such as explosives, firearms, malware, etc.
       

  4. Event: This is the specific incident or occurrence that represents the manifestation of the risk. An event could be a cyber attack, a data breach, a fire, a flood, a market crash, a product failure, or any other incident that poses a threat to the identified asset. The event is important to define because it helps to clarify the nature of the risk and can help to identify potential mitigation strategies.

If you are looking for inspiration, the following table has some examples of consequences, assets, sources, and events.

Consequences
Assets
Sources
Events
death or injury
cash and financial assets
competitors
natural disaster
legal penalties
intellectual property
malicious insiders
industrial accident
loss of customers
data and information
economic downturns
product recall
business interruption or acceleration of operations
brand reputation
technology failures
market crash
decrease or increase in market share
customer relationships
supply chain disruptions
regulatory violation
decline or improvement in employee morale
supply chains
regulatory changes
supply chain disruption
theft or recovery of intellectual property
it infrastructure
terrorist attacks
insider threat
damage or improvement to the environment
product inventory
pandemics or health crises
intellectual property theft
regulatory fines or incentives
strategic partnerships
political instability
physical security breach
loss or gain of competitive advantage
market position
accidents or human errors
legal dispute
cybersecurity breach or improvement in cybersecurity posture
research and development
market fluctuations
it system failure
product recall or successful product launch
operational processes
social unrest
terrorism attack
loss or gain of strategic partnerships
licenses and permits
environmental hazards
employee strike
service disruption or enhancement
natural resources
foreign intelligence services
ransomware
data loss or recovery
capital equipment
data breaches
environmental catastrophe
loss or acquisition of key personnel
business strategies
product failures
loss of key personnel
infrastructure damage or upgrade
health and safety protocols
legal disputes
fraudulent activity
operational inefficiencies or efficiencies
environmental sustainability initiatives
untrained staff
infrastructure failure
damage or enhancement to reputation
employees and contractors
cyber criminals
cyber attack
financial loss or gain
buildings and property
climate
data breach

Next steps: Assessing the risks

Now that you've identified your risks, it's time to manage them effectively. You might find our risk assessment template a valuable starting point to organize and monitor your risks.

 

For a more comprehensive solution, consider this robust risk management software tool that can help you rate, evaluate, report, and mitigate your risks. Don't let potential threats derail your success. Take control and manage your risks today!

Best Sellers

bottom of page