Vague risk statements lead to poor risk response planning. When organizations or project teams fail to respond to significant risks (i.e., threats and opportunities), these groups fail to achieve their goals and reach their potential. Risk management starts with identifying risks and writing clear risk statements.
Why do people define risks poorly? I am convinced that most people simply don’t know how. Allow me to share some simple tips that can improve your ability to write clear risk statements.
Test Your Risk Statements
When I ask someone to identify a risk, individuals often respond with something like “there is a conflict between two executive sponsors” or “the estimates are incorrect” or “we are experiencing system outages.” But these are facts or conditions that are true, not statements of uncertainty. In other words, these are causes that give rise to uncertain events or conditions.
When asked to identify a health-related risk, someone might answer humorously, “Smoothie King’s Hulk Strawberry Smoothies.” But the smoothies are the cause of the risk.
The risk–the uncertainty–is that we may gain excessive weight leading to a higher chance of high blood pressure, heart disease, and cancer. (The calories are more than two Big Macs put together. And that’s just the small!)
As you write your risk statements, try this syntax:
I start by writing the risk portion–the uncertain event or condition.
When defining risks, think about what may or may not happen. Risks by definition are uncertain events or conditions, not things that have already happened. (Threats that have occurred are called issues; opportunities that have occurred are benefits. Issues and benefits require management too.)
Want to improve results with better risk statements for the enterprise, program, and project risks? Ask yourself the following litmus test questions:
- Is the risk tied to a corporate, department, or team goal?
- Does the risk statement focus on uncertain events or conditions?
- Is the risk clearly defined and specific?
- Does the risk statement drive clear response plans?
Let’s focus on the third criteria: Is the risk clearly defined and specific?
The Evolution of Risk Statements
Imagine that we are having a discussion about an enterprise risk – the aging workforce – at the FeelSecure Insurance Company. Someone makes the point that we are losing knowledge every time someone retires and walks out the door, especially with individuals with 30 years or more of experience.
So let’s write a risk statement.
Risk Statement Example
Look at this Risk statement:
Because Baby Boomers are retiring, the FeelSecure Insurance Company may lose valuable knowledge resulting in adverse impacts to our future.
Let’s test the risk statement.
- Is the risk tied to a corporate, department, or team goal? The risk does not apply to a specific goal.
- Does the risk statement focus on uncertain events or conditions? Somewhat but it could be better.
- Is the risk clearly defined and specific? No. The statement is general.
- Does the risk statement drive clear response plans? No.
You may be wondering:
How could we narrow the focus and write new risk statements specific to a department?
Improved Risk Statement
Here are some revised statements:
Risk statement: Because Claims personnel are retiring (a fact that gives rise to uncertainty), Claims may lose knowledge and skills concerning the Fleet claim process (uncertain condition) resulting in a possible increase in the Fleet loss ratio (impact to objective).
Risk statement: Ten percent of the Underwriters have retired in the last year (a fact that gives rise to uncertainty). The Underwriting Department may lose knowledge and skills for underwriting Commercial Package Policy (uncertain condition). This would lead to an increase in the Commercial Package Policy loss ratio (impact to objective).
Risk statement: Two of the five Cobol programmers have moved to other positions in FeelSecure. IT may not be able to complete the Cobol work for the upcoming strategic projects (uncertain condition), reducing our ability to move legacy homeowner policies to newer, more modern systems (impact to objective).
Better Risk Response Planning
Imagine trying to develop response plans for the first risk definition. You might say that we need to mitigate the risk, but the risk statement lacks specificity. We are not sure of how to respond to achieve our goals.
Now imagine defining response plans for the second risk definitions. The risk statements are clear and specific. Consequently, we know where to attack. The response plans may be defined in ways that produce stronger operational results.
Here are some examples of risk response plans to address knowledge gap risks:
- Identify specific knowledge and skills needed for the future.
- Find and bridge employee knowledge gaps
- Identify individuals nearing retirement (within the next three years) that possess the knowledge and skills.
- Hire back former employees as consultants.
- Identify the knowledge that needs to be transferred (e.g., customer knowledge, product knowledge, technical knowledge).
- Identify who you’re going to transfer the knowledge to or how you will capture the knowledge (e.g., video logs, documentation).
Review your risks in your risk register. Look for ways to make the risk statements clear and specific using the four litmus test questions. Like most things, the more you do this, the easier it gets. Then define risk response plans that will drive significantly better results.
Join the 21 Day Challenge
Receive daily emails--learn to identify, evaluate, respond to, and control project risks.
Spend five minutes per day for 21 days--discover practical risk management techniques that can help you turn uncertainty into success!