How to generate a risk statement
Type in your risk identification elements to the left, then press the 'Generate Risk Statement' button below and your risk will appear here.
Copy and paste whichever of the four variations works best for your context.
Try changing the source of risk a few times or the risk event to see how the risk changes.
For example, an information breach due to untrained employees or petty criminals is a very different risk if the source is a foreign intelligence service or a competitor.
Why use CASE?
Terms such as terrorism, mechanical fault, cost overruns, data breach, or ransomware attack sound like risks. But they are too vague to evaluate, much less mitigate.
We need to understand at least the following four characteristics before we can analyze a risk:
Consequence – what is the likely impact of this risk?
Asset – what asset(s) are actually at risk?
Source – what are the hazards or threat actors might lead to the risk manifesting?
Event – what particular type of incident is being considered?
In this model, each term has specific meanings.
Consequence: This refers to the potential outcome or impact of a risk event. The consequence can be negative, such as financial loss, damage to reputation, or physical harm, or it can be positive, such as an unexpected gain or benefit. The consequence is often the primary focus of risk management efforts, as it represents the potential harm that the risk could cause.
Asset: This is the object of the risk, or what is at risk. An asset can be tangible, like a physical object, building, or piece of equipment, or intangible, like a brand's reputation, a company's intellectual property, or an individual's health or safety. Identifying the asset at risk is crucial to understanding the potential impact of the risk.
Source: The source can be a threat or a hazard. A source of risk is the potential cause or origin of the risk. The source of risk is critical to identify because it can help determine how the risk might be mitigated or managed. Sources of risk can include threats and hazards.
Hazards are of non-human origin and do not have intent. Hazards could include toxic chemicals, radiation, explosives, natural disasters, technological failure, or economic downturn.
Threats are of human origin and have the intent to harm. A threat actor could be a malicious individual, group, or nation-state. A threat actor may involve use hazard such as explosives, firearms, malware, etc.
Event: This is the specific incident or occurrence that represents the manifestation of the risk. An event could be a cyber attack, a data breach, a fire, a flood, a market crash, a product failure, or any other incident that poses a threat to the identified asset. The event is important to define because it helps to clarify the nature of the risk and can help to identify potential mitigation strategies.
If you are looking for inspiration, the following table has some examples of consequences, assets, sources, and events.
death or injury
cash and financial assets
loss of customers
data and information
business interruption or acceleration of operations
decrease or increase in market share
supply chain disruptions
decline or improvement in employee morale
supply chain disruption
theft or recovery of intellectual property
damage or improvement to the environment
pandemics or health crises
intellectual property theft
regulatory fines or incentives
physical security breach
loss or gain of competitive advantage
accidents or human errors
cybersecurity breach or improvement in cybersecurity posture
research and development
it system failure
product recall or successful product launch
loss or gain of strategic partnerships
licenses and permits
service disruption or enhancement
foreign intelligence services
data loss or recovery
loss or acquisition of key personnel
loss of key personnel
infrastructure damage or upgrade
health and safety protocols
operational inefficiencies or efficiencies
environmental sustainability initiatives
damage or enhancement to reputation
employees and contractors
financial loss or gain
buildings and property
Next steps: Assessing the risks
Now that you've identified your risks, it's time to manage them effectively. You might find our risk assessment template a valuable starting point to organize and monitor your risks.
For a more comprehensive solution, consider this robust risk management software tool that can help you rate, evaluate, report, and mitigate your risks. Don't let potential threats derail your success. Take control and manage your risks today!