Close

On this page

There are two reasons for investing time into describing a risk in a precise and unambiguous way.

The first is it’ll help you validate that you’ve actually identified an event that’s a risk to your objectives.

It’ll also help you validate that your risk assessment was thorough and generated the information you need to manage the risk effectively. That is information about

  • the nature of the potential event
  • its causes
  • its likelihood
  • its consequences
  • the impact those consequences might have on various stakeholders and partners
  • potential indicators that could help you track changes in the likelihood and consequences of the risk
  • where the risk stands in relation to your organisation’s risk appetite and tolerances.

Second, and perhaps more importantly, it’ll help you share that information with others within and outside the organisation so that

  • it informs decision-making
  • your risk management work is accountable and transparent to others
  • other decision-makers and partners can quickly grasp what it is they’re managing, if they become involved
  • you can influence potential partners in managing the risk
  • other decision-makers don’t re-do work already done.

What do you need to describe?

A full description of a risk will capture all aspects of a risk: the event at the heart of your risk, the causes and consequences, and its likelihood.

This rich information is important for the work of controlling risk and accountability. The bigger the risk, the more people involved in its management, the higher the costs of controlling it, the more you need to know and the more information you need to share.

A full description of the risk is what you should aim for. We recommend, though, that you start with a simple statement of the event that’s a risk to your objectives, together with the causes and consequences of that event.

You can then work up your description iteratively and use it to

  • build your own understanding of risk, starting from the event and building up a picture of its causes and consequences
  • get buy-in from others, and
  • capture rich information about risk for effective management.

Once you have your full description, you can summarise it to make it clear how the risk relates to your objectives. This will be useful for

  • reporting to your responsible body and audit and risk committee
  • annual reports
  • strategy
  • policy
  • business planning

Whatever you do, remember - the point is to capture information from your risk assessment and share it for the purposes of managing the risk.

Image of a circular process. Starting at one o'clock and moving in clockwise direction the first text box says, Start with an initial statement of the event and its causes and consequences. The second text box says, Refine the description as you proceed with your analysis. The third text box at six o'clock says, Make sure your growing understanding of the risk is reflected in the description. The fourth text box says, Show how the consequences affect your objectives. The final text box says, Finish with a full description for your risk register. 

When do you describe?

Your complete description needs to hold information about

  • the event which you’ve identified as a risk to your objectives
  • your analysis of its causes, consequences and likelihood
  • your evaluation of the risk.

So the best time to focus on a good description is when you’re identifying, analysing and evaluating the risks to your objectives. The tools and techniques we gave you in the above topic will generate the information you need to manage the risk. This information needs to be captured in the description and communicated to others.

How you use these tools and techniques is up to you. You might use them in project meetings, board meetings, as part of a workshop or while analysing the costs and benefits of various options. Always be ready to refine your description when you have new information or when there’s a change in your objectives or context.

Always be prepared to review and refine your description as your risk changes or your knowledge of its causes, consequences and likelihood improves.

The bow tie technique

Use the bow tie to structure your analysis, at the beginning when you’re forming your initial statement and right through to a full description of your risk.

The bow tie is useful because it focusses on the causes and consequences that show how an event can matter to your objectives.

It also makes it clear to others what your reasons are for thinking this event could be a risk.

Image of a risk bowtie. At the centre is the event. On the left side of the event are three causes and on the right side are three consequences, creating a bowtie.

Don’t forget likelihood

The bow tie shows before and after the event so that you can distinguish causes from consequences. It doesn’t indicate anything about when this event might happen.

The bow tie helps, though, because unless you describe a potential event in specific terms, it’ll be difficult to talk meaningfully about when it could happen.

So, to complete your description of a risk, you’ll need to include your analysis of its likelihood. That could be an objective probability, or it could be an ordinal or relative evaluation, which will serve the purpose of prioritising risks for action and tracking change.

The back-to-the-future technique

The bow tie technique is great for breaking up risk into components and putting it all back together. You can use it to build a rich picture of your risk that can be communicated widely to decision-makers and management partners.

Sometimes, you need a more open way to generate the words to describe the risks to your objectives; for example, when you’re working with the members of your responsible body.

For these situations, you could use a facilitated workshop where you elicit the words you need with a series of questions. You can then take away the results to polish into a full assessment and description of the risks.

We recommend you frame this as looking back from a point in the future to now. So …

Looking back, we might say ...

Because of X, we could not reach our objective at all or in the way that we wanted to.

  • What is 'X' exactly?
  • How did it stop us from fully reaching our objective?
  • When did it happen?
  • Why did it happen?
  • How could we have seen it coming?
  • Was it bound to happen, or could we have done something about it?
  • What do we mean 'Because of'?
  • Why did it stop us from reaching our objective?
  • How did we want to achieve this objective? Within budget? In collaboration with partners?

Do it strategically

You should use these techniques here, and in the topic on identifying, analysing and evaluating risks, to drive your analysis, make your consultation rewarding, and communicate effectively with colleagues and partners.

Decide what you need to do for the stage of risk management you’re at.

If you need to start a group discussion on a range of potential risks, then use the bow tie technique just enough to isolate some plausible events for group discussion.

If you need to do a thorough analysis of causes and consequences so that you can work out how best to control the risk or minimise your insurable risk, then work the bow tie technique as hard as you can to capture information for management.

If you need to identify the risk indicators you need to watch, then use the bow tie to focus on causes and consequences.

And if you want to make sure you thoroughly understand a risk before opening a discussion with a potential partner about a shared risk, use the bow tie to map out the causes and consequences of a risk and how they play out in your shared context. This will help you get buy-in.

Make it a rich source of information for decision-makers

Risk management is about controlling, where you can, the risks to your objectives. A good description makes your job easier by sharing information with other people in your organisation. To do that, it should

  • be expressed in terms that are specific to your organisation
  • make sense in the internal and external context you’re working in
  • mobilise the right people who’ll be able to recognise the role they can play in managing the risk.
  • have clear links to your strategy.

A good description will also reveal when you’ve identified a risk that needs to be shared or which is of state significance. This is taking the wide view of your external context.

It’ll help you influence potential partners or escalate it quickly to the right decision-maker if it’s a state-significant risk. Even if your organisation’s not the control owner, it’ll give the risk owners and their partners a head start.

A good description is objective, but also evaluative. Your description should make it clear why this potential event needs the organisation’s attention.

Get the information into your risk register

Your risk register captures this information in a readily accessible form. It’s an important reference for the executive team and the responsible body as they steer the organisation towards its objectives. They need to see well-described risks.

Make sure your risk register is functioning well as part of your risk management framework and your work to stay within your responsible body’s risk appetite.

We also recommend that you invest in these skills and make it part of your risk culture that you return to and refine your assessment and description of your risks.

Here are two templates you can use for your risk register, depending on whether you’re at the Foundational level or Embedding and Optimising.

Keep it alive

Finally, risk description, like risk assessment, is iterative. Always be prepared to refine your description so that it’s informative, relevant to the audience, and useful for the task at hand.

Provide feedback

Did the information on this page meet your needs?