Risk Statement: Definition, Formula & Examples
Governance Glossary. Published: May 5, 2025. Last Reviewed: March 16, 2026.
Key Takeaways
- A risk statement describes a potential event, its driver (cause), and its impact on the organisation.
- Risk statements follow the format: 'If [event] occurs due to [driver], the consequence could be [impact].'
- They work for both threats (negative impact) and opportunities (positive impact).
- Risk statements should be specific enough to guide action but broad enough to remain relevant over time.
- They feed into the risk register and risk appetite framework as part of the overall risk management process.
A risk statement (or statement of risk) describes what could go wrong (or right), why it might happen, and what the consequences would be. It is a standard part of the risk management process, used to make threats and opportunities concrete enough for a board to act on.
Risk statements tell staff which strategic priorities and operational processes matter most, why the organisation has chosen particular risk responses, and what to do if a risk materialises.
They also force clarity. Writing a risk statement often exposes gaps in action plans or reveals where risk management activity is not actually connected to the organisation’s mission. Risk statements are a component of the risk management process described in AS/NZS ISO 31000:2018, the international standard for risk management adopted in Australia and New Zealand.
Once drafted, each risk statement is typically scored for likelihood and impact using a risk matrix and recorded in the organisation’s risk register.
What is a risk statement for?
Risk statements apply across most areas of an organisation: capital and asset management, conflicts of interest, finances, governance, human resources, privacy, IT, and legal liability. They are also useful for policy development, organisational change, and program design.
On the external side, a well-written risk statement helps identify reputational risks and sets the foundation for conversations with partners and stakeholders. Boards dealing with ethics concerns or political advocacy work will find that a clear risk statement makes it easier to explain decisions to people outside the organisation.
Types of risk statements: broad vs specific
Risk statements can cover threats (negative impact) or opportunities (positive impact). They can also be broad or specific.
A broad risk statement covers a recurring concern — for example, “handling and storing sensitive information.” These statements tend to stay relevant over longer periods. A specific risk statement targets a particular incident or change — say, a new software integration that could fail. Specific statements are more actionable but need updating more often.
How to write a risk statement
“The key to writing a good risk statement is having a foundational understanding of risk components and their interrelationships,” says Benjamin Power, CISA, CPA. Risk statements have three components: the risk event, the risk cause, and the risk impact. A risk event is a situation that could create an issue for the organisation. The risk cause is the reason the risk event may happen, for example a loss of financial resources or human error. The risk impact is the effect on operations if the event occurs, for example a fine or damaged reputation.
A risk statement should describe a specific threat or opportunity and its consequence for the organisation. In some cases, the driver (reason) for the threat or opportunity can be included in the language. When crafting a risk statement, be clear and concise, and make sure the three key elements have been well defined: event, driver, and impact. Here is how to structure a risk statement for a threat versus an opportunity.
Threat format:
If (EVENT) occurs due to (DRIVER), the consequences could result in (NEGATIVE IMPACT).
Opportunity format:
If (EVENT) occurs due to (DRIVER), the consequences could result in (POSITIVE IMPACT).
The consequences of a specific or broad risk show why the risk is relevant to the business activities. As such, they should be quantified when possible, based on fact-finding, industry research data, and internal reports, so that their relationship to the work is understood.
Here is an example of each:
- Threat: If our customer data is leaked due to outdated IT security processes, the consequences could result in a Privacy Act breach, with penalties that can reach $50 million or more for serious or repeated interference.
- Opportunity: If further operational realignment happens, there is an opportunity to partner with portfolio agencies to improve service delivery efficiencies.
There are plenty of risk statement templates available online. The Western Australian Government publishes a Generic Risk Statement Database designed for emergency management, which can be adapted for organisational governance use.
Common mistakes in risk statements
Vague language. Statements like “there is a risk to our finances” give no actionable information. Name the specific event, driver, and consequence.
Missing the driver. Describing the event and impact without explaining the cause makes it harder to design a response.
Conflating multiple risks. Each risk statement should describe one event. Combining several risks into a single statement obscures priorities and complicates scoring in the risk register.
How to use a risk statement
A risk statement is usually added to the corporate risk profile, a document that provides context about the potential impact of each risk on organisational goals. One organisation may develop several risk statements for a variety of issues. Together they should help the reader understand what could happen, why it may happen, and why the organisation should care.
Risk statement writing goes hand in hand with the risk identification and assessment process, which documents each risk and assesses its likelihood and severity. It is meant to help risk managers understand the impact of particular risks and what drives them. Ideally, a risk statement helps board members communicate each risk and its threat (or opportunity) to others. Risk statements are therefore an important element of internal and external communication strategies.
Frequently Asked Questions
What is a Risk Statement and why is it important?
- Definition: A Risk Statement is a concise administrative tool that identifies a potential event (threat or opportunity), its cause (driver), and its impact on the organisation.
- Importance: It clarifies risks for decision-makers, raises awareness of priorities, and guides the design of action plans, helping to align risk management with strategic objectives.
What are the three key components of a well-written Risk Statement?
- Event: The situation that could occur (e.g., data breach, regulatory change).
- Driver: The root cause or reason the event might happen (e.g., outdated IT processes, human error).
- Impact: The consequence if the event occurs (e.g., financial loss, reputational damage), ideally quantified when possible.
How do I structure a Risk Statement for a negative event versus an opportunity?
- Threat format: If (EVENT) occurs due to (DRIVER), the consequences could result in (NEGATIVE IMPACT).
- Opportunity format: If (EVENT) occurs due to (DRIVER), the consequences could result in (POSITIVE IMPACT).
- Example (Threat): If our customer data is leaked due to outdated IT security processes, the consequences could result in a Privacy Act breach, with penalties that can reach $50 million or more for serious or repeated interference.
- Example (Opportunity): If further operational realignment happens, there is an opportunity to partner with portfolio agencies to improve service delivery efficiencies.
When should I use broad versus specific Risk Statements?
- Broad statements: Capture common threats/opportunities over time (e.g., handling sensitive information) to provide stability in risk profiles.
- Specific statements: Target detailed, less-common incidents identified by decision-makers (e.g., a new software integration failure) to drive precise action.
How can I integrate Risk Statements into our risk management process?
- Corporate risk profile: Add each Risk Statement to document context, likelihood, and severity.
- Assessment & prioritisation: Use statements during risk identification to score and rank risks by impact.
- Communication: Share with board members and staff to explain why certain responses are needed and how they support strategic goals.
Podcast Episode: Risk Statements
Check out the Our Cat Herder Herding Cats discussion on Risk Statements.
Additional Resources
Risk Statement Brainstorm Exercise (WA Emergency Management)
Keeping Your Reputation – Integrity Risks for NFPs
Better Boards connects the leaders of Australasian non-profit organisations to the knowledge and networks necessary to grow and develop their leadership skills and build a strong governance framework for their organisation.