Elements of a Risk Statement
It may be helpful to build lists of assets that could be affected. These are the potential Sources, Events, and Resources that are at risk, and the Consequences incurred if they are breached. Linking them into plausible scenarios can help to create risk statements.
Compromise of sensitive information (Resource) due to untrained staff (Source) inadvertently posting incorrect files to a public website (Event) causing competitive disadvantage and resulting in financial losses (Consequence).
IED Attack (Event) by Terrorists (Source) on one of our offices in Europe (Resource) causing multiple deaths (Consequence).
Writing a Risk Statement
There is no set way to write a risk statement, but there are several pitfalls that can be easily avoided.
A one-word risk statement such as ‘Terrorism’ or a phrase such as ‘Hackers accessing our network’ makes it difficult, if not impossible, to establish agreement on its rating or priority.
When expressing negative risks, it can be useful to start with the term “Failure to...”, “Limited...” or “Loss of...”. For example:
Failure to protect sensitive information (IP, intel reports, policy, etc.) from Foreign Intelligence Services exploiting audio and visual surveillance equipment.
Limited operating capital may lead to a lack of investment in security R&D with resulting negative impact on our objectives.
Loss of revenue due to reliance on a single large installation which is vulnerable to physical attack may have a negative impact on our objectives.
Similarly, positive risk can be expressed by using “...offers an opportunity to...” or “Potential to...”. For example:
Our experience with our corporate security operations center offers an opportunity to expand our managed services offerings and improve our finances.
Potential to operate in high-risk offshore environments more safely and at a lower cost than our competitors, due to our security team’s international experience.