Management

Risk description

To fully understand a risk, a detailed description is necessary so that a common understanding of the risk can be established and ownership and responsibilities are clearly understood. Table 1.2 sets out the range of information that must be recorded to fully understand a risk. The list in Table 1.2 is most applicable to hazard risks and will need to be modified to provide a full description of control or opportunity risks.

So that the correct range of information can be collected about each risk, the distinction between hazard, control and opportunity risks needs to be clearly understood. The example below is intended to distinguish between these three types of risk, so that the information required in order to describe each type of risk can be identified.

Table 1.2 Risk description

•    Name or title of risk
•    Statement of risk, including scope of risk and details of possible events and dependencies
•    Nature of risk, including details of the risk classification and timescale of potential impact
•    Stakeholders in the risk, both internal and external
•    Risk attitude, appetite, tolerance or limits for the risk
•    Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
•    Control standard required or target level of risk
•    Incident and loss experience
•    Existing control mechanisms and activities
•    Responsibility for developing risk strategy and policy
•    Potential for risk improvement and level of confidence in existing controls
•    Risk improvement recommendations and deadlines for implementation
•    Responsibility for implementing improvements
•    Responsibility for auditing risk compliance