top of page
  • Julian Talbot

The CASE for the well-defined risk

It is critical to define risks precisely and unequivocally because it helps organizations better understand the potential consequences of risks and take more effective measures to mitigate or manage them.

CASE (Consequence, Asset, Source, Event) model for risk identification
The CASE for risk identification

Vague and hard-to-quantify risks are difficult to assess and may not be taken seriously, while specific and well-defined risks can be more easily understood and prioritized.

For example, suppose an organization lists "equipment failure," "cost overruns," or "risk of cyber attack" as risks. In that case, it may not be clear what assets are at risk, the potential consequences, or what measures need to be taken to prevent or mitigate the risk. This lack of clarity can make it difficult for the organization to take effective action to manage the risk.

Effective risk management requires a clear understanding of the potential consequences of these risks, as well as the likelihood of their occurrence.

One way to define and identify risks is using the CASE (Consequence, Asset, Source, Event) model.

This model requires organizations to consider four characteristics when analyzing a risk:

  1. Consequence: What is the likely impact of this risk on the organization?

  2. Asset: What assets are at risk?

  3. Source: What hazards or threat actors might lead to the risk manifesting?

  4. Event: What particular type of incident is being considered?

Organizations can create more specific and actionable risk statements using the CASE model.

For example, instead of saying "risk of cyber attack," an organization could use the CASE model to create a risk statement such as: "Failure to protect client data (Asset) from criminal hacker groups (Source) using phishing attacks (Event) could result in a fall in our share price (Consequence)."

By taking a structured approach to risk identification and definition, organizations can better understand the potential consequences of risks and take more effective measures to mitigate or manage them.

Suppose an organization uses the CASE model or a similar structured approach to define risks specifically and unequivocally. In that case, it can more easily understand the potential consequences of the risk, assess the likelihood of it occurring, and devise treatment plans to mitigate or manage the risk.

This can help the organization take a proactive approach to risk management rather than simply reacting to risks as they occur.

Defining risks precisely and unambiguously is a fundamental and often overlooked prerequisite to effective risk management because it helps organizations understand their risks and take targeted and effective action to mitigate or manage them.


We are working on embedding ChatGPT into the risk statement part of SECTARA to automate this process.

However, in the meantime, I've added a Risk Statement Generator under the RESOURCES tab on the SRMBOK website. If you follow this link, you'll find an automated way to build risk statements based on your four CASE elements.

bottom of page