Risk Identification is one of the most important steps in risk management. Obviously, only identified risks can be managed. But to be able to manage a risk properly, it is necessary to unambiguously describe the risk.
Is the phrase “Late delivery by subcontractor X” an unambiguous risk statement? I do not think so. It is quite good as a starting point for risk identification, but it is far from being a complete description of a risk. The first thing to notice is the use of the qualitative statement ‘late’. How ‘late’ is ‘late’? Certainly, it will make a difference whether the delivery is delayed by one day or by six weeks. Not only will the impact of the risk depend on the actual (expected) delay but also the probability – and consequently the rating of the risk’s severity. The next obvious problem with this statement is that it is impossible to discern whether it addresses a problem (i.e. a fact) or a possible event (i.e. a risk). Is it already sure that the subcontractor will deliver late, and some risk will derive from it? Or is it only a possibility? One cannot tell.
To derive a high quality risk statement a common approach is to employ a (formal) meta-language. In its simplest form a risk could be defined as follows:
<risk> := “It might happen that” <event|condition> “which will lead to” <impact>
Our example could then be reformulated to
“It might happen that subcontractor X will deliver three weeks late which will lead to a delay in implementation of two weeks.”
Now it is much clearer what the actual risk is. More detail can (and should be) added to the risk meta-language to sharpen the common understanding of the risk in the project. Remember: Only well-understood risks can be properly managed.