One of my fellow risk management thought leaders posted a great article on what he calls the Five Coulds, which is not unlike the 5-Whys tool used in Lean Six Sigma: a root cause drill-down technique.
I’ve been a proponent of root cause techniques for years. I used to find it quite tricky distilling the output of a risk workshop into risks and root causes, because one risk is often the root cause of, or a downstream effect of, another. When you accept the root cause methodology, it becomes easier to define risks more succinctly.
The paper Prudential Supervision of Insurance Undertakings, December 2002 (see link below), illustrates this concept in the context of insurance companies. I would like to draw your attention to Figure 3.3 on page 22 of this paper, where the authors illustrate the causal chain of risks, root causes and downstream effects for insurance companies. I highly recommend this sort of approach when organizing your risks. Annex A on page 77 includes very useful definitions of the risks displayed in Figure 3.3, so use the two pages in tandem.
In summary, the root causes of all risks are external causes (political, social, legal, economic, market) or internal causes (management and governance). When you think about it, this makes a lot of sense.
If you have poor management and governance, you are likely to have weak processes, which will cause poor decisions to be made, leading to financial outcomes which ultimately harm your shareholders. Have a look at page 22 and it will all make sense.