Hi, 

If you define your risk names as very specific ("Risk of downtime of SAP for the Finance process"), then they wouldn't work as Risk Statements ever. In that case, simpler to make Risks. This is the quick & dirty way though 🙂

If you rethink your way of describing your Risks as something more general "Downtime of ERP system" then you can use "Finance process" as your entity and then reuse it for "HR process", "Accounting process", etc Now it makes sense to use Risk Statements and get all the good stuff about Risk Aggregation and Reporting.

While the name of the Risk would have to be the same as the Risk Statement, you still have fields (OOTB) for description or Additional Information to write down more specific details related to the Entity being reviewed.