Guest Post by Greg Caroll (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
ISO 31000:2018 stresses the need for risk management to be integrated into operational functionality and decision making, but little has be written on how to actually achieve this. Scenario Analysis is not a modern technology but how you can provide operational management with risk based decision marking collateral.
In my previous article I proffered the Top 10 Disruptive Technologies that will change Risk Management as we know it in the 2020s being:
10. Scenario Analysis– to provide operational management with decision marking collateral
9. Big Data– to identify trends and evolving risk
8. Neural Networking– to identify and map real world interrelationships
7. Predictive Analytics– to set up threat management & preventive action programs
6. Virtual & Augmented Reality– to gain a quantum leap in staff training and awareness
5. IoT – Intelligent Things– to monitor changes in environmental factors in real-time
4. Deep Machine Learning– to monitor customer and staff sentiment, etc
3. Automated Processes– robots to replace laborious risk assessments & reviews
2. Blockchain Distributed Trust Systems– to obsolete Cybersecurity & Supply Chain risk
1. The biggest single change will be ….
Over the next few weeks I will elaborate on each of these 10 technologies that are available now and organizations should be actively pursuing if they want to make Risk Management a value-adding component to their corporate strategies.
This week I will start with No. 10 – Using Scenario Analysis for Risk based Decision Making.
What is Scenario Analysis?
Scenario analysis is about using quantitative and qualitative information to construct multiple or alternative pathways that can lead to a risk event.
A risk event is a situation that causes the outcome of on an objective to be lost or compromised. If you accept that any situation or outcome is the result a number of contributing factors that influence the course of events, then by identifying the turning points and possible directions events can take, you can develop a number of potential scenarios that may occur. Working backwards you can identify the steps that can cause this loss of control and then the risk drivers and influences on these steps.
The risk event initially identified is just one possible outcome. Using scenario analysis you can then identify not only alternative outcomes but what exacerbates or can mitigate the outcome. This is invaluable collateral for operational decision makers who have the ability to directly affect events.
By ranking the probability of each of these scenarios and identifying their sensitivity to each of the influencing factors, not only can you develop an early warning system, but can also use it to identify the fastest or efficient path to an objective by acting on those influences.
Scenario analysis techniques are for constructing multiple scenarios or alternative views of the future. Let me try to explain this concept.
How to set up Scenario Analysis?
Scenario analysis consists of the three basic stages:
- Problem analysis to come up with an exact definition for the problem of the investigation
- System analysis to identify relevant external influences on the problem to be investigated
- Synthesis to examine the existing interdependencies between the influencing factors and to establish alternative scenarios
Problem analysis is where a group experts and stakeholders gain a common understanding of the problem and form a consensus on how the problem can be further bounded and structured.
System analysis expresses the problem as a system of interrelated dynamic components (subsystems), linked to its external environment. From every component, a number of influencing factors relevant to the problem are then identified.
The synthesis process establishes a logical and systematic way of looking at the range of possible configurations and choosing a set that include all plausible futures.
I recommend you research more on how to implement each of these stages in more detail or refer to my 2013 book “Mastering 21st Century Enterprise Risk Management’.
Spotting Trends That Trigger Alarm Bells
Risk is not a discrete value because uncertainty cannot be discrete. Unfortunately risk is commonly incorrectly portrayed as a discrete value in a “Risk Matrix” or “Heat Map”. Rather, it is a range of possibilities best represented as a Normal Distribution (or similar) curve (yes maybe with a long tail).
However, more important than its current position on the curve is its direction. Either improving or worsening.
Once a “Risk Matrix” or “Heat Map” is showing RED the damage is done, and you are already coughing up blood. To be able to identify direction a risk is developing, we need to know the influences and drivers of each risk and how their movement affects the risk.
We must avoid being like the man who fell from a 10 story building who was heard to say, as he passed a 3rd floor window, “so far so good”…
Scenario based Risk Management
In Scenario Based Risk Management, instead of like traditional risk registers based on a risk outcomes, you prepare a number of scenario analyses for each corporately significant risk event, producing best case, most likely, and worst case scenarios.
Better still also include ‘getting better’ and ‘getting worse’ scenarios. Against each scenario develop mitigation strategies, not as prescriptive actions but as collateral for operational management to use in their decision making.
Developing Scenario based Risk Management is how you implement risk based decision making. It provides a true proactive framework for risk identification, evaluation, assessment, monitoring and review of risk, proven in Defence and Aviation.
Scenario based Risk Management is the underpinning infrastructure that delivers the benefits of the other disruptive technologies, such as Big Data, Intelligent Things, and Machine Learning, in useable form to operational management.
Next week I will look at No. 9 – Using Big Data to identify trends and evolving risks.
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
His book “Mastering 21st Century Risk Management” is available from the www.fasttrack365.com website.