And now for something completely different

Armageddon – the day you never thought would arrive. It is likely to evoke feelings of fear in all of us. The stress hormone cortisol rises rapidly, your heart beats faster, vision becomes blurry, hands sweat, mouth goes dry. Panic sets in. You thought this would never happen to you.

Now, imagine experiencing the same scenario, only this time after a dress rehearsal. You know the part you have to play, everyone knows theirs too and you are confident you can ad lib if necessary. In other words, you are a risk manager and you have implemented scenario planning as a key tool in your risk management toolkit.

A conventional risk analysis might involve scenarios, but this means the models have a baseline projection with variations from the norm. There is quantifiable uncertainty and from that, risk managers will be able to perform standard, conventional risk analysis, usually with three types of scenario – that is, high, medium and low risk.

Scenario planning ignores this rule of thumb and instead challenges risk managers to develop a set of flexible frameworks, adaptable to changing baselines and alternative outcomes at each turn. In this issue of The Knowledge, experts argue that this is the way forward for risk managers, as it allows planning to be incorporated flexibly. Scenario planning is about looking beyond the usual evidence base that’s used for the risk analysis and asking the ‘what if?’ questions instead.

Our latest survey of risk managers shows that in the main, more than half (57%) use scenarios to test both emerging and existing risks as a combined product, while 33% test only existing risks.

In a world where it seems like a new risk emerges hourly, it is interesting to note that only 9.5% use scenarios to test new, emerging risks as a standalone risk.

When asked how many scenario tests are conducted each year, respondents gave answers ranging from a few to hundreds or thousands. Size of firm and appetite risk could be responsible for these differences, though it is not clear from the results.

When it comes to planning ahead, more than half (55%) expect an increase in scenario analysis in the next 24 months, with the rest expecting no change.

None of the respondents will be scaling down their use of scenario planning in the next two years.

The top two risk scenarios tested by respondents (networks/systems/power outage and cyber attack/data breach) reflect the increasing dependence on IT systems and the associated risks of this dependence. However, apart from these two and property damage – ranked among the handful of risks that the majority of respondents have tested for in the past year – there is no clear consensus on the important risks facing the industry.

Only 37.5% tested for major failure of plant, suggesting two possibilities. Either this is seen as less important than IT systems breaches or failures, or not many respondents rely on manufacturing plants.

Meanwhile, given the significant increases in regional and global regulatory burdens, it seems surprising that only half of our respondents test for this type of failure.

Influences
When asked to specify the principal factors influencing their choice of which scenarios to test, 79% of respondents opted for the risk register and emerging risk maps (for this and one other question, they could choose up to three answers).

Principal risk severity, impact and probability came next with 62%, followed by requests from the board, non-executive directors and any external stakeholders

(55%). Once again, regulatory requests and compliance were lower down the rankings, with only 29% identifying this as a key area.

To a question about how lifelike these scenario tests are, 62% of respondents chose one primary event with multiple impacts. Cascading events and resulting impacts (where one event leads to another) and primarily one event and one impact were fairly close, scoring 17% and 14% respectively.

The testing of end-to-end business processes including suppliers is one of the least-used risk scenarios, according to our survey. Only 17% bother with this method, compared to the 40% of respondents who test segments of a business process, but more than one internal functional area or business line.

Almost half of our respondents use risk scenario workshops as a way of scenario planning, whereas only 10% use surveys of key stakeholders. About a third use risk scenarios integrated into business planning.

Just over a third of respondents benchmark their scenarios against some form of external loss data or industry-wide information. Is this because they don’t care, or because the information is not readily available?

According to 63%, the main benefit of using scenario planning as a risk management tool was that it created a risk-aware culture across the business.