How effective is scenario analysis in reality? Respected figures from the Asia-Pacific risk community tell us how they put the theory to practical use.

This article first appeared in StrategicRISK The Knowledge published in association with Zurich Click here to read the full report


Jeff Yeo


How can scenario analysis be used to enhance risk management?
This is about identifying potential issues affecting the operations of business units and, through risk management, designing practical and realistic mitigating measures to handle them – an anticipative and proactive approach to pre-empt what might and could happen.

The first thing that comes to mind when I think about scenario analysis is ‘prediction’, but prediction with limited information on hand. It is about accepting and embracing uncertainty with limited certainty of information.

The identification of such scenarios could be done through meetings or workshops with key stakeholders and domain owners. These will then be presented to senior management for approval.

The testing of such scenarios is akin to business continuity planning. Ideally, the identified risks should be tested at least once a year and the assessment be reviewed from time to time, depending on the nature of the industry and the overall fluidity of the business environments.

The first thing that comes to mind when I think about scenario analysis is ‘prediction’, but prediction with limited information on hand.”

What are the key benefits of using scenario analysis?
Scenario analysis itself is a management tool to enhance decision-making and strengthen risk management. It is a systematic process of obtaining insights and inputs from domain experts and risk managers to derive reasonable assessments of the likelihood and impact of possible scenarios that could occur on business operations. A proper and robust scenario analysis boils down to asking the right questions and preparing for the unexpected.

What are the key challenges risk managers face in developing scenarios?
One challenge is the identification of risks that are relevant to the business. Scenario analysis helps to narrow and set the essential boundaries to segregate what is relevant against what is not.

There are two ways of identifying risk scenarios: (a) from the perspectives of the business’s objectives (specific) and (b) generic identification of what can go wrong (general). Both approaches are complementary and must be used simultaneously.

The generic approach is an easier place to start and creates a basket of possible scenarios. From the angle of business objectives, the identified scenarios can then be narrowed down to those that are relevant and more importantly, realistic. As a rule of thumb, ask:

  • What are the objectives of the scenario identification and analysis exercise?
  • What is the strategy or decision that my scenario analysis is going to influence?
  • Why has this scenario been chosen?
  • Who will be the stakeholders I need to work with as a risk manager?

The components of a risk scenario are:

  1. Event (operation failure, regulatory changes, climate changes, pandemic outbreak, etc)
  2. Threat (staff oversights, terrorism, etc)
  3. Stakeholders (department heads, process owners, external vendors, etc)
  4. Asset/resource affected (processes, infrastructure, staff, etc)
  5. Time factor (possible duration of downtime, etc)

With the identification done, the next step will be to determine the frequency of these scenarios occurring and the estimates of the business impacts in the event that these scenarios become a reality.

How should risk managers communicate and use the results of each scenario?
As risk managers, we all know and appreciate the importance of cascading risk management initiatives and creating a risk-awareness culture within our community; likewise for the outcomes of scenario testing.  The stakeholders who participated in the process may be aware, but the next in line are the operations managers. Staff who are actively involved in executing the day-to-day business operations also need to be brought up to speed.

Communication channels differ among organisations and companies. Nonetheless, those who may not be directly involved in the scenario planning and identification processes also need to be aware that such an exercise did happen as part of creating  risk awareness within the business entity.

In addition, for those who have actively participated in the processes, they would also need to have the skillsets and knowledge of performing assessment treatment and ultimately monitoring the likelihood of such scenarios.

Finally, but importantly, senior management awareness and assurance need to be communicated at meetings – the assurance being that such scenarios are being monitored and mitigating measures are available. Risk managers will need to work closely with relevant stakeholders in the monitoring and review of such cases
and to the senior management, in their strategic planning capacities, all of these scenarios will play a part in the game plan.



How can scenario analysis be used to enhance risk management?
Scenario analysis helps progress risk management beyond theoretical and subjective assessments (which can attract some criticism from some stakeholders) by assessing risks in a practical, real-world context.

It is particularly useful for assessing risks that are perceived as technical, for example cyber risks, to ensure they are clearly understood and get the attention they deserve from senior management and the board.

Both desktop and simulation exercises are useful depending on type of risk. For example, simulations are effective for crisis and business interruption risks, whilst workshop formats work better for financial risks.

Strategic and operational risks and any other risks that are subject to rapid change should be refreshed as frequently as possible.

What are the key benefits of using scenario analysis in risk management?
Scenario analysis makes the risk assessment process more tangible and less theoretical and importantly, it allows mitigations to be stress-tested. It can be a very powerful way of conveying the significance of key business risks and any deficiencies in their mitigation to get stakeholder buy-in, improved traction and budget commitment.

What are some of the key challenges risk managers will face in developing effective scenarios and how can they address these
A key challenge is determining the right scenarios to use. A small number of carefully selected pertinent and relatable scenarios will help to ensure the exercise is high impact. It is best to select various scenarios from foreseeable scenarios to worst case and black swan events, whilst avoiding highly improbable “meteor strike” scenarios. I would always include a black swan event scenario, but of course the challenge is that they are difficult to come up with by their very nature.

How should risk managers communicate and use the results of each scenario?
Directors place a very high value on real-world scenarios that provide context for risks to assist their understanding and it’s no different at senior management level. The senior leadership team should receive all results in detail to enable effective action to be taken, while directors should receive the analysis in summary form together with an action plan signed off by senior management.



How can scenario analysis be used to enhance risk management?
Incorporating a well-executed scenario analysis package into an organisation’s overarching enterprise risk management program turns the all-too-common and often mundane risk profiling and reporting process into a more dynamic risk management approach.

It moves an organisation away from simply looking at bubbles on a two-dimensional heat map to being confronted by and understanding the potential impact (both positive and negative) of a risk event.

Ideally, scenario analysis should be incorporated during both the standardised risk profiling cadence (performed with key executives) and when significant change activity occurs. Often the simplest and most effective way to deploy a scenario analysis program is to ask the board or executive situational questions: “We’re approaching the end of our three-year strategy and we’ve not delivered on our goals. Why?” This helps target realistic problems or opportunities to tackle in detail and provides some level of boundary to an approach that can quite easily become broad and adventurous.

What are the key challenges risk managers face in developing scenarios and how can they address these?
Often the problem with scenario analysis is that the scenarios become too broad and stretch beyond what management would deem to be a realistic or plausible event, i.e the likelihood of the scenario is considered to be extremely rare.

Risk managers need to balance not only the likelihood and consequence of scenarios but also consider the third element of speed (or velocity) with which a scenario can impact an organisation.

Again, asking situational questions and co-developing a scenario with executives during these sessions will lead to the natural development of plausible scenarios.

Utilising case studies, topical events or emerging trends that have impacted other organisations in your region or market are also beneficial to trigger discussion – again, it adds that element of ‘realism’ that turns the discussion into something that could realistically impact strategy.

How should risk managers communicate and use the results of  each scenario?
The results of scenario analysis need to be measured against an organisation’s risk appetite statement – if the impact of the scenario is material enough to deviate from what is acceptable, focus needs to be placed on potential treatment plans.

Where scenario analysis programs are embedded effectively, the results should seamlessly integrate into the overarching critical risk profile for the organisation.



How can scenario analysis be used to enhance risk management?
If I focus on cyber security, the vast majority  of incidents involve human error, and one of the most common methods of falling victim to a cyber attack is still through clicking on a malicious link in an email. Businesses can help train their staff on what to look out for and avoid by  running regular scenario tests (or phishing email simulations) that deliver immediate training to any staff who click on the link in the test email.

What are the key benefits of using scenario analysis in risk management?
The benefits of phishing email simulations are largely twofold. You provide any staff who click on the link with immediate training, thus reducing the risk that they will click on a ‘real’ malicious link, as well as gather data on the behaviour of your staff that can help you to understand where else you may need to focus your training efforts. If you run an invoice-themed simulation and 30% of your payments or procurement team click the link, then you know you need to focus on those areas. If only 5% click on the link, perhaps you can move on to other parts of your business.

What are the key challenges risk managers face in developing scenarios?
There are many vendors offering easy-to-use programs these days so setting up the scenarios is less of a problem, but depending on what programs you use, much of the data analysis can still be very manual, so it can take a lot of man-hours to get the insights you are looking for. I recommend closely considering this when choosing who to partner with for simulation testing.

How should risk managers communicate and use the results of  each scenario?
Phishing email scenarios provide data that everyone understands, so I recommend spreading the word far and wide. Cyber security is still a topic that many hide away from, so risk managers should use these kinds of insights as much as possible to push for a more secure business.