GRC Tuesdays: The Use of Risk Scenario Analysis
From the discussions I have, risk scenario analysis is unfortunately often considered to be a complex technical method involving many mathematical computations. This reputation is probably due to its use by financial institutions for capital allocation purposes.
Scenario analysis has been around for a long time, albeit sometimes not in a formalised manner, and to me it’s a great tool that not only supports the decision making process, but also can help different teams such as internal audit and compliance optimize their efforts.
First of all, let’s agree on what I mean by “scenario” in this post. A scenario here is taken in the sense of a succession of (risk) events leading to a wider impact scope than their individual occurrence.
An example of a scenario would be the simulation of the outcome of damaged infrastructure in an asset-intensive company. Should this event occur, it could in turn trigger associated risks such as inadequate employee safety leading to physical injuries, unplanned service interruptions leading to disruption in the supply chain, and so on.
Such a scenario would therefore enable the understating of what would be the impacts should maintenance or regular verifications not be carried out adequately on the infrastructure.
There are many intents that are pursued when creating a scenario, and amongst them can be:
- Understanding the chain of events and identifying root causes
- A risk owner might not be aware of the reach of her/his risk. Breaking silos to give an enterprise view of a risk is one of the intent of scenario analysis. Furthermore, scenarios help in uncovering the root causes of a risk. An isolated event like an increase in a river’s flow could lead to the flooding of the production facility located on the shore – hence, a disruption in the supply chain.
- Adopting an effective mitigation strategy
- Once the root causes and underlying risks are identified, then an appropriate response strategy can be defined and the causes specifically addressed either to reduce their likelihood of occurrence (in our first example, carrying regular maintenance on the asset to prevent issues) or reduce their potential impact (in our second example, planning a business continuity on a secondary production site).
- This can also help in deciding what type of insurance and associated coverage level could be purchased. Of course, these scenarios are subjective – as for any risk assessment exercise – and the total expected loss shouldn’t be the only guide to determine your required insurance level, but it can be a very useful criteria. For insurance more specifically, being able to get the full potential risk exposure can help ensure that the company is not overcovering (or undercovering) its risks, hence only purchasing the right level of coverage and therefore optimizing its insurance policies. Monte Carlo simulation that generates best and worst case scenarios is a perfect tool for this purpose as it provides the relevant data points for decision making.
- Supporting audit and compliance efforts optimization
- Risk-based auditing is more and more widely applied. With the help of scenarios, audit teams can focus their efforts in ensuring that the underlying risks are mitigated, and not just focus on the most visible tip of the iceberg.
- Similarly for compliance, preventative controls are a fantastic monitoring tool. Applied to the root causes, they can help notify relevant stakeholders in a timely manner.
Finally, I’d like to leave you with two thoughts: I don’t believe that scenarios should only address the “low probability – high impact” risks. Risk scenario analysis should be conducted on all risks that have a significant impact on your objectives. Also, these scenarios evolve in time with the changing context of the risks. To me, they should therefore not be “run once and forgotten until next year,” but should be regularly updated as they might reveal unforeseen root causes.
What about you? Do you use – or plan to use – risk scenarios in your companies? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Originally published on the SAP Analytics Blog