Part 2 in the Controls and Risk Management series
Risk scenario analysis is often considered to be a complex technical method involving many mathematical computations. This unfortunate reputation is probably related to its use by financial institutions for capital allocation.
First of all, let’s agree on what I mean by scenario in this context: a succession of (risk) events that lead to a wider impact in scope than their individual occurrences.
An example of a scenario would be the simulation of the outcome of damaged infrastructure in an asset-intensive company. Should this event occur, it could trigger associated risks such as inadequate employee safety leading to physical injuries, unplanned service interruptions leading to disruption in the supply chain, and so on.
Such a scenario makes it possible to understand the potential impacts if maintenance or regular verifications were not carried out adequately on the infrastructure.
Many intentions can be pursued when creating a scenario, such as:
- Understanding the chain of events and identifying root causes
  - A risk owner might not be aware of the reach of the risk. Breaking silos to give an enterprise view of a risk is one intention of scenario analysis. Furthermore, scenarios help uncover the root causes of a risk. An isolated event, like an increase in a river’s flow, could lead to flooding of a production facility located on its shore – and hence, a disruption in the supply chain.
- Adopting an effective mitigation strategy
  - Once the root causes and underlying risks are identified, an appropriate response strategy can be defined and the causes specifically addressed, either to reduce their likelihood of occurrence (in our first example, doing regular maintenance on the asset to prevent issues) or to reduce their potential impact (in our second example, planning business continuity at a secondary production site).
  - This can also help in deciding what type of insurance and associated coverage level could be purchased. Of course, these scenarios are subjective – as they are for any risk assessment exercise – and the total expected loss shouldn’t be the only guide to determine your insurance requirements, but it can be a very useful criterion. For insurance more specifically, understanding the full potential risk exposure can help ensure that the company is not overcovering (or undercovering) its risks, but rather purchasing the right level of coverage and therefore optimizing its insurance policies. A Monte Carlo simulation that generates best- and worst-case scenarios is a perfect tool for this purpose, as it provides the relevant data points for decision-making.
- Optimizing audit and compliance efforts
  - Risk-based auditing is more and more widely applied. With the help of scenarios, audit teams can focus their efforts on ensuring that the underlying risks are mitigated and not just focus on the most visible tip of the iceberg.
  - Similarly, for compliance, preventative controls are a fantastic monitoring tool. Applied to the root causes, they can help notify relevant stakeholders in a timely manner.
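To make the Monte Carlo point above concrete, here is an added example (not part of the original article) that simulates the damaged-infrastructure scenario as a chain of events and compares the loss distribution with and without regular maintenance. Every probability and loss range in it is a constructed assumption chosen for illustration.

```python
import random

# Constructed assumptions (illustrative only, not figures from the article).
P_DAMAGE = {"regular_maintenance": 0.02, "no_maintenance": 0.10}  # per year
P_INJURY_GIVEN_DAMAGE = 0.30   # damage leads to physical injuries
P_OUTAGE_GIVEN_DAMAGE = 0.80   # damage leads to unplanned service interruption
OUTAGE_COST_PER_DAY = 40_000


def simulate_year(rng, p_damage):
    """One simulated year of the chain: root-cause event, then associated risks."""
    if rng.random() >= p_damage:
        return 0.0                                      # no damage, no chain
    loss = rng.triangular(50_000, 500_000, 150_000)     # repair (low, high, mode)
    if rng.random() < P_INJURY_GIVEN_DAMAGE:
        loss += rng.triangular(20_000, 2_000_000, 100_000)
    if rng.random() < P_OUTAGE_GIVEN_DAMAGE:
        loss += rng.randint(1, 30) * OUTAGE_COST_PER_DAY  # supply-chain disruption
    return loss


def run_scenario(strategy, trials=100_000, seed=2020):
    """Return expected loss and percentiles of annual loss for one strategy."""
    rng = random.Random(seed)                           # seeded for repeatability
    losses = sorted(simulate_year(rng, P_DAMAGE[strategy]) for _ in range(trials))

    def pct(q):
        return losses[min(trials - 1, int(q * trials))]

    return {
        "expected_loss": sum(losses) / trials,
        "p50": pct(0.50),      # typical year
        "p95": pct(0.95),      # bad year
        "p99": pct(0.99),      # candidate reference point for coverage level
        "worst": losses[-1],
    }


if __name__ == "__main__":
    for strategy in P_DAMAGE:
        result = run_scenario(strategy)
        print(strategy, {k: round(v) for k, v in result.items()})
```

The median year shows no loss under either strategy, so the expected loss and the upper percentiles carry the information: the former shows what maintenance buys in likelihood reduction, the latter show the exposure that coverage would have to absorb.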
Finally, I’d like to leave you with two thoughts.
First, I don’t believe that scenarios should address only “low probability/high impact” risks. Risk scenario analysis should be conducted on all risks that have a significant impact on your objectives.
Second, these scenarios evolve over time with the changing context of the risks. They should, therefore, not be “run once and forgotten until next year,” but should be regularly updated, as they might reveal unforeseen root causes.
What about you? Do you use – or plan to use – risk scenarios in your company? I look forward to reading your thoughts and comments either here or on Twitter @TFrenehard.
Please join us at the SAP Conference on Internal Controls, Compliance, and Risk Management in Copenhagen March 3–4, 2020, which will explore the theme “Connected Controls and Risks.”
This article originally appeared on SAP Community and is republished by permission.