risk management and scenario planning by james joseph wasil senior it strategist ohio bwc january 9,...

Risk Management and Scenario Planning

By James Joseph WasilSenior IT Strategist

Ohio BWCJanuary 9, 2014

Why is Risk Management Poised to take on Scenario Planning?

Organizations such as ISACA and PMI are taking on governance.

Governance seeks to ensure that strategies in the organization are working toward its mission and goals.

Risk Management is becoming more and more important and strategy must be a function of risk appetite in an organization.

Why is Risk Management Poised to take on Scenario Planning?

Faith is waning in traditional strategic planning efforts that generate forecasts that are usually wrong.

The most likely weakness in most strategies is underestimating risk.

Risk Management is evolving!

The Evolution of Risk Management

OFFENSIVE -

Risk / Reward-Driven

ERM

KEY QUESTIONHow do we make better decisions about uncertainties that affect our future?

KEY ACTIVITYEstablish overarching framework for managing the organization's most significant risks

KEY OBJECTIVEEnhance the achievement of strategic objectives and board risk oversight

INTEGRAT

ED

KEY QUESTIONWhat are the key threats we face in achieving our business objectives and how should we respond

KEY ACTIVITY

DEFENSIVE – Cost / Benefit-Driven

Risk Identification, analysis with coordination from other risk management functions

KEY OBJECTIVEEstablish process for proactively managing operational threats to the business

TRADITIONAL

KEY QUESTIONWhat are the insurable and contra tual risks we face, and what are we doing to mitigate them?

KEY ACTIVITYHazard based risk identification

KEY OBJECTIVETreat risk as an expense item, managed through an insurance biuying and/ or hedging function

From “Forging a Collaborative Alliance, RIMS & IA, 2012

Risk Management is in the business of developing and sustaining an organizational capacity for foresight (Maree Conway), and

The traditional business areas need to be incorporating this type of thinking into their strategic planning.

One way to incorporate foresight is through scenario planning.

Conjoining Strategic Planning Function and Risk Management

The Context of Business is Changing

“Traditional strategic planning models are increasingly viewed as not producing strategy that can deal with complexity, uncertainty and rapid change in the external environment.”*

*Maree Conway - Swinburne University of Technology, and Thinking Futures

Complexity

Ashby’s Law:

If a system is to be stable the number of states of its control mechanism must be greater than or equal to the number of states in the system being controlled.

Complexity

Ashby’s Law Restated:

The only way to destroy variety is through variety.

Variety (Complexity) Variety (Flexibility))

Strategic Flexibility

Strategic Flexibility

is the optimum combination of

strategic robustness and

strategic responsiveness

Concept from Lindgren and Bandhold

Robustness

Robustness is defined as “the potential for success under varying future circumstances or scenarios.” More specifically,

The likelihood that the organization will not need to change in order to meet the challenge is called the “robustness of the organization.”

Concept from Lindgren and Bandhold

Responsiveness

Responsiveness is defined as the ability to

1. rapidly sense change in the environment,

2. conceptualize a response to that change, and

3. reconfigure resources to execute the response.

Definitions are from Lindgren and Bandhold

OODA Loops*

Planning:

Observation

OrientationDecision

Action

* From John Boyd

• Faster cycling trend

•Need to fly by the wire by balancing stability and instability

Agility - Rate of Change

Just as in IT, strategy research has recently focused on the need for agile strategies, able to change upon the wind of a mere scent just blowing by.

Scenario planning has been identified as a method for accommodating rapid change

Bolstering Strategic Planning

Strategic planning does consider the future since strategy involves the future, however it typically does not consider the future in a systematic way.

From Maree Conway

RISK SCENARIO

PLANNING

UNCERTAINTY

What is Uncertainty?

Uncertainty is the lack of complete certainty - that is, the existence of more than one possibility (scenario). The “true outcome / state / result / value is not known* (perhaps until some future time)

* Douglas Hubbard. Parentheses by Wasil

Uncertainty

Uncertainty is “local”, i.e., my uncertainty is different from yours.

There are more uncertain things than certain things.

All statements regarding the future are uncertain to some extent.

It is better to accept and recognize uncertainty. (this is the basis for scenario planning)

From Lindely, Understanding Uncertainty

Uncertainty

Approach to uncertainty involves setting up beliefs – a way to organize you beliefs in a reasoned way which leads to a reasoned action.

We use a normative (prescriptive) approach

From Understanding Uncertainty, Lindley

Great News! Life is Uncertain

We have free will, therefore we can decide more or less what we want to do!

When we get to certainty…then we are dead!

Types of Uncertainty

Unknowable uncertainty - the event cannot be imagined.

From Heijden

Types of Uncertainty

Risk uncertainty - Risk is a state of uncertainty where some of the possibilities involve a loss, injury, catastrophe, or other undesirable outcome

From Hubbard

The History of Risk, ER and ERMFrank H. Knight (1885-1972)American economics scholarUniversity of Chicago

Classic work on Risk (1921) set its definition based in the context of uncertainty:

If we cannot quantify outcome probabilities we have UNCERTAINTY.If we can quantify outcome probabilities then we have RISK.

Heinrich’s Dominoes

“

H.W. Heinrich was the Assistant Superintendent of Engineering and Inspection Division of the Travelers Insurance Company

Hubbard’s Definition of Risk

“The probability and magnitude of a loss, disaster, or other undesirable event.That is, “Something bad could happen”

Risk Management - “The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.

That is, “Being smart about taking chances.”

What is Risk? Risk Management?

International Standard ISO 31000 on Risk management – Principles and guidelines.

This is the latest source on risk management

What is Risk and Risk Management?

Risk is the effect of uncertainty on objectives where

an effect is a positive and/or negative deviationObjectives an have different aspects (financial,

S&H, environmental) or a combinationRisk is often referenced to potential events and

consequences or a combinationRisk is often expressed in terms of the

consequences of an event and the associated likelihood of occurrence.

From ISO 31000:2009

Risk Management is an Evolving Field

Balanced Scorecard is the prime Strategy Execution Framework among the Fortune 500

Risk Management is an Evolving FieldRobert S. Kaplan now venturing into Risk Management

Three Kinds of Risks:

Category I – Preventable Risks

Category II - Strategy Risks

Category III - External Risks

ERM Definitions from RIMS and IIA

RIMS:“Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an inter-related risk portfolio.”


ERM Definitions from RIMS and IIA

IIA:“Enterprise risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives”


Both ERM and IA Use Similar Tools

RIMS IIA

ERM is a discipline ERM is a process

ISO 31000:2009 ISO 31000:2009

IPPF, COSO, ERM Framework, OCEG “red book”

Both organizations believe that they are more effective when they work together!

Strategic planning uses Forecasts

A forecast is like a vector in that it has direction and magnitude

Scenario planning uses Scenarios

Scenarios cover, or envelope two or more axes of uncertainties

Axis of Uncertainty “Y”

Axis of Uncertainty “X”

Scenario BHigh YHigh X

Scenario AHigh YLow X

Scenario DLow YHigh X

Scenario CLow YLow X

For Two Axes of Uncertainty

Definitions of Scenarios

An internally consistent view of what the future might turn out to be - not a forecast, but one possible future outcome.

Michael Porter

Definitions of Scenarios (cont’d)

A description of a future situation and the course of events which allows one to move forward from the original situation to the future situation. Two major categories:

◦ Exploratory - starting from past and present trends and leading to a likely futures;

◦ Anticipatory or normative - built on the basis of different visions of the future to be desired or feared.

Michel Godet

Definitions of Scenarios (cont’d)

“narrative stories that follow particular paths into the future based on research, trends, and key concerns of the managers who will use them.”

- Korte and Chermack

Important Distinction on Scenarios

Scenarios are not about predicting the future, rather they are about perceiving futures in the present.

Schwarz

-Scenario Planning Methodologies

Intuitive Logics - SRI, Pierre Wack, Ralston and Wilson

Trend-impact analysis - Futures Group

Cross-impact analysis - Battelle

General Scenario Planning using Intuitive Logics Approach

Identify the central question / problem (Decision Focus)

Using executive peer groups, gain a consensus on what the key strategic decision is that the organization is facing. This will be your decision focus, and the scenario planning context.

Note that it will be an agreement on how the scenarios will be used.

(we are only interested in certain aspects of the future, not the future.)

Excerpted From Ralston and Wilson, Scenario planning Handbook

General Scenario Planning using Intuitive Logics Approach

Identify the central question / problem (Decision Focus)

As an example, say you are in the energy business. Energy looks like a mixed bag. Coal and Nuclear becoming harder while fracking, solar, and wind are starting to produce.

Your focus might be

How are we going to be able to deliver energy inexpensively and reliably over the next 30 years?

Form the focus as a explanatory paragraph.


General Scenario Approach (Schwartz)

Identify key decision factors (KDFs)

Determine what the key external factors / issues are regarding the future that we want to know more about to improve our understanding.

These KDFs are external, largely uncontrollable conditions.



Identify key decision factors (KDFs)

Example: How will fracking impact domestic energy production?

How will wind power be incorporated into the grid?

What new security threats /requirements will the grid face?

Will nuclear energy again become promising?

Etc.



Cluster the key decision factor (KDFs)

Categorize KDFs that fall into groups.

Example: Energy Costs



Research driving forces and drivers

Since there is no source that predicts the future, the team must analyze the forces that determine the KDF outcomes. These are things like trends, forces, factors, events, areas of uncertainty

This is analogous to the PESTEL analysis strategists perform, but is very rigorous.



Research and rank key factors and driving forces

Use an impact / uncertainty matrix to accomplish


Degree of Uncertainty

Low Med High Level of Impact /Importance

High

Med

Low


Develop scenario logics

Identify the key axes of uncertainty

Example: Say that we identified key axes:

Technology, Resources, Environmental Issues, Cost, Security

As potential axes. We pick the two most important axes of uncertainty.


General Scenario Approach (Schwartz)Determine Alternate Logics for Each Axis (technology and

energy costs)


Scenario BHigh

technology High costs

Scenario AHigh

technology Low costs

Scenario DLow

technology High costs

Scenario CLow

technology Low costs


Prepare narratives for each scenario, with a descriptive name. These are brief descriptions one or two paragraphs; A narrative of how each scenario might evolve


Example: High Technology High Cost otherwise known as “Responsible Technology Scenario”


As the end of the twenties arrives, the landscape is complete with wind farms occupying positions among citizens, who themselves are putting energy back into the grid with their solar energy panels, and even their electric cars. But the cost has been high. The grid is now robust, but costs to secure it have been very high in terms of purchasing multiple access right of ways, thousands of miles of underground high voltage equipment, and smart grid appliances that regulate millions of homes. Even though fusion has not become economical yet, efforts have…


Example: High Technology High Cost otherwise known as “Responsible Technology Scenario”

After the scenario planning

Strategic plans back up the scenarios

◦ Some strategies will work in all scenarios

◦ Some strategies will be risky in some scenarios

◦ Some strategies may pay off big in only one or two scenarios

Strategies based on Scenario planning are more effective and offer agility and flexibility.

ERM and “Black Swans”

Black swans are The disproportionate role of high-profile, hard-to-predict, and rare

events that are beyond the realm of normal expectations in history, science, finance, and technology.

The non-computability of the probability of the consequential rare events using scientific methods (owing to the very nature of small probabilities).

The psychological biases that make people individually and collectively blind to uncertainty and unaware of the massive role of the rare event in historical affairs.

Recommendations

Risk Management should Ensure that your organization does some form of strategic planningParticipate in Strategic Planning ExercisesLead in environmental assessments such as PESTEL and SWOTWork towards forming a Knowledge center and toward becoming a learning organization Start to engage top management into looking into scenario planning (but be careful here….)Start becoming informed on scenario planning yourself!

Risk Management is an Evolving FieldNassim Nicholas Taleb

Scenario Planning can prevent Black Swans

Black Swans are most dangerous when “end of tail” operations are likely to occur.

Risk Management can gauge if scenarios and ancillary strategies take us there!

Scenario Planning is an Evolving Field

Good scenarios are not enough

To be effective, they must involve management, top and middle, in understanding and anticipating the unfolding business environment much more intimately than would be the case in the traditional planning process.

Pierre Wack

Questions and Attempts at Answers

risk management and scenario planning by james joseph wasil senior it strategist ohio bwc january 9,...

Documents

audit risk management

function of risk appetite

strategic planning function

key threats

business objectives

key activityhazard

key activityestablish

foresight maree conway