Talk to us today about how we can help design a Business Risk Scenario Model for your organisation.
Business Risk Scenario Models
What are they?
Business Risk Scenario Model (BRSM) results include a one-page summary of:
- The key things we think could go amiss
- What we will measure to see if they are going wrong
- Our current assessment of how wrong they are
- Which things we care about most and are any of those worse than we can cope with
- What do we think we need to do about the things that are pear-shaped
Why do it?
Behavioural science and human experience tell us that to make the best decisions in high pressured, time-constrained environments we need data models that effectively provide the information needed to make those informed and reasoned trade-offs between all the valid options available. A well-designed BRSM is waiting to help make those pragmatic risk-based decisions in a timely, well-governed, realistic and traceable way.
Is a BRSM part of the business planning process?
Business risk scenario modelling and analysis is not strategic planning – however, it is often part of the process. It is not business continuity management – however, it is often part of the process. It is a structured yet judgement-based process to get the best and brightest in your business aligned on a small number of potentially viable future realities to which you need to be able to respond.
In a Covid-19 world, the need to have a business risk scenario view of your key concerns and options is more crucial than ever.
Business Risk Scenario Process
How does it build upon existing risk management processes?
For several businesses, the challenge is to gather meaningful insight from the risk information. They need trust in the data’s insights to assist in better decision making. Currently, the focus is on Covid-19, but there is always something to deal with, a range of disruptive scenarios – even in ‘normal’ times. The sheer scale of Covid-19 disruption and uncertainty has meant that many traditional reference models, risk registers, control plans, and the like have become unhelpful. Traditional risk tools are not fit-for-purpose when organisations have to make quick decisions on the best possible data available. Instead, without good business scenario models, they rely more on individual judgement and first principles.
It’s clear, the best time to prepare for this challenge is before you are in the middle of it… but for many of us, we need to manage this situation in the best possible way – in a pragmatic, robust and action-oriented manner. We need something different, and fast.
At Insync we have worked together over more than ten years, to help solve some of the most challenging risk problems, as well as embed senior risk oversight capability that measures the things that matter most.
By incorporating variations of the ‘Business Risk Scenario Model’ (BRSM) our risk team have helped:
- Mining, manufacturing, banking, investment, construction, energy, consulting and member-based organisations make better investment and business decisions
- Program leaders and Executive Steering Committees/Boards gain more confidence about the true state of medium and large projects that have complex or multi-faceted risks – which cannot be meaningfully considered or responded to outside a set of well designed and constructed business scenarios that support actionable insights as things evolve
- Highly regulated clients achieve a meaningful balance between the competing demands of business objectives, regulatory compliance obligations, financial and operating risks, and business capability.
But where do you start?
The approach purpose is to get a clear, consistent and forward-focused view on the things crucial to your success. At the moment there might be key resources – cash, capital, raw materials and supply chains. They also include relationships – staff, customer, shareholder and regulator. You need simple but robust metrics on these items, and an assessment of how much pain you are prepared to endure in the pursuits of your mission, plan or, for many, survival.
Key elements of the BRSM
The five steps to creating and using the BRSM
The following are the 5 steps – a subset of the nine aspects called out above.
Step 1 – Define the scenarios
As part of the BRSM design, each scenario is described and linked to underlying strategic objectives, imperatives, critical uncertainties, scenario factors and possible realities to ensure scenarios are meaningful representations of viable future realities and truly are the things that matter most to the organisation. This step requires those with the most knowledge of the context to consider the following:
- What are the critical success factors and how could they be derailed?
- What has gone wrong in the past? (Internal or external examples)
- Recognise the impact of a failure to ‘imagine failure’
- What is unique about this and how does that create unique risks to watch for?
- What is our assessment of the capability of all parties involved and what scenarios does that create?
- What is the external environment like, and does that create significant risk?
Step 2 – Define the scenario metrics
This is the second most important step in developing the template.
Business teams are required to identify the most appropriate
metrics to measure and monitor to provide the insight required
about the progress (or otherwise) of each scenario.
Often, this step identifies the need to source new data or recognise
the limited value of current sources. Remembering that all
measurement comes at a cost so reusing existing measures is ideal.
The objective is to develop rolled up metrics that cover each of the
scenarios and provide the insight to assess the extent to which the
underlying scenarios are actually occurring.
A separate worksheet is developed to capture further detail about
each of the measures included in the BRSM. This includes data
source, ownership, frequency, validation etc. The BRSM should
be set up to receive this information automatically where possible.
Step 3 – Establishing the Trigger Ratings
This is the final step involved in developing the scenario model. The purpose is to determine what tolerances are acceptable for each scenario. If cost is so important, for example, that it cannot be compromised at all, then the trigger rating for that scenario would be ‘1’. If we are OK with some level of scenario deviation then we might have a trigger of say ‘5’ which allows more things to go ‘pear-shaped’ before escalation and decision/action is required.
These ratings form the baseline against which current status is compared. Where the
current status is higher than what the template developers have considered to be
acceptable, then the escalated ‘Action’ flag is set to “Y’ (Yes) and an escalated action
described for the oversight role/team (board/executive/Steering Committee/Sponsor
/Risk owner etc.), to review.
Trigger ratings can change over time, but only for good reason. This could be that there
has been a change in business strategy or priority. For example, implementation timing
could become more important than cost, and the trigger ratings would be adjusted to
reflect that in what gets escalated and what does not. Wherever possible the trigger ratings
should accord with the organisation’s risk appetite statement – and potentially challenge
it where they do not.
Step 4 – Measuring the Current Status
At this point we have completed the development of the BRSM and are moving to using it on a frequent basis.
Each reporting cycle this part of the template is updated which may be short in times of crisis. The model owner is responsible for ensuring that the status of each metric is captured, having regard to all of the scenarios and how the team feel those scenarios are evolving.
Step 5 – Assessing the Rating and any Decisions/Actions Required
The key test is to determine whether the current status justifies a rating that is higher than the Trigger Rating. Where that is the case, the assessment is that an escalation is required.
Where several Trigger Ratings are exceeded the project manager/director will need to determine the timing of any escalation to the Project Steering Committee, Sponsor, or Risk Owner. If the sum of the current ratings exceeds the sum of the threshold ratings, that can be agreed to be a point at which immediate, out of reporting cycle escalation is required.
The nature of the escalation may vary. However, the purpose of the scenario model is not to determine what the escalations may be, but rather to provide a robust mechanism to track the things that matter most and call them out when they appear to be going ‘off-track’ (or ‘pear-shaped’).
This risk governance process may or may not result in adjustments to the scenario model, however the outcome of the escalated actions should be captured (in meeting minutes or similar) to support any regulatory or contractual obligations to demonstrate the effective management of material risk.
The bottom row of the template captures the summary data which drives the priority of the escalation required (if any).
A working Business Risk Scenario Model
The elements described above come together to look like the illustrative example, for the fictitious XL Company dealing with Covid-19 scenarios, presented below. This assumes XL Company is a medium sized professional services company which normally sells its products and services to hundreds of medium and large sized clients who themselves are directly or indirectly impacted by the Coronavirus pandemic.
(Yes, this is not readable but if you want the detail you can extract it)
The content in scenario one is resized below for reference.
Every business is different and the critical success factor for any business facing disruption, or any project facing delivery risk, is the right selection, definition and design of the scenarios which matter most to the organisation’s ongoing survival and success.
Scenario design does not just look at:
- Strategic objectives of the organisation
- Strategic imperatives underpinning those objectives (including trade-offs reflected in risk appetite limits, thresholds and/or tolerances)
- Critical uncertainties to the achievement of objectives (which should also be reflected in material risk profiles/risk registers and/or models)
- Scenario factors (internal/external realities that shape what can go wrong/what needs to go right)
- Possible realities (robust thinking which addresses cognitive bias and logic/reasoning processes)
It also considers the lived experience of the organisation (e.g. through loss/near miss histories) and the skills/experiences of its staff and advisors. Relevant external datasets are also critical to ensure the best thinking is applied.
Summary of key BRSM benefits
In summation, the key benefits of a well designed and properly used BRSM are:
- Consistent understanding of what is most important, and the data that supports this (and whether you have it or not)
- Allows the business to focus on what is most important and avoid biases towards data that may be less relevant or less reliable
- Clear setting of agreed tolerances – when the temperature is rising you have a clear signal that something must be done
- Drives action, not discussion – the purpose here is to understand what we need to change and when
We have used, developed and refined this model for more than ten years in a range of situations and have consistently found that this approach helps people make better informed risk decisions and avoid ‘surprises’. If this helps your thinking, great.
Chief Executive Officer
As a qualified lawyer and passionate technologist, Sean loves to work with clients to help them understand, articulate and reimagine their most important business challenges. He has focused on risk management and decision quality over the last few years and in this 4IR spends as much time helping clients think about emerging risk and opportunity, as about how they best design their risk management, compliance and assurance capabilities to meet existing expectations.