Mukul Pareek, CISA, ACA, AICWA, PRM
The world is complex, and certainly more complex than can be narrated in a risk scenario. Risk managers realize that, and so do their business managers. Can scenario analysis for technology risk ever then become a believable exercise?
My recent Journal article describes a fairly lengthy process that considers building scenarios, followed by estimations of severity and frequency that can then be combined to estimate losses expressed in monetary terms. While the math is straightforward and can probably be left to a junior analyst who knows some statistics, identifying scenarios at the right level of detail is where the bulk of the work lies. That is where risk managers have to exercise judgment, draw upon their real-life experience and connect it to the realities of the organizational circumstance.
The big challenge for technology risk managers is to build scenarios that simulate reality. Scenarios are complex, and often involve multiple risk factors that may seem disconnected on a traditional risk and control analysis spreadsheet.
A question I keep getting asked is: How do you even begin to write down good, credible and comprehensive scenarios? A first suggestion that I often hear is to get a large meeting together and perform a conference room exercise with senior business executives. In my view, that is the lazy approach and is likely to provide high acceptance but low-quality scenarios. The realities of corporate life, the human interactions and the organizational baggage that accompany such an exercise mean that participants will be averse to laying down scenarios that may put their own teams and functions in a defensive spot. On top of that, many would simply play to the gallery, saying things or suggesting ideas that they believe would make them look good.
Just as a business is not a democracy for a reason, scenario identification should be performed largely by risk managers and their team. They should back up the plausibility of their scenarios with reasoned logic and real-world examples. This, of course, does not mean they should not listen to business executives; in fact, this exercise is supposed to drive interactions with the business. But they should keep the veto on which scenarios are considered for risk calculations. Of course, this requires senior management support, without which nothing of much value can happen in an organization anyway.
I would love to hear readers’ thoughts on how robust and complete scenarios could be constructed for a business. I am confident others would be equally interested to read about such experiences and ideas.
Read Mukul Pareek’s recent Journal article:
“Using Scenario Analysis for Managing Technology Risk,” ISACA Journal, volume 6, 2012