gvandenbrink's picture

Scenario analysis? A new approach to process risk management? You may ask yourself what to expect here. Is this just marketing, pouring old wine into new bottles? I would like to give you some comfort at the start: scenario analysis is taken seriously in this document.

If the risks embedded in processes need to be assessed, the first step is to identify and assess all kinds of risks that may disturb the process. The analysis covers not only the disruptions as effects but also the internal and external causes that trigger the various disruption events. On the one hand, the number of processed items (like raw material, transactions of products) can cause capacity problems; on the other hand, there are external factors: vendors not delivering on time, virus attacks that disturb the process, external workers causing errors, or third parties that actively try to disturb a company's processes (sabotage). All of these are risk causes that should be taken seriously when assessing the risks inherent in a process.

You may already have noticed that we can easily identify a large number of influencing factors, which may even depend on each other. For complex processes, we are probably no longer able to identify the risks, and especially the dependencies among them, upfront. In such cases a risk simulation is often the only remaining way to run through various scenarios and so assess the risks and their corresponding events.

The approach seems to be simple:

  1. In a first step the process is depicted. The process cascade is shown, together with the resources (such as employees, roles, IT systems, locations and external factors). The risks and the corresponding internal controls are included, and the available capacity for each process step is added to the process model.
  2. In a second step the inner life of the process is simulated. Repeated simulation runs show the rate of successfully processed batches of items. The remainder reflects all materialized risks. If enough simulations are run, a clear picture of the risks emerges, and further analysis may discover dependencies that were not immediately visible at first glance.
  3. In a subsequent step, further processes that depend on the same resources can be simulated simultaneously. The results are then even closer to reality.
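The three steps above can be sketched as a small Monte Carlo simulation. This is an added example, not code from the author or from any simulation product; the process names, resources, probabilities, control effectiveness values and capacities are all constructed assumptions.

```python
import random

# Constructed model, not data from the article.
# resource -> (risk cause, event probability per period, control effectiveness)
RESOURCE_RISKS = {
    "core_it": ("virus attack", 0.10, 0.50),
    "vendor": ("late delivery", 0.10, 0.30),
    "temp_staff": ("processing error", 0.08, 0.50),
}
# process -> ordered steps of (step name, resource used, capacity in items per period)
PROCESSES = {
    "payments": [("capture", "temp_staff", 120), ("settle", "core_it", 110)],
    "procurement": [("order", "vendor", 80), ("book", "core_it", 90)],
}
DEMAND = {"payments": (90, 10), "procurement": (60, 10)}  # mean, std dev of items


def simulate(runs, seed=1):
    """Return (success rate per process, share of periods where all fail, cause counts)."""
    rng = random.Random(seed)
    failed = {name: 0 for name in PROCESSES}
    causes, all_failed = {}, 0
    for _ in range(runs):
        # A risk materializes when the event occurs and the internal control misses it.
        # Resources are sampled once per period, so every process sees the same outage.
        down = {res for res, (_, prob, ctrl) in RESOURCE_RISKS.items()
                if rng.random() < prob and rng.random() >= ctrl}
        broken = set()
        for name, steps in PROCESSES.items():
            items = max(0.0, rng.gauss(*DEMAND[name]))
            for step, res, capacity in steps:
                if res in down:
                    cause = RESOURCE_RISKS[res][0]
                elif items > capacity:
                    cause = "capacity exceeded"
                else:
                    continue
                causes[(name, step, cause)] = causes.get((name, step, cause), 0) + 1
                broken.add(name)
                break  # the batch stops at the first failing step
        for name in broken:
            failed[name] += 1
        all_failed += len(broken) == len(PROCESSES)
    return {n: 1 - failed[n] / runs for n in PROCESSES}, all_failed / runs, causes


if __name__ == "__main__":
    rates, joint, causes = simulate(20000)
    print(rates, joint)
    for key, count in sorted(causes.items(), key=lambda kv: -kv[1]):
        print(key, count)
```

Comparing the share of periods in which both processes fail with the product of their individual failure rates exposes the dependency created by the shared `core_it` resource, which a per-process assessment would miss.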

A successful analysis requires the following:

  • The identification of all material risks should be as complete as possible. Experienced domain experts and risk experts should therefore work in close cooperation to achieve the best possible results. An external view is often helpful for widening the horizon of the analysis.
  • The process, including all the attributes mentioned above, should be depicted.
  • Software supporting the simulation logic is of significant benefit, since it can keep us from focusing too narrowly and thereby missing relevant risks and their dependencies.

We expect to open a door if we succeed in implementing this type of analysis. The results may not only reveal the risks but also tell us about the efficiency and effectiveness of our processes. The combination of both perspectives makes such an analysis even more attractive to many companies.

For more information please visit www.grc-lounge.com.
