March 17, 2026

Risky business? A practical guide to scenario planning for CROs

Claire Feeney & Marco Dyer

Enterprise risks have gone global. While internal challenges remain, the increasing volatility of geopolitical, financial, and climate change conditions has created new risks that put chief risk officers (CROs) under increasing pressure to anticipate, identify, and limit potential issues. The MIT Sloan Management Review defines these risks as “radical uncertainty” — factors and events that don’t play by the rules of conventional risk.

Consider the push toward carbon-neutral operations. Companies are now at risk of losing customers if they can’t define and deploy a solid set of environmental policies, while those that differentiate themselves with ESG initiatives can charge almost 10% more for their goods than competitors. But what policies offer the best returns on investment (ROI)? What potential problems can they solve? Create? Exacerbate?

In our modern guide to scenario planning, we’ll explore the history and evolution of this approach, address some common pitfalls, and provide a step-by-step plan for success.

What is scenario planning, and why is it crucial?

Scenario planning is a part of a larger risk management strategy that offers a way to envision future conditions and develop resilient strategies. While CROs recognize the benefits of scenario planning, they may not have the consistent processes, accurate data, and technology tools necessary to create a reliable risk framework.

Scenario planning attempts to account for as many risks as possible, not just those that are most likely. It is an umbrella term used to describe the work a company does to model the potential impact and likelihood of given events.

The idea behind scenario planning is simple: More knowledge about possible outcomes means companies are better prepared.

The history of scenario planning

Scenario planning got its start in the 1950s with Herman Kahn of the RAND Corporation. Kahn was focused on using scenarios to inform Cold War strategies: Which combination of troop and vehicle movements would yield the best outcome in military engagements?

Kahn scenarios were known for their storytelling qualities — they didn’t just speak about the future; instead, predictions were communicated as if the future had occurred. By starting with the end state, Kahn could backtrack to the present, identifying conditions along the way that contributed to the desired (or unwanted) outcome.

Scenario planning then moved into government operations. For example, in the early 1990s, the South African government used scenario planning to explore what the country might look like after apartheid.

Today, scenario planning is a common component of corporate operations, helping CROs better predict and prepare for possible outcomes.

The use of scenario planning in managing enterprise risk

CROs are often tasked with the impossible: predicting the future. CEOs, CFOs, CISOs, and other board members want definitive answers on actions and outcomes, but the vast number of variables makes this more magic than science. Scenario planning enables envisioning multiple future conditions and developing resilient strategies to reduce their impact.

In other words, the scenario planning process isn’t about forecasting the most likely future events. Instead, it uses multiple data sets, along with internal assumptions and external factors, to identify a range of possible outcomes and reduce operational risk.

Scenario planning is inherently agnostic. The nature of actions and the impact of risk are irrelevant — plans can be created for any scenario in any industry.

Two types of scenario planning common for enterprise risk management

1. Deductive

Deductive scenario development identifies potential outcomes and works backward to pinpoint key events. For example, a finance company might identify personal loan fraud as a possible scenario. In this outcome, the company loses both the initial loan amount and any interest paid.

Using deductive analysis, CROs and teams find factors that could contribute to this outcome, such as failing to vet clients using know your customer (KYC) processes or failing to secure sufficient collateral before issuing the loan.

By starting at the end, teams can identify the milestones that enabled this outcome and take steps to avoid them.

2. Inductive

Inductive scenario planning is the opposite. Teams start with known facts and conditions and map out possible outcomes. Consider a healthcare organization looking to improve HIPAA compliance. If an analysis of current security posture shows that staff only need a login ID and password to access critical data, CROs can extrapolate potential outcomes if accounts are compromised, such as stolen, ransomed, or destroyed data.

This extrapolation leads to a set of solutions to help avoid this scenario, such as multifactor authentication (MFA) and enhanced data encryption.

The evolution of post-COVID scenario planning

COVID-19 was an unlikely risk. Few, if any, companies had a global pandemic on their list of possible 2020 outcomes. Even as case numbers rose, experience with similar illnesses over the past decades suggested a flash in the pan and little else.

As a result, the widespread nature of COVID caught many companies off guard. Single-source supply chains were suddenly untenable, and businesses had to pivot overnight to accommodate and empower remote working.

The post-COVID result was (unsurprisingly) a renewed focus on scenario and strategic planning. With an incredibly unlikely circumstance coming to pass and massively disrupting operations, enterprises recognized the need to be prepared for anything.

This led to operational changes, including:

  • Placing scenario planning higher on enterprise priority lists. This change in prioritization is evidenced in part by the increased demand for CROs — and the resulting shortfall, according to IRM.
  • Ensuring operational agility. Consider supply chains. Pre-COVID, disruptions in materials sourcing or logistics were typically telegraphed by other factors such as worker strikes or government unrest. As a result, businesses had time to prepare if conditions changed.
  • Evaluating scenarios at speed. The pandemic made it clear that speed is sometimes necessary. As a result, businesses are now better prepared to handle multiple scenarios simultaneously — and switch tactics ASAP if conditions change.

Companies are now seeing similar supply chain impacts as tariffs continue to fluctuate week by week and month to month. In this changeable climate, scenario planning is critical to help businesses plan for likely outcomes and account for potential outliers.

Common pitfalls CROs face with scenario planning

Knowing and doing are not the same. Understanding the benefits of future scenario planning does not guarantee that CROs will have the budget, resources, and time they need to carry out effective analysis and risk mitigation.

Common pitfalls include:

Planning fatigue

Planning fatigue occurs when CROs and their teams get burnt out from excessive scenario planning.

Put simply, planning is complex. It requires CROs and their teams to account for multiple factors simultaneously and weigh the impact of these factors over time. The more detailed the different scenarios created, the more effort required and the greater potential for burnout.

Fatigue may also result from unrealistic assumptions. There’s a fine line between possible and improbable — if teams spend too much time creating plans for events that are incredibly unlikely to occur, they can easily overextend themselves.

Incomplete input data

Missing or siloed data can also cause challenges. For example, if teams can’t easily access data from multiple departments, including finance, marketing, sales, and IT, plans are incomplete at best and unusable at worst. Consider a marketing plan that details the potential impact of three different advertising campaigns, each with increasingly large budgets. The problem? Marketers don’t have access to sales data, which shows a recent drop in overall sales revenue. As a result, all three marketing campaigns are out of scope, meaning they can’t happen, which renders the scenarios built on them useless.

Duplicate data is also a common problem. If departments all report the same data but in slightly different ways, CROs may put too much emphasis on repeated data because it appears different at first glance, leading to inaccurate predictions.

Precision vs. action

The more precise your data, the better your scenario planning — to a point. If precision is your only priority, it becomes the enemy of action. Gains become marginal, and organizations can find themselves stuck in a cycle of waiting for the “perfect” data before moving forward.

Put simply, there’s nothing wrong with using estimates and ranges in scenario planning. If your data is timely, accurate, and relevant, action offers more value than precision.

Disconnect from action plans

Finally, scenario planning is only effective when it connects to data-driven action plans. In other words, while it’s important to imagine potential outcomes, it’s just as important to create responses that address these outcomes. If plans are continually created but never supported, teams may become burnt out.

A 5-step scenario planning framework

While scenario planning looks different for every company depending on their industry, existing risk profile, and desired outcomes, there is a five-step playbook that can help any business kickstart its planning process:

Step 1: Identify critical drivers

First, identify the critical drivers that impact risk in your organization. These may include financial operations, human resources (HR) processes, or data storage frameworks.

Next, assess the drivers based on impact and likelihood. While high-impact, low-likelihood events are worrisome, they’re less concerning than their high-likelihood, low-impact counterparts.

Step 2: Develop and build scenarios

Step 2 focuses on the development process, using critical variables as the basis for scenario building.

First, CROs and their teams should establish basic guidelines, such as how far into the future they want to predict and how many scenarios they want to create.

Next, teams need to identify the primary purpose of these scenarios. Ideally, teams should have a single theme for each set of scenarios.

One framework for building scenario plans is the bow-tie method, which places the scenario (or risk event) in the middle, the potential causes that could lead to it on the left-hand side, and the possible consequences (both qualitative and quantitative/monetary) that emerge from the scenario playing out on the right.

Example

Company A wants to create three scenarios that look six months into the future. The purpose of their scenarios is to assess the impact of possible tariffs on key components. In Scenario 1, tariffs are predicted using historical data from the last six months, giving a middle-of-the-road estimate.

In Scenario 2, teams assume that tariffs increase by 25%. In Scenario 3, they imagine that tariffs decrease by 25%.

Scenario 1 acts as a control: If all conditions remain constant, this is the likely outcome. Scenarios 2 and 3 offer starting points for teams to work backward: What conditions could lead to a drop or increase in tariffs? How could these conditions come to pass?

Stakeholders should also list both preventative controls, which reduce the likelihood of causes and thus prevent negative consequences, and mitigating controls, which limit financial or operational impacts.

Step 3: Assess impact

With plausible scenarios developed, the next step is assessing their impact.

Impacts are measured by their damage or benefit to the organization. There are two common impact types: critical and cumulative.

Critical impacts

Critical impacts happen over the short term. For example, if databases of personally identifiable information (PII) are left unencrypted, companies may face compliance audits, fines, or sanctions.

Cumulative impacts

Cumulative impacts occur over time. Consider the resurgence of phishing emails. According to recent data, 8.4 out of every 1,000 users click through on phishing emails each month. While this doesn’t sound like much, it adds up over time. Even a single click could lead to compromised data and minimal-to-moderate monetary loss.

Other impact factors

Likelihood also plays a role in impact assessment. Low-risk, high-likelihood scenarios are often more impactful than higher-risk scenarios that are unlikely to occur.

Teams may choose to write reports on each scenario detailing their possible impact or assign priority ratings based on their potential to affect business operations. For example, scenario planning around cybersecurity incidents might rate malicious insider attacks at 2/10 because they are high risk but unlikely, while phishing attacks might score at 8/10 because they occur regularly and can put company data at risk.

Assessments are best carried out by stakeholders. For example, a scenario that explores marketing risks should be assessed by marketing teams in addition to chief risk officers and risk management teams.

Step 4: Define responses

Scenario planning is useless without defined responses. Much like incident response planning in IT, potential and worst-case scenarios must be tied to specific actions. This provides a codified framework for staff, which is critical to ensure a reliable and rapid response.

In some cases, responses can be carried out proactively. In the case of unencrypted data, companies can take steps to protect it ahead of possible compromise. For a less likely event, such as the widespread disruption of on-site services due to infrastructure failure, CROs can create detailed, step-by-step plans that enable staff to minimize the impact.

Step 5: Monitor and revise

Scenario planning is an iterative process that evolves alongside business environments. This means the last step in our framework leads directly into the first: CROs must monitor the efficacy of current scenarios and revise them accordingly to account for new critical variables.

In practice, this means risk teams need to monitor the expected exposure of current scenarios along with the effectiveness of the controls used to reduce that exposure. Re-planning with stakeholders on a regular cadence, or whenever monitoring alarms sound, allows organizations to respond quickly to changing environments and document new sets of assumptions.

While there’s no hard-and-fast rule for reassessment, typical timelines include every quarter, twice per annum, or once each year.

Enable scenario planning with better data and tools

Experience provides the strategic thinking necessary to help create and revise multiple scenarios. The real-world expertise of CROs and their teams helps determine what scenarios are most likely, which may have the greatest impact, and how these various scenarios can be addressed.

Improved access to data and better integration of technology tools, meanwhile, help streamline the planning process. For effective technology integration, take these steps:

Leverage ERM systems

Enterprise risk management (ERM) systems help centralize critical data and enable organizations to better assess their potential risk. Consider analytics company Teradata: Using the Optro platform, Teradata was better equipped to connect disparate data sources and quantify potential risks.

By linking key risk indicators (KRIs) to response plans, companies can more accurately evaluate and determine the impact and likelihood of risk. Common risk quantification methods include approaches such as Monte Carlo simulations.
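The cumulative phishing impact from Step 3, run as a Monte Carlo simulation over a bow-tie with one preventative control (MFA) and one mitigating control (encryption), to compare inherent and residual annual exposure. This is an added example, not Optro's or the authors' code; only the 8.4-per-1,000 click rate comes from the article, while the headcount, compromise probability, loss range, and control effect sizes are constructed assumptions.

```python
import math
import random
import statistics

CLICK_RATE = 8.4 / 1000   # monthly phishing click-through per user (figure quoted in the article)
USERS = 2000              # assumption: headcount
P_COMPROMISE = 0.05       # assumption: share of clicks that end in a compromised account
LOSS_LOW, LOSS_MODE, LOSS_HIGH = 1_000, 5_000, 60_000  # assumption: loss per compromise (USD)

# Bow-tie controls (effect sizes are assumptions).
MFA_BLOCK = 0.90          # preventative: fraction of compromises stopped (left side)
ENCRYPTION_CUT = 0.40     # mitigating: fraction of each loss avoided (right side)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(trials, prevent=0.0, mitigate=0.0, seed=1):
    """Return one simulated 12-month loss figure per trial."""
    rng = random.Random(seed)
    # Expected compromises per year; Poisson approximates the binomial over users.
    lam = 12 * USERS * CLICK_RATE * P_COMPROMISE * (1 - prevent)
    losses = []
    for _ in range(trials):
        events = poisson(rng, lam)
        total = sum(rng.triangular(LOSS_LOW, LOSS_HIGH, LOSS_MODE) for _ in range(events))
        losses.append(total * (1 - mitigate))
    return losses


def exposure(losses):
    """Summarise a loss distribution as mean and 95th percentile."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"mean": statistics.fmean(ordered), "p95": p95}


if __name__ == "__main__":
    inherent = exposure(simulate_annual_losses(20_000))
    residual = exposure(simulate_annual_losses(20_000, MFA_BLOCK, ENCRYPTION_CUT))
    print(f"inherent  mean={inherent['mean']:>10,.0f}  p95={inherent['p95']:>10,.0f}")
    print(f"residual  mean={residual['mean']:>10,.0f}  p95={residual['p95']:>10,.0f}")
```

Re-running the simulation with updated assumptions at each review cycle yields the expected-exposure figure that Step 5 asks risk teams to monitor.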

Teams can also link risks to strategic objectives. If event A and consequence B occur, how does this impact short- and long-term business strategies? In addition, teams should regularly review their organization’s risk appetite. While more risk can lead to more reward, it also increases the chance of less-than-favorable outcomes. Identifying your preferred risk tolerance improves the accuracy of scenario planning.

Connect risk to reward

Risk and opportunity are two sides of the same coin — the only difference is the outcome.

For example, betting big on a new supplier is risky, especially if current partners are performing as expected. Scenario planning helps identify where risk falls on the spectrum by helping companies analyze up-front costs, operational changes, and potential profitability.

As a result, scenario planning isn’t just about safety; it’s about strategy. By linking scenarios to short- and long-term business planning, companies can use risk reduction as another tool in driving ROI.

Use dashboards to track assumptions

Risk platform dashboards provide a centralized source of truth to help track and manage event assumptions. They also enable visualization at scale, making it easier for CROs to understand the interconnected nature of risk events.

Avoid negative outcomes, yield positive ROI

Scenario planning improves risk management across your organization and allows risk teams to take a brainstorming approach that evaluates risk through the lens of multiple scenarios — in turn, setting the stage for improved business strategies.

But this strategic planning process doesn’t happen in a vacuum. For CROs to create accurate scenarios and develop effective responses, they need a combination of connected data, quantitative risk analysis, and ERM solutions that provide centralized event and risk management.

Bottom line? Comprehensive scenario planning can help CROs avoid negative outcomes and drive positive ROI.

Scenario planning helps improve risk management and reduce potential impact. Discover how Optro enables connected data to make scenario planning easier and more effective. Get started with scenario planning today.

About the authors

Claire Feeney is a Senior Product Marketing Manager at Optro focused on ESG and RiskOversight. In her role, she helps support organizations in transforming their enterprise risk management and sustainability programs. Prior to joining Optro, Claire worked in product marketing at OneTrust, VMware, and Infor. Connect with Claire on LinkedIn.

Marco Dyer is a Staff Product Manager at Optro, where he spearheads the development of risk quantification and scenario modeling initiatives. With over 13 years of experience scaling products within high-growth software organizations, Marco is dedicated to building tools that transform complex risk data into actionable business strategy. He is passionate about empowering customers to modernize their operations and achieve measurable, data-driven outcomes.
