Using Risk Scenarios: Expect the Unexpected

the word "risk" underlined with a red marker pen

Fail to plan, and you plan to fail. In recent years, we have seen first-hand the somewhat exponential (re)emergence of enterprise governance and enterprise risk management (ERM). After all, risk is everywhere… but perhaps surprisingly, it’s not all bad! Lest we forget that when it comes to risk, there are both threats (risks with negative consequences) and opportunities (risks with positive effects). And it’s for good reason that optimizing risk is a far more valuable objective than simply striving to eliminate risk altogether. 

At our fingertips we have a growing plethora of risk management frameworks, standards and processes. There is COSO for ERM, the RIMS Risk Maturity Model (RMM), Project Risk Management (in Prince2 or PMBOK), and the ISO 31000 family to name a few. But when it comes to risk management in the IT domain, and specifically the Governance and Management of Enterprise IT, in my opinion there really is only one leading globally accepted and in use business framework to employ – COBIT 5. 

COBIT 5 takes risk management seriously. As well as the two dedicated processes in both the Governance (Evaluate, Direct, and Monitor) and Management (Align, Plan and Organize) domains, which represent Ensure Risk Optimization and Manage Risk respectively, risk management is embedded throughout the COBIT 5 framework.  

The Governance process seeks to ensure that: 

  • IT-related enterprise risk does not exceed risk appetite and risk tolerance 

  • the impact of IT risk to enterprise value is identified and managed, and 

  • the potential for compliance failures is minimized 


While the Management process works to: 

  •  Integrate the management of IT-related enterprise risk with overall ERM, and 

  • Balance the costs and benefits of managing IT-related enterprise risk 


ISACA, the owning body of COBIT 5, instituted the tried and tested concept of using scenario analysis in the risk management space, to help enterprises be ready for (almost) any eventuality. As this is both supplementary and complimentary to the seven risk principles defined in COBIT 5, it makes it even easier to understand and execute risk management in the business! So what’s in it for the business, you may ask?  

In ISACA’s Risk Scenarios Using COBIT 5 for Riskguidance the over-arching focus and objective is on improving risk management within the enterprise, and making it practically achievable, through the effective use of risk scenarios in five essential steps: 

  1. Define the business specific risk scenarios applicable for your organization. Start with the generic risk scenarios included in the guidance, and customize for your unique business. 

  1. Verify and validate that the risk scenarios defined align to the business objectives of the organization, and to the Enterprise Risk Management within the business. This also serves to make understanding the business impact of risk a whole lot easier. 

  1. Review and refine all of the risk scenarios based on their business alignment. It is critical at this stage to assess the level of detail in each risk scenario to ensure it is appropriate for the risk exposure to the business. A one line scenario for a risk to 80% of the organization’s revenue is unlikely to be sufficient… 

  1. Filter the risk scenarios, and where possible reduce in number, to a suitably manageable set of the most relevant and important ones only. Whilst being comprehensive is key, having too many scenarios may render your risk management ‘unmanageable’ and prevent any benefits from being accrued 

  1. Store your final set of risk scenarios in a secure but accessible location. Risk scenarios, although typically defined ‘once-off’ up front, for example at the start of a project, exist in the living, breathing and ever changing business environment. As with improvement philosophy, risk scenarios need to be continuously re-evaluated and adjusted if need be. 

Risk scenarios can be likened to the missing link, bridging the gap between the intangible and unrealistic, to the tangible reality of risks to the organization, and ultimately the ability of the business to create and sustain value over the long term. When executives and stakeholders can clearly (and simply) see the scenarios that could unfold, should probable risks materialize, and their potential direct impact to the enterprise, support and decision making becomes more efficient and effective. And with that comes risk optimization. 

Scenarios are not a new technique, but making risk scenarios available in the IT domain, covering everything from new technology to external regulatory compliance, has provided an (in)valuable means to help businesses in their preparation of how to respond to risks should the train come on by. Risks should not by default be avoided at any costs. In fact to the contrary, organizations in the 21st century would be well advised to not only prepare for the unexpected, but to expect it! Just as one can never tell when ‘D-Day’ is coming, one cannot predict when that opportunity of a lifetime may come rolling by… I know I would want to have a (risk) scenario for that! 

Additional reading available at: 

Orbus Software’s iServer's Governance Risk and Compliance capabilities delivers an extensive range of built in features, reports and assessments that make it easy for your organization to adopt and implement an IT GRC solution.