When are scenario thinking and future planning appropriate in risk management ?

Author: Manu Steens

In this article I write my own opinion, not that of any organization.

On the one hand, we have risk management.

In risk management, it is common practice to translate a risk as a product of probability and impact.  The most well-known formula for measuring a risk is:

R = P * I

R is the measure of risk, P the measure of the probability of an undesirable event occurring and I its impact on achieving the objectives of the organization. Both are considered known.

Special attention in this article is paid to the situation in which there is a high degree of uncertainty with a risk. Unlike certainty, usually mathematically defined as a number between 0 and 1, or between 0% and 100%, uncertainty is rather something we feel but on which we cannot attach a clear mathematical definition that leans back on certainty. What we do know, however, is when the uncertainty is maximum for the occurrence of an event as a result of a cause. That is if the probability is 50%. Why? Because then the occurrence of the event is a coin on its side: you really do not know which way it will fall.

On the other hand, we have the combination of the future strategies with scenario thinking.

In itself, risk management is also a bit like thinking towards the future: if the probability is high, for example 95% chance of occurrence, then there is a relative high certainty of the occurrence of the impact. It is then, from risk management and in function of the impact, that one has to define and implement a measure. This allows the impact to be optimally prevented or mitigated (in the event of a threat) or provoked to the maximum (in the event of an opportunity).

However, the reasoning I want to make here is this one where the uncertainty is maximum. There it is therefore unclear whether the event will occur, or not. So a twofold future occurs: the event happens or does not happen. With this, a game of extremes occurs, for example:

  • Will it be war or peace?
  • Will healthcare become more preventive or more curative?
  • Will sufficient measures be taken in time for the climate or will it become an unbearable climate?
  • Will there be famine or abundance?

With such uncertainties one can consider these uncertainties in their own right, where one has two futures per uncertainty, or one can  express them per two against each other (if they are sufficiently independent), obtaining quadrants that represent four futures.

In theory one can work with n uncertainties, where one then obtains 2n futures but it becomes problematic, because already from n = 3 one has 8 futures, which becomes unworkable and also because in practice it  becomes more difficult to maintain the independence of these uncertainties.  And that is necessary to foresee extremely different futures.

For each of these futures, instead of directly defining measures, one can then start thinking about scenarios. This is a strategic choice, where one defines how one will act in a certain direction depending on which future becomes true. This instead of putting a single project or action in the pipeline because one has a strong expectation regarding whether (probability rather high) or not (probability rather low) the event with a specific impact will occur.

In order to be able to make the right choice, it is necessary to explore the evolution of the circumstances of the organization.  In other words, lowering the uncertainty about the knowledge of the future. To do that, one has a number of things that one can do.

  • The very first thing to do is to dare to question the assumptions. Are the assumptions that were made the good ones.
  • One determines the extreme futures, the scenarios, and whether one is ready for it, or whether, in contrast, one still has work to do. Usually it is the latter. To this end, one looks at which strategic option is most useful in which possible future. These options involve developing possible future projects or actions, and thoroughly considering their effects with a 360° view. As far as possible, tests or exercises are carried out to estimate the possible effects.  What are the shortcomings that need to be filled in?
  • Furthermore, there is the collection of the necessary information. One will define relevant parameters – indicators – and follow their trends. One determines in advance when one will decide on the basis of which (combination of) indicators which strategic options one will roll out. This is important, because being there in time and preparing for a future can determine whether one can get a  competitive or societal advantage from it or whether one is more likely to encounter a problem.
  • When the future unfolds, one deliberately monitors it, and consciously chooses the pre-agreed options tailored to the actual nuanced future. The timing of the decision and the roll-out of action plans is then crucial.


Scenario thinking and future planning are relevant within risk management. However, one should have a good idea when this is the case. A rule of thumb is: do this with priority where the probability of an event with a certain impact is average.

Usually there are multiple risks with an average probability. Then give priority to risks with a high impact. After all, these give a more extreme course of the possible futures. As much as possible, make sure that you work with uncertainties that are maximally independent of each other if you plot them against each other.

However, if the impact is very large, and opportunities exist to influence the probabilities in your favor, do not fail to do so with common risk management strategies. “Choose your battles wisely.” After all, future planning and scenario thinking are especially useful when the internal and / or external environment of the organization are substantially uncertain. The choice to work on certainty, or to try to take advantage of uncertainty, is also a strategic choice in itself. And that depends on the capabilities of the organization. The internal environment can usually be influenced. Tinkering with the external environment is usually an impossible task. That is why this technique is also important when trying  to look at risk management objectively for the organization as part of the world.

How to assess a measure of Business Continuity Management and Risk Management?

Author: Manu Steens

Within Risk Management and Business Continuity Management, each management discipline does it in its own way, risks and uncertainties are assessed in order to have more certainty in a VUCA world on the success or survival of the own organization.

The more or less succinct view on the way of working is that measures are linked to threats via an assessment. (I’m deliberately limiting risks to threats here, so as not to lose focus on the story, while perhaps what follows may be partly true or analogous to opportunities.)

These measures cost money and effort and must therefore be accountable. Until now I got only two answers in literature and at conferences:

  • Look at the costs versus benefits: if the prevention or mitigation costs more than the damage when the risk manifests itself, it is not worth the effort.
  • Look at the estimate of the residual risk, if that has not decreased enough in your opinion, it is not a good measure. The difference between the original risk and the risk after the measure must therefore be sufficiently large.

However, that won’t take you very far if you want to substantiate an argument as a process manager against a risk manager or business continuity manager who in turn has to discuss it with the board of directors or the Chief Resilience Officer (CRO) or in the C-suite.

What’s more, a process manager usually wants hands-on arguments, while a board member or CxO wants more strategic arguments. And then the principle comes into play: to give what is owed to them. Operational and strategic criteria are therefore needed with which to assess each measure.

Without wishing to be exhaustive in the criteria, nor the points for attention that may go with them, I would like to outline a possibility here by proposing such criteria. Note that each criteria can be viewed and further entered and supplemented by those organizations that want to use it. The examples of implementation are purely illustrative and certainly not exhaustive.

As a risk manager or as a business continuity manager, review the measure operationally with the process manager on the following criteria (where applicable):

  • Reliability (For example, if a part is out, there is a backup of processes, people, redundant structure of organization, infrastructure, …)
  • Maintainability (e.g. the building, its equipment, its processes, education and training, …)
  • Availability (e.g. emergency number, network, realizations, independence, visibility…)
  • Feasibility (For example, can it be organized? What legal structure is needed, required finances, required manpower,…)

As a risk manager or as a business continuity manager, look at the measure strategically with the higher manager (CRO, …) on the following criteria (where applicable):

  • Proportionality (Especially: Is a cost benefit evaluation possible, not only with return on investment (ROI) but especially with value on investment (VOI)? ‘More need can be met with the required money in another way than this’, would mean that this is disproportional; what kind of evaluation models are needed for that?)
  • Prudence (For example, what is a life worth? There is no rule of maximum caution here, I think, rather the question whether you can be more careful within budgets?)
  • Effectiveness (Among other things, are the benefits great in the cost-benefit analysis? Is the information flow between the right players? Is there an eye for quality by mapping the risks? Is the organization supportive of the operational and strategic requirements? Does it meet targets in time (for predictable crises to occur) to be able to perform exercises to create preparedness for future crises?)
  • Efficiency (Among other things, is the cost small in the cost-benefit analysis? Is the information flow smooth? Is there a will to collaborate within the networks, and is this with a subsidiary decision-making authority (which is a quality requirement)? Can the organization be reorganized flexibly, and is there a smooth collaboration with government? Are milestones for the plans met in a timely manner?)

Using such a well-thought-out framework of argumentation to substantiate the correctness of a measure, it can help to prevent misunderstandings or arbitrariness when formulating measures to be implemented.

If it has then been established in a subsidiary way at both the operational level and the strategic level that the measure makes sense, it may be safer to implement the measure for all parties, as a justification for a possible audit afterwards if things still go wrong later.

However, although there are the concepts of operational and strategic crisis management, it is not clear to me whether this way of working can be implemented in crisis management. This may be possible in the case of project operation in the aftercare phase. But that in itself may be an idea for others to check.

The 4 commandments of risk management, the values of an organization and Information Security

Author: Manu Steens and Joris Bouve with thanks to Hilde Van Nijen

The main purpose of information security is the risk awareness of the employees. After all, man is the weakest link. Risk awareness goes both ways. On the one hand this concerns awareness of the business with regard to information security: where does it hurt and what can be done technically and what do you have to do yourself? On the other hand, it is also about the awareness of ICT people: what do they need to know that the business finds important and what is not. Doing more is often irresponsible and gives rise to spending money inappropriatly.

What & why?

The purpose of information security is to ensure the reliability of information systems. This reliability is viewed from the following three perspectives:

Confidentiality: ensuring that information is only accessible to those who are authorized to do so.
Integrity: ensuring the correctness and completeness of the information.
Availability: ensuring that authorized users have timely access to the information / information systems at the right time

This is of course only possible by taking, maintaining and monitoring a coherent package of measures. It generally concerns information that is stored in information systems, but can also be written on paper.

The information security policy of the organization is aimed at ensuring, on the basis of risk management, that the information of the organization is correct and complete and accessible in time for the authorized persons.


To ensure information security adequately, measures must be developed to ensure confidentiality (C), integrity (I) and availability (A: availability).
It is not easy to lay down generally applicable criteria for this, because these can differ from department to department within an organization, even between teams within a department the needs can be different.

These measures must also respond to the following areas:

  • People and Resources,
  • Collaboration (at process level and overarching)
  • Systems
  • Content,

As an aid instrument we have worked out the matrix below. In this matrix, the four domains are approached from the three perspectives. We have prepared a number of guidelines for each combination. For these questions we have drawn inspiration from the “four commandments of risk management” (see below). Every employee can get to work with these questions. But these questions are also extremely suitable for gaining a clearer view of information security (both from the point of view of the “business” and from the point of view of IT).

People and resources Collaboration at process level and overarching Systems Content
C What do you share with whom? Which access do you need? Does anyone know the security manager? What is the intention of the management with their information security policy? Does the confidential information remain within confidential circles? Are these circles known to everyone? Which things do you have to be able to be admitted to the systems? Is a background study necessary for this? Who coordinates this? Which security-related laws must your organization meet (privacy, ISO standards, BCM, …)?
I Does everyone have good intentions? Is a background investigation necessary for this? Are the processes drawn up and checked for bugs and errors? Was the flow of the process tested? Are the systems regularly maintained and tested? Is that needed? How important is the correctness of the content? Do you use voluntary error introduction for the sake of confidentiality?
A What people and things do you need to be able to do your work safely? What about a system failure? People? Buildings? Facilities? Suppliers? Has a risk analysis been made for information security? Who has physical access to which systems? Who has logical access to which systems? When? Is there an SLA with supplier? When do you need the information? Are these depending on the time in the year?

Answers to these questions are some of the criteria that information security must meet within the organization.

The four commandments of risk management and four values: openness, decisiveness, trust and agility

Risk-aware behavior can be reduced to the following four commandments:

  • Do not harm yourself unless you get better;
  • Do not harm anyone unless he / she gets better;
  • Do not break anything unless you can make something better with the parts;
  • Grab your chances, unless this is contrary to rules 1, 2 or 3.

These four commandments are

  • simple
  • easy to remember
  • clearly applicable

Moreover, these commands are relatively easy to link to the values ​​of an organization. By way of illustration, we give here how these fit within the values ​​of openness, decisiveness, trust and agility.


Rule 2: do not harm anyone to this applies. For example, openness of management is only valid as long as someone is involved. The privacy legislation also supports this principle that a person can appeal against the processing of his data. In addition, according to the privacy legislation, one is mainly allowed to come out with statistics, not to expose the heart and soul of an individual against his/her will. So there may be transparency, but with the right extent: the extent to which you do not hurt anyone.


Rule 3: do not break anything and rule 4: grab your chances. Effectiveness within the organization is meant to be creative. In order to serve clients better, however, it may be necessary to be decisive and break down existing structures and build better structures. For this, one should know his ways within the organization to act effectively. And if you know the goals and the way to it, it is important to seize the opportunities.


Rule 2: do not harm anyone and rule 1: do not harm yourself. For an organization, it is of utmost importance that everyone has their trust. This applies to both the client and the employees. You must have sufficient self-confidence that you are heading in the right direction with what you do for the market. If people hurt each other senselessly, this trust will soon be violated.


This means that exceptions can always be part of rules 1 through 4.

But it also means rule 4: grab your chances. Drifting away from the chosen road can yield a number of benefits that you would otherwise have missed. Looking carefully at opportunities and tackling these issues is also the message !