Strategic risk analyses enable managers to assess the impacts of, and tolerance for, identified risks. Scenario planning on the other hand enables risk managers to consider the risk landscape, examine how risks evolve in the future and to identify the potential impacts of critical risks and thereby suitable responses. Both tools are essential for increasing organisational competency to manage strategic risks, improving the strategic flexibility and agility of the organisation, allowing risk managers to better assess the consequences related to strategic decisions.
Limitations of traditional risk assessment approaches
A challenge for water utilities is identifying those uncertain events that might occur which cannot be fully identified through conventional risk practices alone, making disruption inevitable (Brown et al. 2017). Traditional risk models (e.g. risk matrix, fault tree analysis) are often developed based on the assumption of ‘closed or simplified systems’ (Ferdous et al. 2010), which tend to omit non-linear relationships in the form of interdependencies and feedbacks, non-linear dynamics and thresholds that give rise to trade-offs and unintended consequences that are more common in open systems (Liu et al. 2007).
Risk analysis provides a single point forecast of individual risks (e.g. the likelihood of pesticides contaminating a water body and impacting consumer health), which is effective in capturing the interactions between events, and allowing the implementation of detailed probabilistic (quantitative) risk assessments (Lindhe et al. 2012, 2009). These, however, have limited capability to assess systemic risks—i.e. the interaction between physical risks and ‘broader risk areas’, such as financial and reputational risks—and their potential escalation from operational to corporate levels in the utility.
One way to address this limitation is to build systemic diagrams where the interdependencies between events, exposures and harms, associated with different risks, are taken into consideration. These systemic models are, however, developed with reference to a single point in time and often do not do consider the dynamic and interrelated nature of external drivers that shape risk events. In striving for resilience, water utilities need to, complement risk analysis with scenario planning as it provides cross-case comparisons from disruptive events that could impact multiple sectors, and provide an investigation of the ‘unknown’ at system scale instead of individual parts (LRF 2015; Linkov and Palma-Oliveira 2017).
Complementarity between risk and scenario tools
Significant literature exists on scenario typologies and the processes and techniques for building scenarios (Bradfield et al. 2005; Saritas and Nugroho 2012; Amer et al. 2013), but little is formally recorded about the practical ‘hands-on’ experience of using scenarios to ‘stress-test’ a company’s risks and the long-term benefits related to greater preparedness and increased competitiveness (O’Brien 2004; Varum and Melo 2010). In practice, it seems few companies systematically integrate qualitative scenarios and simulation into their planning processes due to a fear of the unknown, lack of time, or adequate training in scenario planning techniques (Lemmens and Munsters 2007) combined with doubts about securing a return on investment (Rohrbeck et al. 2013).
Commentators have highlighted that scenarios have the value of initiating conversations about the business environment and enhancing the strategic thinking of managers (e.g. Brummell and MacGillivray 2008; Amer et al. 2013). Rohrbeck (2012) suggested that questions about value creation have been particularly relevant in the corporate context, where futures research has remained on the side line and not integrated well with operational and strategic management. Rohrbeck and Schwarz (2013) evaluated the value created from forward-planning (futures) activities for 77 multinational companies that: (1) gained insights about potential changes to their operating environment; (2) responded positively to change by coordinating business objectives and strategic actions; (3) shaped the future by influencing other actors; and (4) facilitated organisational learning.
Rohrbeck and Schwarz’s (2013) observations have parallels in corporate risk management, in that the ‘process’ itself is often as important as the strategies produced (Wack 1985; Koivisto et al. 2009; Amer et al. 2013). Corporate risk analyses allow managers to: (a) open their mindsets to better understand the aggregate risk to the corporate objectives, (b) compare the aggregate risk against to the utility’s risk appetite, tolerance and capacity through knowledge exchange, and c) manage high-level risk metrics that alert the Executive to emerging risks and so enhance preparedness for change (Allan et al. 2013; Schiller and Prpich 2014). Koivisto et al. (2009) highlighted the commonalities between risk and scenario approaches, further developed by Luís et al. (2016) in the context of water utilities (Table 1).
A framework for integrating strategic risk and scenario analyses
To visualise risks over the long-term, there is a need to consider the interdependent and systemic nature of strategic risks (Luís et al. 2015), and an assessment of how these risks evolve under a range of alternative futures, shaped by a set of drivers of change (Luís et al. 2016). Herein lies the potential for combining scenario planning to help utility managers move beyond single point forecasts of risks to focus on the most critical dimensions of uncertainty that are fundamental to the resilience of corporate objectives and their vulnerability to external pressures (Swart et al. 2004; Means et al. 2010). Incorporating the use of alternative future scenarios supports the development of flexible strategies that can cope with changing baselines and alternative outcomes. Therefore, in combining strategic risk and scenario analyses, we seek to inform long-term planning exercises with dynamic business risk knowledge (Luís et al. 2015, 2016).
Our approach starts with an identification of the utility’s corporate objectives, at Board level, which is cascaded down to tactical and operational levels, where risk managers and risk experts carry out an analysis of the utility’s strategic risks, using risk assessment tools to consider the interdependent and systemic nature of the strategic risks. These baseline risks are then ‘evolved’ under multiple envisaged alternative futures, allowing managers to assess the likelihood and consequences of the risks occurring in each scenario that reflects different assumptions about future developments (e.g. climate, demographic, economic and technological change). This assessment forms the basis for determining the overall portfolio risk exposure, allowing risk managers to identify future threats and opportunities and devise strategies for master plans (Fig. 2).
Below, we outline our framework for combining strategic risk and futures analysis (Fig. 2), reflecting on its first application at the largest water utility in Portugal: Empresa Portuguesa das Águas Livres (EPAL).
Overview of EPAL
EPAL is the oldest and largest water utility in Portugal. Founded in 1868 as CAL—Companhia das Águas de Lisboa, a privately owned water company supplying Lisbon, it became a public limited company in 1974, and is now owned by Grupo Águas de Portugal, which is fully state-owned. The utility supplies water to approximately 3 million people (about a third of the Portuguese population). EPAL has approximately 700 staff and assets with a net value of about 900 million Euros.
EPAL operates a regional service system that assures bulk supply to 35 municipalities, north of the River Tagus. Its operations include the abstraction, treatment and transport of drinking water. EPAL also provides domestic water supply to Lisbon through the city’s distribution network. EPAL’s water supply system includes approximately 2100 km of water mains, 42 pumping stations, 40 water tanks, 25 chlorination points and around 100,000 service connections.
Over its 150 + years history, EPAL has faced differing challenges with each era posing new threats that the utility has had to address. The primary aim of creating EPAL was to supply drinking water to Lisbon through the 120 km extension of Alviela Aqueduct, thus solving Lisbon’s water supply challenges, moving forward. During its first century, key drivers of change facing EPAL included population growth and water quality improvements posing a challenge with droughts, floods and power generation failures. The need to respond to population change and water quality challenges necessitated enlarging system capacity with responses including the identification of new water resources, construction of new aqueducts and trunk mains during the 1930s, 1960s and 1980s, alongside new laboratory facilities. A major change in governance occurred during the 1970s with EPAL (CAL) shifting from a private concession to a state-owned company.
The early 2000’s saw EPAL facing a deficit of production capacity, especially in the summer, due to increased demand and water losses in its distribution network. This resulted in strategic decisions to enlarge the system’s capacity, in terms of drinking water production and transport, and to fight water losses. An extreme drought in 2005 had a major impact, resulting in a large-scale media campaign to change consumption habits, resulting in decreased consumption. With enlarged production capacity and decreased water losses, the period from 2007 has allowed EPAL to shift from prioritising investment in new assets to investing in addressing the complex intrinsic and extrinsic drivers of strategic change spanning political, social, economic, regulatory, issues, to asset management, risk management, information management and challenges including innovation and climate change. More recently, from 2010 onwards, EPAL has seen a shift in paradigm where the utility has transitioned from maintaining or increasing the efficacy of the service, in terms of water quantity, quality and reliability, to increasing the system’s efficiency, sustainability and resilience.
Systemic analysis of strategic risk: baseline
Decision analysts recognise that a ‘top-down’ and ‘bottom-up’ strategic risk assessment is required to capture interdependencies between different business units within organisations such as a water utility. We employed a ‘top-down/bottom-up’ approach to assess EPAL’s strategic risks. After working with the Board to define EPAL’s corporate objectives, these were then cascaded these down to tactical and operational levels for in-depth analysis of the events, exposure and harms to strategic risks, before escalating back up to the strategic level (i.e. the Board) for the results to be assessed. The process is summarised below (Table 2). A full account of the approach can be found in Luís et al. 2015.
Corporate objectives identification. At EPAL, identifying the corporate baseline risks required first setting out the corporate values and priorities of different business units and transposing these into a set of ‘strategic objectives’, defined as the utility’s core objectives underpinning all departmental decisions (Keeney 1992). The process was carried out in a meeting involving cross-departmental discussion with decision-makers, at Board level, and with executives across departments to consider the full range of factors affecting its performance. A total of six strategic objectives were defined, aligned to common financial, regulatory and reputational risks at water utilities (Levinson et al. 2008; Morrison et al. 2010; Orr et al. 2011), including to guarantee: business sustainability, profitability, adequate water quantity and quality, reliability of supply and the business’ reputation and trust of customers and shareholders.
Events/exposure/harm systemic model. Next, we focussed on identifying the risks of not meeting the corporate objectives, defined as the ‘strategic risks’ (Frigo and Anderson 2011). Often in utilities strategic risks are compartmentalised within different business units, which makes it challenging for risk managers to monitor controls effectively, often missing multiple interconnected risks and their interdependencies in strategies developed. At EPAL, we combined strategic and operational risk assessments as a basis for determining the exposure of the overall risk portfolio. Following a ‘top-down’ assessment of the strategic objectives, we convened several brainstorming meetings with risk managers to carry out a ‘bottom-up’ assessment of ‘what they considered to be the strategic risks of EPAL’. This required a semi-quantitative assessment of the strategic risks, which was considered appropriate given the multidimensional nature of the risks. A full appraisal required mediating between operational, tactical and strategic risks, incorporating an analysis of the: (1) events, the root cause of activities defined temporally and spatially, (2) exposures, the pathways of impact from one or a number of events, and (3) harms, the direct impacts, effects or consequences resulting from the pathway(s) of exposure (Gormley et al. 2011). Risk managers were asked to appoint individual risk experts in their teams to assess the strategic risks via a number of semi-structured interviews (n = 12, ca. 2-h duration). Experts evaluated the systemic model to examine if any risks were missing and whether the interdependencies were well captured. They then moved to identify the likelihood of the events, exposures and harms, drawing on past studies at EPAL and on empirical knowledge (Waal and Ritchey 2007) to determine the likelihood and consequences of not meeting EPAL’s strategic objectives.
Luís et al. (2015) provides a comprehensive account of the approach. In summary, we applied a logarithmic scale to consider how likely the consequences of an EPAL-specific risk were to occur in the future (i.e. over 18 months from a base year of 2012). This is a common scale adopted for strategic risk appraisals (e.g. Andrews et al. 2003; FAO and WHO 2009). Assigning a numerical scale that showed the frequency of occurrence of a risk (Fig. 3) helped to reduce the level of ambiguity and lack of consistent interpretations of more qualitative probability phrases (e.g. likely, unlikely).
A set of consequence attributes were selected to describe the impacts, including: (1) ‘type’, (2) extension (magnitude) and (3) duration (including irreversibility). We subsequently defined thresholds for these classes of consequences, ranging from catastrophic (the worst imaginable scenario) to minor impact. Taking water availability as an example, we asked “what is the plausible worst case scenario of a lack of water supply”? The speed at which EPAL was capable of responding to water supply challenges were considered; for example, a 6 months threshold took into consideration the estimated time to implement new abstractions or transfers from other water sources or transport systems (Fig. 4).
The holistic model of the strategic risks was hence built through an iterative process, complemented by the identification and assessment of the performance of existing control barriers. During interviews, each risk expert was provided with the same systemic model and set of records characterising the events, exposures and harms and asked to comment on the (1) likelihood of events, exposures and harms, and (2) identification of existing barriers that mitigate exposures and harms and their respective consequences. Interview data were recorded in a similar format (Table 3) and triangulated (Fig. 5) and then compared to identify any inconsistencies and gaps in experts views, which was subsequently resolved through other rounds of expert interviews.
Once the strategic risks were identified, attention was turned to assessing ‘how interrelated they were’ and the nature and extent of the impact on business performance. Interdependencies were characterised by a hierarchy of relationships, where we focussed on how risks from a specific business function or portfolio (e.g. micro or meso level) could affect the achievement of the strategic objectives at the corporate (macro) level. The assumption is that these interactions are “bi-directional” (Haimes et al. 2008) in that the activities and existing controls in a specific business unit of the utility will influence those in other units by way of interdependencies, which vary in strength, directedness and time scale (Wyrwoll et al. 2018).
The output of this analysis was a systemic model that visualised the aggregate impact of multiple interdependent strategic risks (Gormley et al. 2011)—a useful visual that helped to gather insights about what drives the utility’s strategic risks. Figure 6 illustrates the interactions between the risks—with and without control barriers—and helped EPAL’s decision-makers to consider their performance (i.e. what controls are critical, vulnerable?). The model is colour-coded to illustrate the likelihood of events, exposures and harms, and enabled decision-makers to: (1) visualise the interactions between risks, (2) build an understanding of the risk probability—e.g. whether a risk had a naturally low probability of occurrence or if this was reduced due to existing barriers, and (3) review the efficacy of existing barriers and controls.
Side by side risk comparison (baseline). Next, we assessed the aggregate consequences of harms that allowed for comparing the strategic risks in a “heat map” (Prpich et al. 2013). This required first validating the risk evaluation in a one-day workshop with risk managers and experts from different departments at EPAL related to each of the strategic risks (n = 42). Validation focussed on evaluating the strength of existing control barriers, relying on expert knowledge to address questions about whether: (a) the analysis missed any existing barriers (if so, where), (b) how effective existing barriers are at mitigating risk to strategic objectives, (c) which barrier(s) are most critical, (d) which barrier(s) are most vulnerable, irrespective of their effectiveness, and (e) should there be additional barriers in the system?
Building on the systemic model, we compared the aggregate likelihood and consequences of the strategic risks in a “heat map” (Prpich et al. 2013) that allowed for visualising each strategic risk side by side, represented by an elliptical shape. This presented an alternative to the use of risk matrices that restrict risk classifications to ‘high, medium and low’, based solely on the likelihood and consequence assessed in isolation. In fact, underlying each ellipse there is the whole top/down, bottom/up assessment that led to the systemic model described above. This “heat map” increases our ability to reflect, through the length of the ellipses’ axes, the range of uncertainty the analysis embodies. This includes: (a) aleatory uncertainty that reflect the natural variability of the events (e.g. regulatory changes) and (b) epistemic uncertainty related to the lack of knowledge (e.g. demand changes) (Cox 2008). Bringing experts together allowed us to challenge individual biases, but we recognised the need to offset overall group bias. This was approached by reflecting on ‘uncertainty’ associated with the state of ‘evidence’ or the level of agreement/disagreement between risk experts (Fig. 4). We assigned the following criteria to reflect the level of uncertainty (adapted from Gormley et al. 2011):
“Low”—there is empirical or scientific evidence,
“Medium”—there is no empirical or scientific evidence, but there is a high level of agreement among experts,
“High”—there is no empirical or scientific evidence and there is a low level of agreement among experts.
The elliptic shape of the risks in the heat map reflect a mix of aleatory and epistemic uncertainty through the size of the horizon and vertical axes where, for example, Fig. 7 shows this is far higher for the consequence than the corresponding likelihood. Figure 7 also shows that business sustainability, reliability and profitability are the risks with higher aleatory uncertainty in terms of their likelihood of occurrence. This may be due to the number of events that the company has no control of and as a result is difficult to predict. For example, change in regulation and economic stability often does not provide the stability needed for investment (Hecht et al. 2012) and may exacerbate business risk (Morrison et al. 2010).
The heat map allowed ‘side by side’ comparison of each strategic risk and supported communication with the Board as they included narratives on the character of the risk and the effectiveness of the current controls and barriers to manage the risks, drawing on information provided in the systemic model.
Evolution of baseline risks for the long-term
We employed alternative future scenarios to take account of multiple trends that may lead to different futures, rather than variations of a single future (Foster 1993), and used these to challenge the utility’s baseline risks over the next 30 years—the period of time for which the EPAL’s master plan is developed. Responding to external pressures requires building inter-organisational intelligence about (1) how a set of baseline risks could change given developments in the external business environment, and (2) what opportunities and threats need prioritising in long-term business plans. The process is summarised below (Table 4). A full account of the scenario approach can be found in Luís et al. 2016.
Key drivers and megatrends characterisation Luís et al. (2016) provides a comprehensive account of the approach. In summary, we employed morphological analysis (MA) (Ritchey 2011) to build the scenarios. This allowed for carrying out a rigorous investigation and definition of the relationships between numerous external and internal drivers of change, as a basis for achieving a high degree of differentiation in scenario configurations (Haines-Young et al. 2011). Researchers defined an initial list of key drivers—broad range of sector developments that could affect EPAL’s business performance—in a comprehensive desk-study using a PESTLE (i.e. Political, Economic, Social, Technological, Legislative and Environmental) analysis (Brown 2017). Megatrends—i.e. global, sustained macro-level developments—were derived from a 3-year longitudinal study of EPAL’s vulnerability to climate change (Jacinto et al. 2013; Grosso et al. 2012). Some megatrends with a narrow range of possible future developments were considered as ‘givens or predetermined’ (see Table 4) and assumed to be consistently occurring in all the scenarios.
A total of 12 key drivers (Table 5) were validated in a workshop with experts from different departments and with various management responsibilities in EPAL (n = 23). Experts were split into three groups based on their knowledge of the PESTLE themes: (a) social/economic (e.g. customer relations, financial and administrative, projects and works), (b) political/technology (e.g. trunks mains maintenance, information systems, projects and works, asset planning) and legislative/environmental (e.g. marketing, systems operations, water quality control, climate change). After an introduction to the drivers, participants worked in moderated groups to: (1) refine them by considering the ‘validity of the risks’ each driver poses to international water utilities, and (2) examine plausible change in the sector over a 30-year period, including abrupt change or disruptions (i.e. low probability, high impact events), to guide the identification of driver projections—i.e. the full range of plausible “states” each key driver could assume.
Construction of future scenarios The process involved generating ‘a consistent mix of drivers’ (Ritchy 2011) in order to provide a challenging set of futures upon which to stress-test the utility’s baseline strategic risks and assess the implications for achieving good strategic outcomes. Building on outputs from the workshop, we employed the morphological analysis to carry out a pairwise comparison between every driver projection, whereby a judgement was made on whether a pair of projections can co-exist in a scenario (Ritchey 2011). Given the high number of pairwise combinations to be analysed (n = 474), we used Carma™software (Swedish Morphological Society http://www.swemorph.com/) to reduce the total set of driver configurations to a smaller set of internally consistent ones (Voros 2009; Ritchey 2011). The analysis generated a ‘morphological box’ (Fig. 6), where each pair of projections is resolved as either: (1) consistently a good fit, or best fit, or optimal pair, (2) ‘possible, could work, but are not optimal’, and (3) ‘impossible or very bad idea’ (Ritchey et al. 2002). The software deduced consistent relationships by holding each of the key driver projections sequentially and observing how the others behaved, resulting in the exclusion of logically inconsistent (or implausible) combination of projections.
Selection of the scenarios was guided by considering whether each scenario offered a different, though plausible, situation to which the strategic risks can be tested. A synthesis of the cross-consistency analysis resulted in the development of the scenarios, accompanied by a narrative or “storyline” based on the mix of key driver projections: “financial resource scarcity”, “water scarcity” and “strong economic growth”, where each provided a different assumption about future events and developments in the utility’s external business environment (Fig. 8, Table 6).
Side by side risks (evolution) comparison The event-exposure-harm systemic model (Fig. 6) was used as a basis to examine how the likelihood and consequences of the strategic risks behaved in each scenario, where different assumptions are made about the external operating environment of the utility (e.g. increased client revenues in Scenario 2 support investment in technology upgrade compared with resource constraints in Scenario 3 affecting water quality). While the reference scenario is used as the baseline case, we considered the implications of change within the other scenarios (2, 3, 4 in Table 6, Fig. 8) by examining the likelihood of events, and the impacts on the performance of existing control barriers (i.e. both negative and positive influences). A workshop was held involving a select number of experts (n = 10) from the baseline assessment for strategic risks (Sect. 3.2.1) to stress-test the risks, guided by a number of questions:
How do the baseline risks perform in each scenario? Has the likelihood and consequences of the risks changed? What risks are experiencing the most change in a scenario (or a number of scenarios)?
How are existing risk management measures (barriers/controls) performing? What vulnerabilities exist? What opportunities are arising due to good performance?
What actions need prioritising, either to safeguard against threats to the strategic objectives or opportunities to maximise the resilience of current risk management measures?
These questions help focus on the potential outcomes of change as opposed to rationalising the change itself (Miller and Waller 2003). This was achieved by asking experts to consider the corporate-level risk exposure, relying on their judgement of the outcomes as having either positive, negative or insignificant implications for the strategic objectives (Table 7). The outcomes were debated and justified, revealing both opportunities and threats to the strategic objectives arising across the scenarios (Koivisto et al. 2009; Defra 2006). At EPAL, this was important to ensure outputs could feed into strategic discussions at Board level.
Outputs from the workshop were synthesised and a narrative of the evolution of baseline risks was presented together with the corresponding risk ‘heat map’ (Fig. 9).
Managing multiple, interdependent and dynamic strategic risks
EPAL’s long-term extrinsic threats were integrated into the organisation’s strategic risk profile by considering a broader category of risks and their interdependencies. The next step is to ensure the risks are continuously appraised and monitored, through a coordinated management response, thereby improving the ability of the organisation to remain agile and to address both existing risks and emerging threats in their risk management strategy (Fig. 10).
Evolving the risks in a set of scenarios provided insights into the nature of change in the water sector for the next 30 years, building an understanding of the cumulative effects of multiple extrinsic threats on EPAL’s strategic objectives, and their relevance to different business functions for subsequent integration into decision-making. The outcome of stress testing the utility’s strategic risks provided a starting point for the Board to examine what options are worthwhile investing in. Involving both technical and management staff across different business units was critical for building awareness of the impacts of interdependent risks and establishing a case for action for different functional areas. Building a case involved discussions about the overall performance of existing controls. The event-exposure-harm systemic model, accompanying risk narratives and heat maps provided an appropriate level of information for risk managers to communicate the performance of control barriers to the Board, thus providing them with oversight and a process for regular monitoring and review, including:
weak and critical failure points of existing control barriers; i.e. those that are likely to fail over the long-term and change the risk profile,
sector developments or drivers of change that cause existing barriers to fail,
gaps and unintended consequences of the barriers under different scenarios.
The outcome is the ability to review the status of existing barriers and make iterative amendments to improve performance, either by reinforcing the strength of the existing barriers or by implementing new ones. Options can be identified for maintaining the performance of critical barriers, against both short and long-term risks, which will support EPAL in understanding the long-term viability of their portfolio. To ensure existing barriers remain robust, EPAL needs to periodically update the scenarios to consider new trends, emerging issues and associated risks. This is consistent with guidelines in the 2018 ISO 31001 standard that suggests risk management approaches include the use of open systemic models that regularly exchange feedback with the external environment. This step is critical for testing the vulnerability and efficacy of the barriers, which we have suggested could be carried out within one to three years so it feeds into the 10-year periodic review of the master plan at EPAL (Luís et al. 2015).