A risk scenario is an analysis technique consisting of five components that help people visualize and understand risks. The five components of a risk scenario are: actor, threat type, risk event, assets or resources, and time.
The actor is who or what generates the risk. Actors can include internal staff, competitors, regulators, nature, and the market.
Threat type describes the nature of the threat and can include malicious events, accidental events, natural disasters, equipment or process failures, and external requirements.
The event is what causes project or organizational objectives to be impacted. Events can include disclosure (e.g. of confidential information), interruption (of services or production capability), theft, destruction, ineffective design, ineffective execution of processes, compliance or regulatory changes, and inappropriate use.
Assets or resources are objects of value that can be affected by the event, leading to an impact on project or organizational objectives. Assets and resources include the organization, personnel, process assets, infrastructure (e.g. facilities, networks, equipment, communications), and information.
There are two dimensions to the time component: the duration of the event and the timing of when the event occurs.
Risk scenarios help streamline the risk process by consolidating a series of individual risks into a single risk scenario. Developing a comprehensive treatment plan to address a risk scenario will typically address a number of risks, thereby improving the efficiency and effectiveness of the risk management process. Risk scenarios, like risk statements, can be expressed using a structured context.
Example: <Government> GENERATES <tax legislation> RESULTING IN <increased taxes> AFFECTING <small business> LEADING TO <business growth> <delayed> <12-24 months>