Skip to content

Illustration by Traci Daberko

How to Use Scenario Analysis to Manage in Uncertain Times

Every single decision in an organization is made under a certain degree of uncertainty.

Often, leaders make these decisions based on anticipated events, along with corresponding best-case and worst-case predictions about what might happen. Whether or not these predictions will actually come to pass is unknown at the time the decision is made.

Much research has made clear that a leader’s ability to make decisions in the face of varying degrees of uncertainty is key to overall organization success. And this type of successful decision making rarely results from a commitment to a single, inflexible solution.

As security managers know, organizations operate in a world of uncertainty. Depending on where one sits in a company, the range of business threats that influence uncertainty can include regulatory and policy risks; slow economic growth; profit pressure; cyberthreats, including loss of intellectual property; liquidity issues, including interest rates and access to capital markets; terrorism; government collapse; reputational damage from a previous crisis; the inability to attract or retain talent; pandemics or natural disasters; and disruptive innovation, including technology and new processes.

Given these uncertainties, it is clear that no one future path is inevitable for any organization. A wide range of potential outcomes is possible and subject to unforeseen events and random occurrences. But this does not mean that all forecasting efforts are fruitless. The business world is dynamic and competitive, and because the external environment often drives the need for change, organizations need to hone their abilities to manage uncertainty. Thus, wrestling with future possibilities is crucial, especially for reasons of preparedness, possible expansion, and strategic planning.

[ Stay Aware of Threats. SM7 Newsletter: Sign Up ]

Common forecasting practices for many companies include environmental scanning and monitoring. This intelligence-gathering process involves tracking changes and interpreting events to determine the status of the competitive environment. This practice uses competitive intelligence—open-sourced information such as annual reports, market analyses, media reports, benchmarking, best practices reviews, and interviews—to ascertain what competitors and other companies are doing successfully and how that might inform the organization’s future decisions.

Another decision-making tool that can provide needed flexibility and help an organization negotiate uncertainty is a formal process called scenario analysis.

What is Scenario Analysis?

Scenario analysis is a method for creating responses to various future events with the aim of reducing uncertainty and maximizing the chances of achieving a desired outcome. This process requires investments of people, time, and money. Imagination also comes into play as managers use scenario analysis to determine or invent possible courses of action to take so the organization can reduce its overall risk and maximize its value.

Historically, scenario analysis arose out of military planning during World War II. During the war, it was a means to offer specific descriptions of different futures; summarize and synthesize variables into a coherent picture for each possible future; suggest multiple and distinct choices that each future would entail; and increase the likelihood of achieving desired outcomes by exploring a range of responses or solutions.

Economic historians say that scenarios were first used in the post-war business world by the Shell Oil Company to evaluate oil price variability and consumption patterns, so that capital investments would be shifted into areas offering the best-predicted financial return. The practice quickly spread, and scenario analysis is now used by companies in most industries.

It has also spread beyond the business world. Scenario analysis is used in civic planning to anticipate urban and suburban growth, in engineering to create designs based on variable conditions, and in science to hypothesize research outcomes. Some political campaigns use it to explore possible paths to victory by analyzing variables like voting patterns, turnout, poll findings, and potential demographic changes.

In conducting a scenario analysis, specific future uncertainties and corresponding realities are evaluated by exploring different possible ways to arrive at a desired outcome. This requires assessing internal capabilities, such as the strengths and weaknesses of the operation, and external factors, such as the existing and future opportunities and threats in the business environment.

Scenario analysis does not reveal one exact road to successful decision making, nor does it assume that historical data patterns and past observational findings will replicate themselves in the future. The process will never erase all uncertainty, and it does not predict the future.

Instead, when done well, the process brings to light many possible future developments and turning points, which present several alternative paths to the desired outcome. It can provide a clearer understanding of what is plausible and should be taken seriously, and what is not. In the end, it is about describing various futures or different outcomes. This analysis results in the option to make advance decisions that are either strategic (planned actions) or tactical (immediate responses) in nature, depending on the event.

Let’s look at a basic example that illustrates when and how a security manager might employ scenario analysis.

Comparative Movements

A risk manager in the petrochemical industry is approached by a plant management team and told that pressing operational issues require the relocation of a large storage tank from its current problematic site to another spot a short distance away. The task would not be a small one, considering the complexity and possible cost involved. The size of the tank suggests a small crane would be required to move it.

At first, operations personnel recommend that the tank be moved with a crane. But instead of moving forward on that initial recommendation, the security manager—working with representatives from operational and financial management—leads a scenario analysis. The desired outcome is to move the tank with the least risk and at the lowest cost possible.

The analysis generates three scenarios: Number One, moving the tank with a crane from one site to another, as originally suggested; Number Two, dismantling the tank, moving it piece-by-piece, and then reconstructing it at the new location; and Number Three, building a pool around the tank and then floating it to the new location.

Each option presents its own set of variables and comparative assessments of risk, cost, staff hours, potential hazards, and more. After the analysis, Number Three, the float option, is selected.

As mentioned before, operations had recommended the crane option, because it initially seemed to be the best one. But the scenario analysis revealed various reasons for choosing the third option: the relative simplicity of the move; the lower risk of a move by water rather than by crane; and the quicker return to operations, especially compared with the dismantlement option.

A Case of Mistaken Analysis

A scenario analysis does not predict success; in the previous example, the choice of floating the tank may still ultimately fail. However, scenarios help managers anticipate what’s possible within existing constraints and uncertainties, and this increases the likelihood of success.

Sometimes, however, managers and executives do not always understand that scenario analysis is about managing uncertainty, not eliminating it. In some of these cases, companies will try to predict the future by narrowing down multiple variables to a single point, event, or outcome. They unfortunately fail to account for all events that lead to different possible futures. They sometimes also make strategic decisions based on a single prediction of the future, falsely assuming inevitability.

One of the most notable examples of the mistaken use of scenario forecasting using a single point analysis was by a very successful and well-known company—International Business Machines Corporation (IBM).

Based on a single-point analysis, IBM forecasted sales of 295,000 personal computers (PCs) for the decade of the 1980s. IBM then made the strategic decision to completely move away from developing personal computers. The company outsourced its microprocessor to Intel, outsourced its operating system to Microsoft, and focused on developing mainframe computers.

The single-point forecast was off…slightly, to say the least. As it happened, about 25 million personal computers were sold in the 1980s, or roughly 85 times IBM’s forecast. That single-point forecast and the company’s subsequent course of action have significant ramifications to this day. IBM is a notable cloud services and software company, but it does not sell personal computers.

And IBM was not alone in its ill-advised attempt to reduce uncertainty through single-point forecasting. One reason single-point forecasting can be so risky is that the current competitive business environment is more uncertain than at any time since before World War II. Research analysis of business forecasting for the past decade has found that even two-year forecasts usually fail to capture market change within that relatively limited specific time frame.

Why is the business environment so uncertain? Largely because of technological advances and the pace of innovation, which have increased the quantity of information, improved the quality of knowledge, and compressed time and distance through globalization. As a result, businesses face increased competition, and markets are in greater flux than ever before.

These business uncertainties offer challenges in the security field as well.

Site Plan Security

Imagine a security manager responsible for creating security plans for new manufacturing plants across a range of geographic areas.

In order to move forward, the security department conducted scenario analysis and planning in preparation for site development. It included in the analysis different security needs based on different external factors, such as crime and risk exposures. It also included different internal factors, such as available staff hours, existing skill sets, and other components of value. In each calculation, the ultimate goal was to determine how to best protect people and assets at the site.

The scenario analysis found that one site would likely work best for the first plant. Working with a cross-functional development team on this new plant location, the security manager conducted another analysis. The manager again assessed factors such as potential crime and risk exposure and worked with various vendors to assess costs and needed services. Preparations for the new business development started moving forward.

But that plan was derailed when the company’s negotiations with local government officials on a tax abatement for the new site fell through. And so, a common business environment uncertainty—regulations and tax policy—forced the firm to consider other options.

The development team’s alternative site for the new plant was in an area with higher crime and risk exposure. However, already having engaged in scenario planning and analysis, the security manager was able to dig deeper and factor in a range of other positive attributes about the alternative site.

In the end, the company made analysis-based decisions that led to the selection of the alternative site, and the development of a plan that satisfied the site’s greater security needs and fulfilled the desired goal of the protection of people and assets.

Creating Scenarios

The above site plan example demonstrates some of the value of a thorough scenario analysis. Now, let’s take a deeper dive into the process itself, with a focus on how a manager can create scenarios.

The scenario analysis process is a complex undertaking, because there are a lot of moving parts. The purpose of creating the scenario is to capture the range of future conditions within which an organization might have to operate. Scenarios define different contexts for the future, and the uncertainties of the future change as the time horizon expands. When timelines are shortened or narrowed, the number of uncertainties may be reduced, but pressure for more immediate decisions may increase.

One of the first key steps in creating scenarios is to ask questions to help identify the dimensions and limits of each uncertainty.

For a security manager, these can include questions about the type of crime that exists in the area, and how that crime might influence the cost of programs and systems needed to provide security. But they may also explore how security can affect operational complexity and business profitability.

During this process, one common hazard is for managers to make assumptions based on past experiences. Unfortunately, the deciding factors in prior experiences may be outdated or no longer applicable.

Guarding against this requires managers to submit preconceived notions to the question: what if these assumptions are wrong? Sometimes, they will be. Opposing views are critical; playing devil’s advocate is beneficial when building scenarios.

For example, when looking at crisis management by some notable companies, we can see where they might have benefited from a devil’s advocate who suggested the need to build scenarios that factored in crises. The effects of poor crisis management are apparent; from Coca-Cola’s largest product recall ever in 1999 to the Deepwater Horizon explosion in 2010, we see that companies facing crises suffered crippling operational and communication failures due to an inability to conceptualize different futures. Even Johnson & Johnson—whose handling of the 1982 Tylenol crisis has long been considered the gold standard for crisis management—failed in 2010 when trying to recall products contaminated in its own manufacturing environment. For J&J, the devil’s advocate might have suggested that, despite past successes, the company might need plans for other responses, such as a different means of communication strategy for an event when, unlike the 1982 crisis, the product contamination was of their own making.

Another important step in scenario building is to determine the number of scenarios needed. A common set of scenarios generally involves a best case, a worst case, and one or two in the middle. In all scenarios, there will be trade-offs, but trade-offs do not eliminate the possibility of attaining the desired outcome.

Once the number of scenarios is established, the next crucial step involves determining the probabilities within each scenario, or figuring out what is likely and what is not. Let’s use an example taken from the headlines: Boeing and the 737 MAX.

Following two crashes and the grounding of the jets, the company has slowed its manufacturing as it seeks to navigate the future. But what might that be? Fixes to the jet? Continued delays in production? Loss of sales to competition? These are some of the major questions, all of which present very different futures and provide a poignant example of how scenario analysis can be used at the highest strategic level.

A scenario with low probabilities may be a worst-case option, but that does not mean it should be disregarded. Having multiple scenarios is valuable, and even worst-case scenarios provide important information on comparative options. The aim is to help guide decisions by assessing and getting a handle on as much of the uncertainty as possible.

Take, for example, a security manager who served as a member of the due diligence team for an acquisition. The team had to review a prospective acquisition of a multi-location company to assess whether the acquisition made strategic sense for the company.

The complex scenario analysis that was undertaken required the engagement of the entire cross-functional development team, in addition to the due diligence team. The analysis included specific questions of risk and security exposure that could impair sales, affect employee hiring and retention, and increase costs.

Once the scenarios were analyzed, the company made the analysis-based decision to negotiate for fewer locations, which would improve the overall level of security at each individual site. The decision improved the security and risk financial picture, and it allowed a higher revenue capture than previously anticipated. Thus, the scenario analysis resulted in better security and a better business decision. It also allowed the security manager and staff to demonstrate valuable business acumen.

The Power of Scenarios

Four features make scenarios analyses a particularly powerful tool for understanding uncertainty and making business decisions.

First, these thought experiments expand thinking by developing a range of possible outcomes, each backed by a sequence of events that could lead to the desired outcome. According to psychologists, this is particularly valuable because it helps counteract the common biases of expecting the future to resemble the past and expecting that change will occur only gradually. By demonstrating how and why things could quite quickly become much better or worse in new and unexpected ways, scenarios improve readiness for the range of possibilities the future may hold.

Second, these analyses help protect against groupthink, which can inhibit the free flow of ideas. In business meetings, people often agree with whatever the highest-ranking person in the room says. This is especially true in hierarchical companies, where employees will wait for the most senior executive to state an opinion before venturing their own, which often magically reflects that of the executive. Scenarios allow companies to break out of this trap by providing several established options, which can serve as a “political safe haven” for contrarian thinking.

Third, in large corporations there is typically a strong status quo bias. Scenarios can help challenge conventional wisdom when status quo-based assumptions may no longer hold true. Having alternatives built into the process provides a less threatening way to deviate from the status quo.

Fourth, scenarios are particularly useful in navigating the kinds of extreme events recently seen in the world economy, such as natural disasters, pandemics, terrorism, active shooters, or ransomware. Scenario analyses enable management to steer a course between the false certainty of a single forecast and the confused paralysis that often strikes in chaotic times. When well executed, they allow strategy to be based on a sophisticated understanding of probabilities that maximize the chances of a desired outcome.


Overall, scenario analysis forces secur­ity managers to ask, “What would have to be true for the following outcome to emerge?”

This process can have many side benefits. Demonstrating how and why things could quickly become much better or worse has the natural side effect of increasing preparedness for the range of possibilities the future may hold.

And the analysis can allow the organization to form a better understanding of the major variables that may significantly impact and shape the firm’s future, in both positive and negative ways.

Finally, scenario analysis offers the security leader the opportunity to employ business acumen and generate strategic insights that could help the organization weather uncertainty and achieve its aims. That is no small contribution in these uncertain times where keen insights are needed. But the extent of any effective contribution to scenario analysis made by a security professional will always be context dependent and limited by the knowledge, skills, and abilities they possess, not merely of security but of business itself.

Christopher Walker, DBA (doctor of business administration), is a management development consultant and a longtime member of ASIS International. A former law enforcement officer responsible for high-level financial investigations, Walker served as the head of global security for a multibillion-dollar division of a Fortune 50 company. He is former executive professor of strategy for Northeastern University, and he created the IE/ASIS program “Effective Management for Security Professionals.”