We all know that risk management is supposed to manage risks. But people often understand very different things when they use the word “risk”. One way to solve this problem would be to insist that everyone uses the definitions found in risk standards and guidelines. These definitions have usually been produced by groups of experts who work hard to be clear, to say what they mean and to mean what they say. Unfortunately most people ignore official definitions when they manage risk in practice. Instead they rely on their own ideas about risk which are often limited or misleading. This in turn can reduce the effectiveness of the risk process and stop it delivering the full range of potential value.
One common misconception about risk is that it refers only to uncertain events that might occur in the future, and which would affect the achievement of objectives if they did occur.
This limitation has arisen partly because some people use the term “risk event” as shorthand for all types of risk, leading many (most?) risk practitioners to think only of uncertain future events when they identify risks in their projects or business. Of course risk does include uncertain future events (we might call this stochastic uncertainty), but the risk process must also address other kinds of risk. What are they?
Starting with the idea that risk is “uncertainty that matters”, we can ask what uncertainties might matter. There are several types in addition to uncertain future events. Using alternative words to describe different types of uncertainty can help us to find them.
We should consider three main non-event types of uncertainty as part of our risk process:
- First is variability, where there is uncertainty about some key characteristics of a planned event or activity or decision. For example, we plan to conduct a test of some new equipment but we are uncertain about how long the test will take. Risk specialists sometimes call this aleatoric uncertainty, where a range of outcomes is possible but we’re not sure which one might actually happen.
- Secondly, ambiguity exists where we are uncertain about what might happen, if anything. For example we intend to launch a new product into a competitive marketplace – how will competitors and potential customers react? Another name for ambiguity is epistemic uncertainty, arising from imperfect knowledge.
- A third type is usually called unknown-unknowns, although a better name would be unknowable-unknowns (and their proper name is ontological uncertainty). These arise from limitations in our conceptual frameworks or world-view. They are the risks we do not see because we don’t know that we should be looking for them.
Risk practitioners will probably need to explain these technical terms carefully if we want to use them with our colleagues! But as risk specialists we ourselves need to be aware that these non-event types of uncertainty exist and could be relevant.
Whichever terms we use to describe risk, it is important for the risk concept to be extended beyond uncertain future events, and for the risk process to include techniques to identify, assess and respond to all types of “uncertainty that matters”. Only then will we unlock the full value that risk management offers, using it to manage every kind of risk and not limiting ourselves just to uncertain future events.
[© Copyright 2012, David Hillson/Risk Doctor & Partners]