One of the first things I learned about risk was that every risk has both a probability less than 100%, as well as an impact on at least one objective. Some of my risk colleagues talked about risks with 100% probability, but I disagreed with them. As I’ve discovered more about risk, I’ve realised that my colleagues were right! There are risks with 100% probability of occurrence. In other words, they are either happening now or they are certain to happen in future.
Most people’s first reaction to the idea that a risk can have 100% probability is to disagree. After all “uncertainty” is a key part of the definition of risk, and 100% probability means “certain”. But this leads to a very limited view of the types of risk that we need to understand and manage.
A previous Risk Doctor Briefing (Number 73, July 2012) discussed four types of risks that could affect our businesses and projects. Each of these is an “uncertainty that matters”, but only one type has probability less than 100%.
1. The first type of risk is a future possible event, which we call “stochastic uncertainty”. This is something that has not yet happened and it may not happen at all, but if it does happen then it has an impact on one or more of our objectives. Most identified risks are like this: a key supplier may go out of business, the client might change the requirement, or new regulatory constraints might be imposed. We can estimate a probability of occurrence for each of these possibilities, which is less than 100% because the future event is uncertain.
2. Second we have risks arising from variability (also called “aleatoric uncertainty”), where some aspect of a planned task or situation is uncertain. For example we may plan to run a 15-day trial, but the duration could in fact be anywhere between 10-20 days. The probability of running the trial is 100%, but its duration is uncertain. Other variable parameters include cost, resource requirement, productivity, defect rate, performance, etc.
3. Third are risks relating to ambiguity (known as “epistemic uncertainty”), describing uncertainties arising from our lack of knowledge or understanding. This might include elements of the requirement or technical solution, or market conditions or competitor capability. The probability of this type of risk is 100% (the fact that we do not fully understand the requirement is certain), but the degree to which this might matter is uncertain.
4. Lastly, we have blind-spots (so-called “ontological uncertainty”), sometimes also called Black Swans or emergent risks. These are risks which we are unable to see because they are outside our experience or mindset. We can be certain that such risks exist even though we cannot describe them, so their probability is 100%. The uncertainty lies in the effect that these risks might have if they occur.
Each of these four types of uncertainty could affect our ability to achieve our objectives, so they are “uncertainties that matter” or risks, and they need to be managed. But only future possible events have a probability less than 100% (Type 1 above), and if they occur then their impact is certain. Non-event risks (Types 2, 3 and 4) have 100% probability, and the uncertainty lies on the impact side.
It is important to note that 100%-probability-risks are not the same as issues, which also have 100% probability. The difference is that an issue also has a certain impact on our objectives, whereas risk always involves some aspect of uncertainty.
So it is possible to have a risk where the probability is 100%. This has implications for the risk process of course, which needs to be able to address all types of risk. For example techniques like the Probability-Impact Matrix cannot be used to prioritise these risks, and we may also need new types of risk response strategy to deal with them.
We still have some work to do if we want risk management to address all types of risk!
© Copyright April 2014, David Hillson/The Risk Doctor Partnership