The term “risk” if often used rather liberally differently across different contexts. Strictly speaking there is no universal scientific definition for risk. In the colloquial context “risk” has been taken to signify of the possibility of an event considered as undesirable, which may (or may not) occur, for instance a traffic accident, sports injury or taking a bad fall on icy streets. In other words, it is that ever slight possibility that something will go wrong or something bad will happen. Anything and everything we do involves some degree of risk. Risk management is immensely popular and an enormous industry because such undesirable events involve tragedy and cost and hence, we want to avoid or minimise the possibility and impact of such eventuality. Perhaps even more importantly, if we seek to manage risk properly, it can pay off generously as investments made into mitigating risk can be sometimes significantly lower than the value of risk (impact). Moreover, if this is not the case, we take our chances or try to get somebody else to carry the risk. Consequently, when we are made aware of a “risk” we should probably do something about it. This notion is reflected in the international standards of risk management. The ISO 31000 (2018), for instance, defines risk as “effect of uncertainty on objective”, clarifying that “effect” should be understood as “a deviation from the expected”, whether this is positive, negative or both, in any level of objective relevant in the context (ISO 3001). The discipline of Risk Management consequently essentially aims to mitigate or manage the impact of undesired events by measuring the probability and impact of known risks, based on our knowledge on the occurrence of similar events, and then identify measures to mitigate (reduce), manage (limit) or transfer (principally to insurance) the risk.
Following this logic, we should have been better prepared against the Covid-19 pandemic. We knew that a pandemic was an eventuality, in other words - it was a known risk. Hence, it should have been justifiable to invest in better preparedness. As Nassim Nicholas Taleb has pointed out, by investing billions before or earlier in the crisis, we could have saved trillions. Even more importantly, we would have probably spared a vast number of unnecessary deaths. The question remains – why did we not do so?
This is where the concept of “uncertainty” enters the equation. The term” uncertainty” is, in a similar manner to “risk”, often rather vaguely defined in colloquial context. Most frequently “uncertainty” simply either refers to the limits of our knowledge in regard to the possibility of sudden and unexpected (undesired) events – such as the so called ’black swans’ or ‘unknown unknowns’. The term is also commonly used in the context of uncertainty of measurement in many fields, including statistical approaches to risk management. In relation to risk management, “uncertainty” has been referred to events with ”unknown outcomes with unknow probability law” (Phillips 2020:39). Frank Knight, one of the prolific theorists of risk, distinguished the differences between “risk” and “uncertainty” in his seminal book Risk, Uncertainty and Profit, by arguing that whilst ”risk” is observable and measurable, “uncertainty” operates in the limits of our knowledge, making assigning probabilities impossible. The term “risk” can thus be said to refer to situations where probability and impact of an undesirable event can be determined, because the possible outcomes can be identified, and the past frequency of their occurrence can be determined through observations of past events. Hence, following Knight’s thesis, “uncertainty”, suggests that possible outcomes are not known to us, or that decision-makers do not hold adequate knowledge or experience concerning the situation, in order to assign probabilities for the possible outcomes or to understand their possible impacts. This in turn leads to the inability to determine the appropriate response based on rational calculations, as well as making decisions following the standard risk management process to either accept, mitigate or transfer the risk. This shortcoming of probabilistic risk management is one of the many reasons behind the failure to respond to Covid-19 effectively and in time – it simply is not effective in dealing with risks that are low probability but have potentially so high impact that they would require enormous investment for mitigation. Such “once in a century” risks are so rare and infrequent that political decision-makers seeking short term gains simply do not have incentives to address them properly. Moreover, the longer the time horizon we are trying to address, the more dominant uncertainty and thus, the higher the risk of policy failure.
What is the key take-away then? We have established that ”risk” and “uncertainty” are not the same, albeit they are related and connected. I would argue that we need to address both in order to avoid future failures in preparing against major disasters and crises. For strategic risk management such a holistic capability helps defining what you can manage (or mitigate) and what you cannot. However, in addition to accounting for “uncertainty” we need to be aware of different levels of uncertainty in order to account for threats such as a pandemic. The next instalment of this blog series will address the concept of “deep uncertainty” and how it relates to “black swans” and “wicked problems”.