When you look at how risks are identified you see terms like inherent and residual or impact and likelihood but you rarely see the explicit use of the concept of uncertainty. Inherent and residual risk, for example, refer to the raw risk before controls and the left over risk after controls are put in place (definitions courtesy of Wikipedia). Impact and likelihood are applied to either one of these. We apply it to the residual risk component when we build risk programs and, to be honest, somewhat ignore the inherent risk concept.
For the last little bit we have been applying an uncertainty component to the rating of risk activities (we call them Key Risk Activities or KRA’s). While not an explicitly weighting the component yet, judging the level of uncertainty associated with an activity gives a much stronger view of the risk associated with the activity in question. It is, like many risk scales, a subjective value and is determined by examining experience, issues and the state of the economy along with other hard and soft information. This analysis has its roots in many areas, Value at Risk (VaR) being one that explicitly calculates the level of confidence (the opposite view of uncertainty) for investments and other areas where quantitative data is available for measurement purposes.
Let’s take as an example using the offering of a new service, which others are offering in the market but you have never offered. And we are going to assume you are going through a logical process before you launch the service. You have analyzed the market, found a software provider, established the procedures and laid out the plan to have a million users by the end of year one. You’ve done the math to calculate the likely profit and audit has assessed the inherent and residual risks associated with the service. Controls are in place, capital is allocated, and now you are ready to go. So how certain are you that you have identified all of the material risks and everything is going to go smoothly.
Our human psyche tells us we are going to be successful. We want to have a value or measure that provides a clear indication of what our level of risk is. But we have never offered this service or if we did we did it at a different organization with different levels of experience both internally and with customers. We should have identified a high level of uncertainty with what we are about to do. And in turn we should be prepared to react when things go wrong.
What is the best way to deal with the uncertainty component? I am a big fan of the use of Scenario Analysis for addressing uncertainty. Scenario Analysis provides the opportunity to draw upon various people in order to identify the downside events and reduce the uncertainty component. In many areas we do this informally with the use of committees where the discussion includes uncertainty. But for other key areas we often charge forward without considering uncertainty. The recent email hacking epidemic is a prime example of where there is a disconnect between the user and the behind the scenes folks.
There are four key pieces to risk management; materiality, impact, likelihood and uncertainty. My experience has been that using these four as basic guides in determining risk provides a stronger base for survival for when the “bad day” occurs and you have to take action.