Practical benefits of defining risk and uncertainty. Part 2.

This article contains further arguments for properly defining risk and uncertainty, following on from the first part, "Practical benefits of defining risk and uncertainty. Part 1." https://www.dhirubhai.net/pulse/practical-benefits-defining-risk-uncertainty-part-1-slawomir/ which I recommend reading before this one. This article also responds to the second challenging statement formulated by Alexei Sidorenko, CRMP, while commenting on my other article "Define or not define risk - is this the right question?"

Alexei's second statement was:

2. It is nonsense in saying that definition of risk helps us understand the nature of risk. Proper risk analysis helps us understand the nature of risk.

Again, I strongly disagree. I never said that "definition of risk helps us understand the nature of risk". What I said was that it is necessary to observe the phenomenon first, the interactions in the real world, in order to build a respective analogical theory model, and then to agree naming conventions with reference to the identified relations and interactions it describes within a specified scope. Properly defining risk is about clarity of scope, clarity of generality level, and enabling repetition of an experiment or research which somebody else did. If you are against it, you contradict yourself on key aspects of what you are doing on your blog, in debates, trainings and posts, and you contradict current scientific methodology ;-). You cannot be a follower of clarity or debiasing of perception and simultaneously be against proper defining.

To clarify, a definition of risk should enable us to understand which attributes or features of each risk differentiate it from… non-risk, and differentiate risk from uncertainty (if this makes sense), regardless of the industry, organization, purpose considered or subject matter domain. A different thing is the nature of specific risks, which result from the selection of specific available alternatives while making a decision. It makes sense to explore what can be hidden under risks and rewards (analogically, also under uncertainties and rewards) as attributes of an available alternative.

Here important questions arise and it is not easy to answer them using common sense only:

1) Does risk or uncertainty exist in connection with a decision not only while making the decision but also after making it and during its preparation?

2) Does risk or uncertainty exist regardless of whether a decision is being made or not?

It is not possible to answer those questions without defining risk, uncertainty and decision with reference to observation of the phenomenon, as in physics. Alternatively, we could identify incoherencies or contradictions between the assumptions of a specific concept, theory, hypothesis or definition.

Summing up, you have to differentiate the attributes of each risk (generality/detail level 1), regardless of its specifics (credit, market, liquidity, strategic, etc.) or industry (energy, logistics, mining), from the attributes of specific risks belonging to the specific situation/circumstances under which decisions are made (generality/detail level 2) in the given industry and in the specific domain of risk related to liquidity, credit credibility, operational capability, competitive advantage, etc. Tell me why the term credit risk is used, but we do not so often hear about credit uncertainty, while on the other hand we hear about both strategic risk and strategic uncertainty. Intuitively we feel the difference, but we are not able to describe it sensibly.

Example:

Generality/detail level 1: fruits (which have their own nature, different from, for example, vegetables). Somebody observed that it made sense to differentiate fruits from vegetables, fauna from flora. We finally have to do the same with observations regarding what might fall under risk and uncertainty, observing the context in which they are used (as a noun, indicating the state or condition, and as a verb, indicating specific types of activities and specific types of decision making). If we can find reasonable, practically beneficial reasons to differentiate them, then we should do it and use it coherently and constantly. I will come back to this later.

Generality/detail level 2: risk specifics, differentiated based on the specific structural combination of cause-and-effect, causal chains and the uniqueness of feedback loops, and differentiated per effect or impact type and cause type, which are inherently related to the alternative being considered when selecting the best alternative - optimal decision making. Analogically, this is how the differentiation between various fruits is identified: apples, pears, plums and pineapples have their specific relations (structure) - we differentiate them because they differ in taste, shape and color - so it would be a big mess if we did not. In the same way, risk or uncertainty as an alternative's attribute related to a decision on choosing railway transport differs in specifics (structure, relations) from that related to a decision on choosing road or aviation transport. Transport-related risk or uncertainty can then be treated (if it is justified by the purpose of the analysis) as a set covering all of them. How then, without defining the scope and the criteria differentiating risk from non-risk, risk from uncertainty, or uncertainty from certainty - on generality level 1 - can you be sure that you are really analysing risks on generality/detail level 2? ;-) Summing up the current situation: without properly differentiating risk from uncertainty and without proper defining, we still mix apples with pears, or say that we would like orange juice while we mean tomato juice ;-). It's high time to cut this Gordian Knot regarding the scope of risk and uncertainty management and to identify whether they need the same or different methods. There are some real-life cases that justify doing so.

And we could go into further generality/detail levels n, depending on what goal we are going to achieve - what the purpose of our analysis is. But we have to be clever so as not to go into too much detail - as somebody may call us paranoid or insane ;-) And here let's park at the word "paranoid" and also think about some key questions before we finally start to deal with definitions:

1) Are there any practical benefits coming from differentiation of risk and uncertainty as conditions under which decisions are made?

2) Are there any practical benefits coming from differentiation of risk and uncertainty as attributes of the available alternatives being selected during decision making?

3) What is the scope of interactions and relations which it would be worth naming as risk or as uncertainty in order to provide better clarity and scope?

4) Why do we need to understand the nature of risk or uncertainty as attribute of each alternative from which we select the best one during decision making?

Let's simulate the problem in the following way, in the form of a zero-hypothesis and an alternative one:

1) Zero-Hypothesis: If there is a real and significant difference between risk and uncertainty as conditions under which decisions are made, then [most probably] it would require different methods to cope with it in order to provide an optimal alternative and decision, or perhaps different decision optimisation criteria.

2) Alternative Hypothesis: If the difference between risk and uncertainty is only semantic, or is virtual and not important, then regardless of risk or uncertainty conditions we could use the same methods to cope with it, with no impact on providing an optimal alternative and decision.

The silent assumption of the above hypothetical statements is that both risk and uncertainty are components/elements of the conditions (state) in which decisions are made and of the activities resulting from them.

Let's explore them using some of the hottest topics ;-) Allusion intended ;-)

"Risk is just 4 letter word" - use instead "what can happen"

This is a typical non-systemic kind of statement, showing how not to structure a problem - you could think and think, but when do you know that you have exhausted all the possibilities of what might happen? This could be free blogger advice, as it costs nothing and is worth almost nothing - if it were worth something, the know-how would not be disclosed for free. It is sometimes called the illusion of advice or of providing worthy information ;-) even if given for the sake of simplicity or out of good will ;-). "What can/might happen" is more related to uncertainty than to risk, provided we agree that risk relates only to potential (or the possibility of) unwanted or undesired outcomes, and that the scope of uncertainty covers both wanted and unwanted outcomes, as Doug Hubbard proposed in his book "The Failure of Risk Management: Why It's Broken and How to Fix It", which for me is in line both with common language and, as you can see below, with the risk treatment options in ISO 31000 itself when critically compared.

Which of the risks and rewards (if they exist - remember that some games are minus-sum games ;-)) related to a specific choice of activity may happen, and under what conditions? What can happen if I make a specific decision? What can happen while pursuing objectives? Such a formulation forces us to operate on a possibility set, or at least a "space" of various events or their outcomes which may happen in such a space. The point is that "what can happen" is not a risk-related question; it is an uncertainty-related question. Of course I assume here that risk is related to the possibility set which I do not desire but which I accept or must tolerate because I am pursuing specific objectives and this possibility set is inherently related to them.

Proper methods should determine the optimal granularity level for the given problem and its purpose, and can tell how many types of things can happen - based on the specific formulation of the model. The real value here is in controlling the possibility set. If a risk manager cannot consciously control the possibility set, he may certainly omit an important possibility, or at least he cannot be sure whether the ones he has chosen are complete - so any unstructured "advice" on "what may happen" provides no value if left as simple as that.

The same challenge applies to any method. Example: "How do you assure that the factors you analysed in sensitivity analysis and displayed as a tornado diagram and in MC are complete, or at least follow the Pareto rule? What about couplings and feedbacks? How do you know that you have included all the important ones, and which of them may soon appear more important than now?"

How does it relate to defining risk and uncertainty? Very simply - I like simplicity too:

Risk - a condition or state where you are aware of/know the complete undesired possibility set related to the selection of the desired choice, and you predict or simulate scenarios within the complete possibility set.

Uncertainty - a condition or state where you are not aware of/do not know the complete undesired possibility set related to the selection of the desired choice, and hence you predict or simulate scenarios on an incomplete possibility set.

Would you use the same methods for both conditions of risk and uncertainty so defined? This is of course only one of the examples of what can be hidden under risk and uncertainty.

Risk is neutral not bad, so uncertainty is... also neutral, bad or good or the ugly...?

Risk "neutrality" in ISO 31000. I already commented on it in one of the LinkedIn discussion threads: https://www.dhirubhai.net/groups/1834592/1834592-6402236086986248195

This is the key risk-defining problem and methodological mistake of ISO 31000, and it is visible to a careful observer and an analytical mind.

From the definition "the effect of uncertainty on objectives" it does not follow, and one cannot conclude, whether risk is neutral, bad or good. It is simple. The definition itself says nothing about it. This is due to not defining the character of "uncertainty". So if anyone says, based on the above definition, that risk is neutral, he or she is confabulating and says it independently of the definition. I could similarly say that risk is colourful or black-or-white ;-). As for the notes... well, we have to determine whether they are part of the definition or only explanations. If only explanations, then again the explanation is independent of the definition. If the notes are definitions, they should be part of the definition.

There are several uncertainty frameworks and concepts [more on them in Part 3 soon] which risk managers seem to forget totally, and that is why there is no progress with the ISO 31000 risk definition. One cannot keep using the current way and expect different results.

In one of the approaches, uncertainty has been called "an unintelligible expression without a straightforward description". It describes a situation involving ambiguous and/or unknown information. In that context, the ISO 31000 standard, which aspires to reduce uncertainty, generates it with an unclear definition (scope).

How does the understanding of risk influence tools? If you perceive uncertainty only as a deficiency of information, then you will tend to think that the generic way to eliminate uncertainty is to reduce that deficiency - that is, to gain information.

Any other activities you perform (aware or not) will not be related to uncertainty reduction. If you include ambiguity in your definition of uncertainty, then you automatically extend your ways of looking into problems to how to provide clarity and eliminate ambiguity (for example by considering cognitive biases, calibrating probabilities, etc.). Clarity should be in the mind of the decision maker and in the analysis provided. Based on that, we can conclude that information gathering does not necessarily lead to a reduction of uncertainty but may generate… ambiguity ;-) That gives automatic conclusions: not all reduction of uncertainty leads to clarity, not all information gathering leads to clarity (the illusion of reducing uncertainty while gathering information), and not all information gathering leads to certainty. Do you get it now? See how uncertainty was defined in ISO 31000:2009 - mainly as deficiency of information ;-) I already highlighted it twice: in 2012 during the ISO/TC 262 meeting in London, and while reviewing ISO 31000 in 2017 via comments through the Polish Committee for Standardisation.

ISO 31000:2009 version of the risk definition - in my opinion, from the beginning, with insufficient clarification of uncertainty (ignoring various domains which had already dealt with defining uncertainty):

risk: effect of uncertainty on objectives. NOTE 1 An effect is a deviation from the expected — positive and/or negative. NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these. NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence. NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood. [ISO Guide 73:2009, definition 1.1]

The key is - an expression such as the bolded and underlined "deficiency related to understanding" is too little and not a complete expression of the problem - ambiguity and overabundance of information (as in the case of expert-related bias ;-)) may also lead to uncertainty.

ISO 31000:2018 version of the risk definition - no mention of uncertainty (?!), the central word of this standard; is this really so minor a thing that the scope need not be mentioned and clarified? Risk - effect of uncertainty on objectives. Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both. An effect can arise as a result of a response, or failure to respond, to an opportunity or to a threat related to objectives. Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels. Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7). [SOURCE: ISO Guide 73:2009, 1.1, modified — The original five Notes to entry have been modified and combined into three Notes to entry].

More dangerous, if you do not properly differentiate risk, uncertainty and decision, is that you unconsciously start using risk assessment methods to deal with uncertainty, or start using them for all possible decisions ;-) It is like using a hammer for all decisions, or even for specific decision types, i.e. for fixing anything. ;-) So do not let your enthusiasm for Monte Carlo simulations or real options mislead you about how people should make informed or intelligent decisions (with risk or uncertainty in mind or not), or how decisions should optimally be made - there is feedback here: the goal influences the method, but the method may influence the goal too. Example: when you look at acrobats, are you able to identify and count how many decisions they make during the show at the circus? Or do you think the only decision is whether to start the show or not on a specific day? ;-) Do you know how many decisions are made during police shotgun or during crisis situations? Are you still of the opinion that there is no need to define the decision and its conditions, like risk and uncertainty? Should we aggregate subdecisions made within a short time of each other (like microseconds, nanoseconds) within a specific time period into one big decision? That is why I say: define the scope to know where you should stop with some methods.

Moreover, if we compare the "effect of uncertainty on objectives" definition with the 7 risk treatment options, a whole contradiction emerges:

1) Avoid risk - if risk is neutral, why would you want to avoid it? This clearly indicates that risk is an undesired space, or possibility set, whose existence is not accepted, or that somebody mixed things up (reduced risk to threat - I have written about it in Part 1 of this article). Therefore it should rather be said: avoid threats/hazards and provoke opportunities. If you do not want to start or continue an activity, that means it is unwanted. It cannot be neutral to you, because then you would not avoid it but be indifferent to it - I do not mind if this happens or not, I do not care, it has little or no impact on me. This is mixing risk with its elements, which are consequences.

2) Take more risk, increase risk in order to pursue an opportunity. Here we have the silent, implicit assumption that pursuing an opportunity is integrally related to an increase of risk. What about the option of not increasing risk while taking an opportunity? Isn't it real? Again, this suggests that risk is not neutral but rather bad; otherwise increasing neutrality does not make sense, as it is already indifferent. Increasing the probability of an unwanted event, provided that we increase the probability of more benefits than by taking lower risk, again shows that risk cannot be neutral and is bad or unwanted.

3) Remove risk source - well, I could also understand this as removing or cancelling the decision ;-) If, according to ISO 31000, risk arises or emerges when a decision is made, then the decision is the source of risk ;-). Of course two things are mixed here: elimination of a threat/hazard, and elimination of a vulnerability/gap/weakness or deficiency of an asset. And again, on the meta-level, removing risk means that you do not want it - so it is not desirable, or bad.

4) Change (increase or lower) the probability (of what? risk or its causes ;-)) - this is a big umbrella under which we may put the options already listed above. Avoiding, eliminating or increasing risk is changing the probability of a threat/hazard or eliminating a vulnerability, and then changing the probability of impact on objectives, or the probability of a threat if we are preventing threats. It says nothing about risk being neutral, bad or good.

5) Changing consequences - consequences have a rather negative association or context, so again this shows that risk is related to unwanted consequences. Better would be: changing impact (then it is more about uncertainty). As such it would say nothing about the nature of risk unless you clarify that you mean negative consequences. Analogically: changing benefits, rewards.

6) Sharing risk - suggests rather sharing unwanted consequences. Sharing wanted consequences is not included in the risk treatment options - it should be benefits sharing (by licenses, alliances, franchise, etc.).

7) Retain risk - accept potential negative consequences. Conversely, what would happen if I retained a benefit or accepted the status quo - accepting potential loss or accepting potential benefits without further influencing them? Such options now become clearer: they could not include positives, as we cannot hide the possibility of loss and gain simultaneously under retaining risk. All of that shows that, judging from the risk treatment options, any neutrality becomes an illusion and an unfulfilled aspiration. ;-)

So the risk treatment options also do not confirm at all that the ISO 31000 definition of risk is neutral - in fact there is a contradiction between this definition and risk treatment, so we can conclude that key parts of ISO 31000 are not coherent, not to mention analysis. If risk is neutral, then risk analysis is not necessary: why waste time on risk analysis if it is neutral for me or my objectives? And the name itself is not coherent with the definition - it should also be uncertainty analysis, or risk and rewards analysis, if it aspires to go beyond "bad things might happen".

Analysis types are also related to the following combinations:

1) known outcomes, known probabilities - sometimes called statistical uncertainty,

2) known outcomes, unknown probabilities - sometimes called scenario uncertainty,

3) unknown outcomes, unknown probabilities - sometimes called identified ignorance,

4) unknown outcomes, known probabilities.

If we kept thinking of uncertainty only in terms of deficiency of information, we would omit the following combinations:

1) clearly defined uncertainty: clear outcomes, clear probabilities

2) not clearly defined uncertainty: clear outcomes, ambiguous probabilities

3) not clearly defined uncertainty: ambiguous outcomes, clear probabilities of events causing those outcomes

4) totally ambiguous, not clear uncertainty: ambiguous outcomes, ambiguous probabilities.

So it goes far beyond Rumsfeld's known unknowns, etc. Several combinations result from the above, and some of them we could call risk and some uncertainty. It is now up to us as professionals to agree where the borderline between risk and uncertainty lies.

Risk or uncertainty happening or not happening

When I started a discussion on fundamental concepts with Grant Purdy in 2012 in ISO/TC 262 in London, while elaborating the ISO 31004 Guidance, one thing intrigued me: Grant said literally - "risk cannot happen or materialise". For me it was counterintuitive at first sight, but later I reminded myself about probability space. And that's it! He was right. This is the moment when our common language is not a good reference, as we still very often say "risk has materialised or occurred". Risk may "occur" if we make a selection with which a certain risk space, spectrum of risk or possibility set of something happening is inherently connected. Therefore, in this context, "risk" is the meta-level for its components, like threats/hazards, which materialise, causing events and impact on objectives within that risk space.

Risk versus happening - is risk happening, materialising? No: if risk is treated as a set, then it is its components, like threats or hazards exploiting a vulnerability, that happen, becoming incidents or causing a crisis within the risk space related to a specific alternative. This risk space is in fact the unwanted possibility set.

The current misunderstandings in any discussion on risks, and the impossibility of agreeing what risk is, result from mixing and incoherently switching between the meta-level (set/system level - uncertainty/risk) and its elements/components (threats/hazards, strengths and weaknesses (vulnerabilities) of an asset, events/incidents, impacts, etc.).

Managing risk as negatives only and managing risk in the context of benefits.

Another misunderstanding resides in mixing up what management is with what is concentration only on influencing bad things not to happen while pursuing and causing good things to happen.

In ISO 31000 there was an unsuccessful attempt to spread this umbrella of risk management (managing potential bad things happening related to a specific choice) over the whole of management, or steering/control in the meaning taken from cybernetics.

As we already indicated, the risk treatment options point rather to risk being an unwanted potentiality of loss or of an event having an undesired impact on objectives, so it makes no sense to extend it over the whole of management/steering/control, which is management as a whole.

Summing up, even without recalling any empirical evidence, but by exploring the implications of the non-coherent components of ISO 31000, it is clearly seen that it generates information noise regarding the nature (attributes/features) of risk and uncertainty. This is all due to the lack of an agreed scope of risk and uncertainty.

More on that in Part 3 of this article, which will appear soon.

Summing up, Alexei, so far you have been unable to question any of the arguments I provided; on the contrary, I have twice indicated your imprecise communication (in Part 1). The first regarded "risk management is decision making tool" - how can a condition under which decisions are made be a tool? The second was the strange manner of avoiding use of the term risk - which was not true when compared to what Carl Spetzler et consortes did. There is no need to be afraid to use the words risk and uncertainty while communicating to boards, provided you know what their scope is and the difference between them - when you know what you are talking about. In this article, as Part 2 of cutting the Gordian Knot, I drafted at least possibilities or criteria (probabilities and outcomes known/unknown, or probabilities/outcomes clear/unclear) to consider for differentiating risk from uncertainty. Of course there may be other criteria too - if we examine the relation to common language. For example, uncertainty is where you have a uniform distribution - two or more strategic options are equally probable - or where you are at a Strategic Inflection Point as described by Andy S. Grove (former CEO of Intel) in "Only the Paranoid Survive", in fact relating to a crisis situation to some extent. It's your turn now. I am still going to answer your third question - soon.

Dharmendra Dhatrak

Business Analyst | Fellow@Jobaaj learning- Investment banking program | CSPO CBAP CSM BFSI |Fellow @SPJIMR-Fintech-Payments Lending Reconciliation AI Block Chain |Summer Analyst Intern of ProCapitas.

6 years ago

.aaaoj

Dame Inga Beale

Portfolio director. Motivational speaker. Experienced CEO.

6 years ago

Thanks for some interesting food for thought. Insurance is a great way to help build resilience and along with that help people/businesses mitigate risks.

Hans Læssøe

Take chances - intelligently

6 years ago

To me - and I like to keep things simple - the concepts of risk and uncertainty are different. An uncertainty will always materialise, but the outcome is unknown within some range/distribution. Hence, you should look for the outcome distribution and the concept of likelihood is irrelevant. A risk may - or may not happen. If it does happen, it may have a range/distribution of outcomes. Here you need to look for the distribution of outcomes, which most often is heavily skewed with a higher probability of a lower outcome/effect, and a lower probability of a higher effect. Having that - you ALSO need to consider the likelihood that it will not happen at all, and hence have a zero effect. Beyond that - I agree - understanding the (nature of) risk/uncertainty, including those related to human biases in decision making, is a valuable tool for good decision making, and one which is too rarely applied.

Alain Hocquet

Retired and enjoying the freedom to pursue personal interests

6 years ago

Read Frank Knight's "Risk, uncertainty and profit". Available free on the Web.

Temitope Apanisile, PhD

Complex Systems Analyst | Providing decision-makers with timely insights to maximize gains & minimize losses| Antifragility Analytics | Research & Ratings | Business Outcomes

6 years ago

Well, risk management is the general form of problem-solving. Sometimes, ill-definition can be a great problem :))) So, interestingly, IMO.. Risk is the uncertain effect upon desired performance. In effect, the whole process of risk management is control, not just the treatment. This is the great divide between true risk managers and auditors & the latter should kindly respect this :))))
