"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."
John Kay (www.johnkay.com) uses this Donald Rumsfeld quote in his article "Beware the fruitless search for 'sharp prediction'" (Financial Times Oct 17th 2007) to draw a qualitative distinction between two classes of risk.
The first class of risk relates to events we can foresee. For these events we can forecast probability, impact and timing of the event occurring. This analysis helps us assess the costs and benefits of alternatives for managing the risk. This forms the bedrock for most risk analysis undertaken by organisations today.
The second class of risk, by its very nature, tends to be unmanaged. If we can't envisage an event, we can't articulate what the risk is that we face. If we cannot quantify the probability, impact and timing of an event occurring then how can we do the analysis required to develop effective strategies for managing the risk?
In the article, it is argued that the probability, timing and impact of this second class of event are uncertain. In other word we cannot predict them with any certainty. However, by analysing trends, it is argued, we can set some bounds to these factors. For example, we may not be able to predict precisely what the exchange rate will be in two years time, but, we can look to purchasing power and capital flows for guidance.
To us, though, this argument is sidestepping the issue of 'unknown unknowns'. All that has been done is to convert exchange rate risk into an example of the first class of risk - a known unknown. This still leaves us at the mercy of the unforeseen event that cannot be revealed by historic or trend analysis.
The events that led to the demise of Arthur Andersen or to the collapse of Bearings Bank are perhaps better examples of unknown unknowns.
However, even where an event cannot be foreseen, we believe there are ways to manage the resultant risk. This comes from knowing our vulnerabilities, something that we should be able to gain a reasonable understanding of and which we can analyse.
Arguably Arthur Andersen should have had a good understanding of the catastrophic impact that a loss of its reputation for integrity would have on its business. The fact that they could not foresee the precise cause has little relevance for managing this risk. What is required is a system of checks and balances that make any such event impossible, or at least limits its impact to a level that is less than catastrophic. Similar arguments can be made for managing the risk of a Nick Leason being able to damage Barings in the way that he did.
As well as traditional scenario analyses, our approach to risk management uses vulnerability analysis to identify and prioritise areas where we need to apply risk management. We'd be very interested to hear of your experiences and views (Directors@Aoxomoxoa).
©Aoxomoxoa Limited 2007