Knowns and Unknowns – The Core of Risk Management
By Leslie White
Risk management is one of those nebulous terms that we all interpret personally. Some think it is a complex, time-consuming process that is only helpful to larger organizations. Others believe it is impractical and/or not worth the effort. You may think it’s valuable but have no idea how to apply its practices and principles to your daily operations. Finally a few have incorporated risk management into their organizational culture and use its concepts daily.
Risk management is simply what you do to prepare for the unexpected. No matter where you are on this continuum, risk management is a part of your daily life if you wear your seatbelt, lock your doors, use passwords or do other everyday tasks. You don’t know if you any of these events are going to occur but you are prepared. The same principle applies to your association.
But how do you prepare for the unexpected – it’s unexpected? Donald Rumsfeld’s “Unknown unknowns” speech offers an explanation:
Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.
Rumsfeld went on to say, “The absence of evidence is not evidence of absence, or vice versa.” He expanded on this in a speech at NATO Headquarters in June 2002:
There’s another way to phrase that and that is that the absence of evidence is not evidence of absence. It is basically saying the same thing in a different way. Simply because you do not have evidence that something exists does not mean that you have evidence that it doesn’t exist. And yet almost always, when we make our threat assessments, when we look at the world, we end up basing it on the first two pieces of that puzzle, rather than all three.
- People minimize the need for risk management by the absence of evidence (nothing bad has happened yet). However that doesn’t mean it won’t happen (not evidence of absence). Your association may not yet have had a fire, an auto accident, a social media nightmare, a disruption to your annual meeting or the sudden loss of a key person but that doesn’t mean it can’t happen.
For associations, the “unknown unknowns” are a serious threat because you don’t plan for the unknown event. There will always be “unknown unknowns,” new risks arise, but other people are familiar with these unknowns. A formal or structured risk assessment can help you uncover some of the “unknown unknowns” and plan accordingly.
The foundation of a risk management program is a risk assessment (where you identify and analyze the risks). Through the process you decide if the risks are manageable or significant enough to change your plans. You may decide that your association is not ready to develop that new service until you gather the knowledge and resources needed to do it correctly.
Risk management is not only concerned about “unknown unknowns” but also the other two types of “knowns.” Among the “known knowns” which ones have you addressed? Is your business continuity plan current? Have you assessed and managed the risks associated with volunteers, people driving their cars on your behalf, or employee theft? Employment-related incidents still plaque associations, so what’s the condition of your employee handbook and supervisory training?
“Known unknowns” often cloud our decision-making. Social media terrified many associations because it was a big unknown. Some associations decided to identify, analyze and manage the risks while others just stayed away or prohibited its employees from participating. My assessment of social media risks determined it was manageable and the greatest business risk was to not participate in social media.
You can only be ready to respond to outcomes (good or bad) of a potential event if you have identified what could go wrong (or right) and what you are going to do to try to prevent or respond to the event.
Leslie White is a Risk Management Consultant at Croydon Consulting. You can read more from Leslie on his blog.