Why Risk Assessments Should Begin with Uncertainty

- Sep 19
By Raimund Laqua, Founder of Lean Compliance

Walk into most organizations today, and you'll find risk management teams armed with comprehensive checklists, detailed taxonomies, and colour-coded matrices that promise to capture every conceivable threat. These frameworks are seductive in their apparent completeness—neat categories for operational risks, financial risks, strategic risks, compliance risks. Everything has its place, and every place has its thing.
But here's what I've learned after years of working with organizations on their risk frameworks: these traditional risk assessments are treating symptoms, not the disease.
The Symptom vs. The Disease
Think of risk assessments as medical diagnoses. When a patient presents with a fever, a competent doctor doesn't simply prescribe aspirin and call it a day. The fever is a symptom—an indicator of something deeper that requires attention. The fever might signal anything from a minor infection to something far more serious. To provide effective treatment, you must identify and address the underlying cause.
Traditional risk assessments operate like symptom-focused medicine. They catalogue the visible manifestations of risk—the potential for data breaches, supply chain disruptions, regulatory violations, market volatility. These are indeed risks worth considering, but they are symptoms of a more fundamental condition: uncertainty.
Uncertainty is the root pathogen in the risk ecosystem. It's the fertile ground from which all risks grow. And just as effective medicine requires understanding the pathogen before prescribing treatment, effective risk management demands that we first understand and contend with uncertainty in all its forms.
The Anatomy of Uncertainty
Uncertainty isn't monolithic. It comes in distinct varieties, each requiring different approaches and interventions. Understanding these differences is crucial to developing effective risk strategies.
Aleatory uncertainty represents the inherent randomness in systems—the fundamental unpredictability that exists even when we have complete information about a process. Think of rolling dice or the precise timing of radioactive decay. No amount of analysis will eliminate this uncertainty because randomness is built into the fabric of the system itself.
Epistemic uncertainty, by contrast, stems from our lack of knowledge or understanding. This is the uncertainty that exists because we don't know enough about the system, haven't collected sufficient data, or lack the models to make accurate predictions. Unlike aleatory uncertainty, epistemic uncertainty can potentially be reduced through research, data collection, and improved understanding.
But the uncertainty landscape extends beyond even these well-established categories. There's model uncertainty—the risk that our fundamental assumptions about how systems work are flawed. There's ambiguity uncertainty—situations where even the nature of the problem itself is unclear. And there's emergent uncertainty—the unpredictability that arises from complex interactions between multiple systems and stakeholders.
The Strategic Response to Uncertainty
Once we recognize uncertainty as the source rather than just another item on our risk checklist, our strategic options become clearer and more nuanced. Different types of uncertainty demand different responses, and understanding this matching is where sophisticated risk management begins.
Some uncertainties demand isolation. When facing massive, systemic uncertainties that could fundamentally threaten an organization's existence, the wisest course may be complete avoidance. These are the uncertainties so vast and potentially catastrophic that no amount of mitigation can adequately prepare you for their impact. Think of a small technology company choosing not to enter markets dominated by nation-state actors, or a regional bank avoiding exposure to global derivatives markets. Sometimes the best risk management is recognizing when not to play the game at all.
Some uncertainties require cushioning. These are the uncertainties that create inevitable risks—situations where negative outcomes will occasionally occur, but where the timing and magnitude remain unpredictable. Here, the strategy isn't prevention but resilience. You build buffers, create redundancies, establish reserves, and develop rapid response capabilities. A manufacturing company that maintains diverse supplier relationships isn't eliminating supply chain uncertainty—they're cushioning themselves against its inevitable manifestations.
Some uncertainties can be actively reduced. This is where traditional risk mitigation shines, but only when applied with precision. When uncertainty stems from lack of knowledge or inadequate processes, you can invest in research, data collection, training, and system improvements. When uncertainty arises from insufficient controls, you can implement monitoring and governance mechanisms. The key insight is recognizing which uncertainties are genuinely reducible and focusing your mitigation efforts there.
Most uncertainties require mixed strategies. The real world rarely offers pure cases. Most significant uncertainties contain elements that can be reduced, aspects that require cushioning, and components that might necessitate partial isolation. Sophisticated risk management involves decomposing complex uncertainties into their constituent parts and applying the appropriate strategy to each component.
Transforming Risk Assessment Practice
In my work developing lean approaches to compliance and risk management, I've seen how this uncertainty-first approach fundamentally changes how we conduct risk assessments. Instead of beginning with predetermined risk categories, we start by systematically identifying and characterizing the uncertainties that pervade our environment. Instead of immediately jumping to mitigation strategies, we first classify uncertainties by type and reducibility.
The questions change too. Rather than asking "What risks do we face?" we begin with "What don't we know, and what can't we predict?" Rather than "How likely is this risk?" we ask "What type of uncertainty creates this risk, and what does that tell us about our strategic options?"
This shift in perspective often reveals blind spots in traditional assessments. It highlights uncertainties that don't fit neatly into conventional risk categories. It exposes assumptions we didn't realize we were making. And it opens up strategic options that symptom-focused approaches might overlook.
The Path Forward
Through years of consulting with organizations struggling with traditional risk frameworks, I've found that improving risk assessment isn't about abandoning existing frameworks entirely—many traditional tools remain valuable for specific purposes. Instead, it's about establishing uncertainty analysis as the foundation upon which all other risk activities build.
This means developing organizational capabilities to identify uncertainties systematically, classify them accurately, and match them with appropriate strategies. It means training teams to think like epidemiologists of risk—tracking uncertainties to their sources rather than just cataloguing their symptoms.
Most importantly, it means accepting that effective risk management is less about predicting the future and more about building adaptive capacity to handle whatever uncertainties that future might hold.
The organizations that thrive in an uncertain world won't be those with the most comprehensive risk checklists. They'll be those that best understand the uncertainties they face and have developed nuanced, strategic approaches to contending with them.
After all, in a world where uncertainty is the only certainty, shouldn't our risk management reflect that fundamental truth?


