Risk is the effect of uncertainty of objectives. Uncertainty is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge of understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete
‒ ISO 31000:2009, ISO 17666:2016 and ISO 11231:2010
Risk is Uncertainty that MattersRisk can be the potential consequence of a specific outcome that affects the system's ability to meet cost, schedule, and/or technical objectives. Risk has three primary components:
- Probability of an activity or event occurring or not occurring, described by a Probability Distribution Function.
- Consequence or effect resulting from the activity or event occurring or not occurring, described by a Probability Distribution Function.
- Root Cause (condition and activity) of a future outcome, which if eliminated, will prevent occurrence, non‒occurrence, or recurrence of the cause of the risk
For the program manager, there are three risk categories that must be identified and handled:
- Technical ‒ risks that may prevent the end item from performing as intended or not meeting performance expectations. Measures of Effectiveness, Measures of Performance, Technical Performance Measures, and Key Performance Parameters describe the measures of these expectations.
- Programmatic ‒ risks that affect the cost and schedule measures of the program. The programmatic risks are within the control or influence of the Program Management or Program Executive Office, through managerial actions applied to the work activities contained in the Integrated Master Schedule.
- Business ‒ risks that originate outside the program office or are not within the control or influence of the Program Manager or Program Executive Office.
Uncertainty comes from the lack information to describe a current state or to predict future states, preferred outcomes, or the actions needed to achieve them. This uncertainty can originate from the naturally (randomly) occurring processes of the project (Aleatory Uncertainty). Or it can originate from the lack of knowledge about the future outcomes from the work on the project (Epistemic Uncertainty).
Risk Can NOT be eliminated, it can only be reduced with specific work activities, or handled with margin. Any notion this is the case, is uninformed by the principles of managing projects in the presence of uncertanty (Epistemic and Aleatory).
Risk, Their Sources, and Their Handling Strategies
Risk identification during early design phases of complex systems is commonly implemented but often fails to identify events and circumstances that challenge project performance. Inefficiencies in cost and schedule estimates are usually held accountable for cost and schedule overruns, but the true root cause is often the realization of programmatic risks. A deeper understanding of frequent risk identification trends and biases pervasive during the design and development of the project's deliverables is needed, for it would lead to improved execution of existing identification processes and methods.
Risk management means building a model of the risk, the impact of the risk on the program, and a model for handling of the risk since it is a risk, the corrective or preventive action has not occurred yet. Probabilistic Risk Assessment (PRA) is the basis of these models and provides the Probability of Program Success Probabilities result from uncertainty and are central to the analysis of the risk. Scenarios, model assumptions, with model parameters based on current knowledge of the behavior of the system under a given set of conditions.
The source of uncertainty must be identified, characterized, and the impact on program success modeled and understood, so decisions can be made about corrective and preventive actions needed to increase the Probability of Program Success.
Since risk is the outcome of Uncertainty, distinguishing between the types of uncertainty in the definition and management of risk on complex systems is useful when building risk assessment and management models.
- Epistemic uncertainty ‒ from the Greek επιστηµη (episteme), meaning knowledge of uncertainty due to a lack of knowledge of quantities or processes of the system or the environment. Epistemic uncertainty is represented in the ranges of values for parameters, a range of workable models, the level of model detail, multiple expert interpretations, and statistical confidence. Epistemic uncertainty derives from a lack of knowledge about the appropriate value to use for a quantity that is assumed to have a fixed value in the context of a particular analysis. The accumulation of information and implementation of actions reduce epistemic uncertainty to eliminate or reduce the likelihood and/or impact of risk. This uncertainty is modeled as a subjective assessment of the probability of our knowledge and the probability of occurrence of an undesirable event.
Incomplete knowledge about some characteristics of the system or its environment are primary sources of Epistemic uncertainty.
- Aleatory uncertainty ‒ from the Latin alea (a single die in Latin) is the inherent variation associated with a physical system or the environment. Aleatory uncertainty arises from an inherent randomness, natural stochasticity, environmental or structural variation across space and time in the properties or behavior of the system under study. 5 The accumulation of more data or additional information cannot reduce aleatory uncertainty. This uncertainty is modeled as a stochastic process of an inherently random physical model. The projected impact of the risk produced by Aleatory uncertainty can be managed through cost, schedule, and/or technical margin.
Naturally occurring variations associated with the physical system are primary sources of Aleatory uncertainty.
- Ontological Uncertainty ‒ is attributable to the complete lack of knowledge of the states of a system. This is sometimes labeled an Unknowable Risk. Ontological uncertainty cannot be measured directly.
Ontological uncertainty creates risk from Inherent variations and incomplete information that is not knowable.