When thinking about risk, I break things into four quadrants. There are things we know and there are things we don’t know as individuals. I then slice that further with the things we know and the things we don’t know as part of the larger organization or conscious state.
Our sweet spot is the things we know that we know. (The green area on my chart.) Those are our operations. Those are the things we have in the realm of compliance. We may not be fully compliant and dealing with the risk, but it is known.
At the opposite corner are the things that we don’t know that we don’t know. This is the black swan territory. This is an area of danger for an organization. This is a knowledge void and a compliance void. These are risks that we don’t know about. We don’t know the magnitude of the risk and we don’t know it even exists. Our models miss this factor. Our organizations are not paying attention to these risks.
The other two areas are also interesting.
The things we know that we don’t know is an area that we know we can improve. (The orange quadrant on my chart.) This is the area of known ignorance or accepted unknowns. You can manage these risks, because we know them. They have been identified, although not quantified. They may be on the list of things to address. Or we may just be willing to run naked in this area and are not worried about the risk.
The last area, the things that we don’t know we know, is an area of opportunity. (The purple quadrant on my chart.) This is risk that the organization is managing, even if it doesn’t know that risk exists. Often this will be a risk associated with another risk, either through causation or correlation. If an organization realizes it has this knowledge, it may be able to create a new opportunity for itself by discovering it. You do need to realize that the causation or correlation may sever at some point, pushing this risk down into the territory of the black swan.
There is also an element of danger in the opportunity area when it comes to records management. These may be the pieces of information that get unearthed during litigation and get an organization in trouble.
It’s important to realize and accept that there are things we don’t know. The key to bettering the organization is to continually try to reduce the amount of stuff that we don’t know.
I want to credit Liam Fahey, a professor at Babson College and co-founder of the Leadership Forum, for the origins of this matrix. He gave a presentation using this analysis to a group of law firm knowledge management leaders in October of 2008.
Excellent post. I think there is also another level of filtering involved that incorporates both legal uncertainty and risk appetite. Certainly, with respect to compliance obligations, there is sometimes no clear line between “known” and “unknown”.
First, there is the issue of conflict of laws analysis for large organizations doing business in multiple jurisdictions and the need to normalize varying obligations in such a way that they can be managed.
Second, there is the issue of legal uncertainty. Legal authority ranges from black letter law which has been affirmed in the jurisdiction applicable to the business to highly speculative assessments of the meaning of laws and regulations as well as how they will be applied in a given jurisdiction.
Finally, there is the issue of “clean hands”. For example, if a business has been found by its regulators to have been at fault previously, prudence dictates that one be more conservative in the future with respect to every obligation than might otherwise be necessary.
All of these factors together become the basis of determining the degree of compliance risk tolerance one has. Do you want to press right up to the line between compliance and non-compliance, or do you want to take the compliance equivalent of a belt and suspenders approach?