When it comes to business, life, and of course compliance, there are dragons that cross our path that cannot or should not be avoided and instead must be faced head on. Dragons may first appear at a distance, and when viewed from afar may seem more or less dangerous than they really are. Until the threat arrives, we have time to improve our vision, understand its nature, and devise strategies to successfully contend with it.
Most threats are a manifestation of uncertainty, which is the root cause of risk (ISO 31000). This uncertainty may come in different forms, the most common of which are aleatory uncertainty, having to do with randomness, and epistemic uncertainty, having to do with lack of knowledge. However, threats will often not be limited to one or the other but will consist of all forms of uncertainty in varying measures over time.
When risk behaves mostly like aleatory uncertainty (random, chaotic, complex):
Assume the threat is serious and its effects cannot be controlled.
Accept that negative outcomes will happen.
Treat uncertainty by using margins such as reserves, contingencies, insurance, savings, etc.
Introduce broad-level safeguards and life-saving practices.
The goal is amelioration (to make better, to improve).
When risk behaves mostly like epistemic uncertainty (lack of knowledge):
Assume the threat is serious but its effects can be controlled if better understood.
Accept that negative outcomes may happen.
Treat uncertainty by buying down risk.
Develop capabilities to increase knowledge of the threat and learn how to prevent or reduce its effects.
Introduce targeted-level safeguards and life-saving practices.
The goal is mitigation (to reduce, lessen, or decrease).
However, when it comes to uncertainty, nothing stays the same:
The threat may change
The effectiveness of measures may change
Our understanding of the threat may change
Conditions may change
Therefore, the path to certainty will seldom be a straight line, which can be frustrating for some. As our knowledge of the threat increases and the effectiveness of risk measures is better understood, our path will necessarily change to focus on the uncertainty that remains. For this reason, risk & compliance will always be a continuous endeavor, seldom a straight path but always working toward taming the dragon of uncertainty.