The entire subject of risk management is based on the ability of the manager to identify, value, and then mitigate the correct risks. Classification of risks is a vital step in this process. It is important to realize that there is no standard framework for classifying risks. Different people use different frameworks. One such framework was made popular by Donald Rumsfeld, who was Secretary of Defense for the United States during the subprime mortgage crisis. This framework classifies risks based on knowns and unknowns. It is important to realize that this framework was not created by Donald Rumsfeld. It already existed in a lesser-known psychological construct called the Johari Window. Donald Rumsfeld just popularized the adoption of the concept to characterize and classify financial risks. In this article, we will understand how risks are classified in the known-unknown framework.
The Known Unknown Framework
The known unknown framework is a matrix that helps classify risks based on the knowledge that we have about them. This framework is unique in the sense that it acknowledges that there are some risks that we cannot find out about no matter how diligent we are. Since the 2008 crisis, this matrix has been routinely used to classify risks into four different categories. These categories are described below:
1. Known Known Risks
Known knowns are the easiest type of risks when it comes to risk management. One known stands for the fact that the organization is aware that such a risk exists. The other known is for the fact that the risk can be measured and its effects can be quantified. An example of such a risk would be the possibility that a firm would lose some of its customers to its competitors. Almost every firm is aware that such a risk exists. Also, they can reasonably quantify the probability of customers leaving them and the impact that such a loss would have on their financial statements.
These types of risks are easiest to manage because the probability of them occurring as well as their impact is known. Mathematical models can be developed that help make decisions that minimize the occurrence as well as the impact of such risks. Technology such as business process workflows can bring about a certain level of automation which helps better mitigate and even avoid these risks to some extent.
2. Known Unknown Risks
Known unknown risks are the second category of risks that companies generally face. These risks are called known unknowns because the organization is aware of the existence of such a risk. However, the organization is not aware of the probability that this risk will affect them. Nor are they able to quantify the impact that these risks will have on their business if they materialize.
Risks related to lawsuits can be put in this category. This is because companies are aware that they are liable for all the actions of their employees and even their subcontractors. Hence, there is always a possibility that they might become targets of a lawsuit due to the willful or negligent misconduct of one of their associates. However, it is difficult to gauge the probability of such an event taking place as well as the financial impact it may have. Lawsuits can cost the company anywhere from a few thousand dollars to billions of dollars!
Companies often spend a lot of money buying insurance as well as hiring specialists to gain more information and prevent such risks from materializing.
3. Unknown Unknown Risks
This is the most dangerous type of risk that an organization faces. One unknown stands for the fact that the company is not even aware of the existence of such a risk. The other unknown follows from the first: since the company is not even aware that the risk exists, the question of measuring and quantifying it does not really arise. These risks typically tend to have a very high impact and endanger the very existence of the organization. Examples of such risks include extreme weather events. The coronavirus global pandemic is another classic example of this risk. No matter how hard the risk managers would have tried, they would have found it difficult to predict the existence and impact of this type of risk with any degree of accuracy. This is where all the mathematical models of risk management begin to fail. These events have been labeled as "black swan events" based on the
Companies, however, do not completely give up on these risks. Most companies have some sort of business continuity plan in place to help them manage these black swan events better.
4. Unknown Known Risks
These are risks that are created due to the negligence of the company. For instance, companies should ideally be aware that they face some amount of market risk or counterparty risk. Hence, believing that an adverse event will never occur is negligent on the part of the company. These risks are seldom mentioned in the company's risk management framework. This is because, in a properly managed risk department, such risks should not exist at all. However, many times these risks are present in even the best organizations in the world. The subprime mortgage crisis and the subsequent financial crisis that it brought about are testimony to this fact.
The fact of the matter is that every industry, as well as every business, faces risks that are unique and different from those of others. The known unknown framework is an effective way to classify these risks.