Why some risks turn into surprises

From the Risk Insights from The Risk Doctor Blog
David Hillson, The Risk Doctor, shares key tips on understanding and managing risk, blending thought-leadership with expert practical application. Managing risk is easy - find out how!

Categories: risk identification

It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.

Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.

  1. Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these “unknown unknowns” are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but they are either unexpected problems or unplanned benefits.
  2. Other risks are time-dependent, and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
  3. Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing is complete.
  4. The last group of risks which can remain hidden from the “risk radar” are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.

With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.

Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.

Posted on: December 14, 2016 11:14 AM

Comments (6)

Good article. Could we say there are known secondary risks, that arise as a direct result of implementing a risk response and unknown secondary risks, which only appear when action is taken to respond to an “unknown” risk (workaround)?

Err, that's a novel way to describe it - I think! I'm not sure that it's a useful distinction though - what difference would it make if a secondary risk was known or unknown? If it was unknown then we cannot manage it until it becomes known - so it then comes under the category of emergent risks.

We should be able to identify secondary risks before we take action on a risk, at least most/some.

Another great one, David!

@Vincent - I agree, wherever possible, we should be looking for secondary risks as part of the risk response selection process.

@ Alexandra - thanks! :-)