It's important to recognise that risk and uncertainty have multiple dimensions. Why? Because it affects the appropriate proactive or reactive responses.
Consider a programmer writing code, an entrepreneur wanting to break through into a new market or a scientist wanting to contribute to a medical breakthrough. In each case a wise and experienced person will recognise that the problem is unlikely to be unique; it has a range of characteristics, some of which it shares with other challenges. Therefore in many areas categorisation is important, reducing wasted time and increasing the chances of success.
Risk management also benefits from multiple perspectives, classifications or "dimensions". Here are just four.
 Control focus: managing internal v external risks
Insight: the amount and type of influence we have over risks depends on whether they arise within or outside our organisation.
- Internal risks: we have most influence over these; we may influence both the "probability" and "impact".
- External risks: we have less influence over "probability" (lobbying may help for some e.g. political risks) and may need to mitigate potential "impact".
- Hybrids: In reality uncertainty can be a combination of internal and external factors e.g. strategic and competitive risks.
Getting real: The risk of a hurricane on a Florida head office may be unmanageable without insurance (manage impact not probability). Competitive uncertainty may be limited by diversifying our business interests (diversification, managing impact not probability) although our business may thereby suffer from lack of focus or specialisation. We can reduce the probability of internal network failure by purchasing higher quality components and manage the impact by using offsite facilities.
 Action focus: tackling randomness, imprecise estimates and broader lack of knowledge
Insight: values that matter to us are normally estimates. We may be able to improve our "best guess" estimate and our uncertainty around it.
- Random variation: the world of known probabilities exists but is rare; pure random variation is less important than we would like to think!
- Estimation: we usually lack some knowledge of the average value of a quantity and the potential spread of values around that average.
- Factor uncertainty/ignorance: We may not know the strength of the effect of a factor – or of its potential to affect results – upwards or downwards.
Getting real: The probabilities of various levels of pure random variation can be estimated, using standard analytical techniques. In reality we are rarely in a situation of "pure risk" – see "the big picture view" below – something construed as random variation may not be. The impact of estimation error increases as we sell more product, insure more people etc. It is a systematic risk; the difference between our assumption and the true underlying value will become clearer over time, rather than diversify. One way of managing may be to diversify across "products", so long as there is no underlying estimation bias e.g. to optimism over costs.
 Classic focus: functional and expert-led risk types
These risk types are used in many larger companies, with multiple further levels of sub-type for a given risk type.
Insight: Uncertainty is often best managed by front line people with expertise, with central back up; multiple "lines of defence".
- Strategic: Below we link to evidence that this hybrid risk is often the biggest facing an organisation.
- Operational: the potential for loss arising from inadequate or failed procedures, systems or policies – see the Basel II categories.
- Financial: a host of risks which can be classified at various levels (investment, credit, market etc).
- Insurance-like: most organisations have at least some of this, either through exposure to hazards (weather, fire, death) or through their pension schemes.
- Other: some companies will put (e.g.) reputational or legal risks here.
Getting real: Used as part of a toolset there is nothing wrong with this perspective. It can be applied in an unfortunate way; a Chief Risk Officer may be employed not to help manage overall risk and uncertainty, but to be responsible for ensuring that the firm does not incur substantial losses from its investment policy. Not good.
 Big picture view: the full spectrum of uncertainty
Insight: Risk classifications such as those set out in "WARNING: Physics envy may be hazardous to your wealth!" and "Decision theory: a brief introduction" may seem academic but the segmentations can help us understand the potential for managing uncertainty and therefore (e.g.) see where to focus our efforts.
One classification system, motivated partly by the two papers referred to above, is:
1. Certainty: this rarely exists, but in many situations non-risk factors dominate – this is not always apparent from risk material.
2. Risk: known probabilities (dice, cards etc). Rarely directly relevant, but sometimes more data means uncertainty moves closer to risk.
3. Uncertainty: unknown probabilities for key variables – this is the norm for organisations.
4. Ambiguity: not only are probabilities unknown, the presence and effect of contributing factors and the potential outcome are also unknown.
5. Chaos: nothing is known and "black swans" seem to be frequent.
Getting real: "Risk, Uncertainty and Profit" was an influential 1920s book by US economist Frank Knight in which he suggested that profit accrued to firms which took on uncertainty (manageable through expertise) rather than risk (manageable through diversification). As noted above, the uncertainty in (3) is the norm for most organisations and often we struggle to quantify the most important factors (4). This sort of risk management can be challenging:
- Potential impacts of factors can be "non-linear" – their impact does not add simply.
- Probabilities associated with factors may be interdependent – they may not simply multiply like dice rolls.
- Poorly aligned incentives can "distort" risk – see moral hazard and agency risk.
- The level of risk can change over time, as can the contributory factors.
It's about more than the tone at the top
For these and other reasons, risk management is almost never a matter of just mathematics and models; the judgements of (e.g.) an organisation's Board must be brought to bear on business decisions which have uncertainty at their core. Without this we'll have more financial and other crises and misplaced blame.
The "helpful thinking" series:
- 4As of risk management: setting the initial objectives for risk management.
- 6Ps of risk management: integrating risk management in an organisation from day-1.
- Frank Knight: Risk, Uncertainty and Profit
- Wikipedia: Frank Knight's risk and uncertainty
- Andrew Lo and Mark Mueller: WARNING: Physics envy may be hazardous to your wealth!
- Professor Sven Ove Hansson: Decision theory: a brief introduction