The other day we were doing some risk analysis at work, the usual stuff that many companies and departments do – even more so it they are an IT department or rely heavily on IT.  It was the traditional brainstorming session, collecting threats and vulnerabilities and then assigning probabilities and impacts to them., but I think I threw a bit of a spanner in the works.Earlier this year I read The Black Swan and Fooled by Randomness, both by Nasim Nicholas Taleb. I thought he had a good point, even if he did labour it a bit and stretched what would have made a good pamphlet over two books, padded out with lots of sniping and old-score-settling.
With those books in mind I suggested that a risk to put on the list would be “the unknown” but apparently you can’t do that. The point is to identify specific risks and the concept of an unspecified, unexpected, unpredictable ,unlikely event of catastrophic proportions doesn’t fit in there. It looks like we (in common with many/most companies) only accept theories from business books and not maths books.
Maybe I should have cheated and put down “inability to take account of the unpredictable” as a vulnerability…
Back in the days when I did real work like building belief networks and doing risk analysis, we would create a probabilistic variable (e.g. “colour”) with a comprehensive set of states (“red”, “blue”, “reddymagenta” etc). Most of the time it was either nugatory or impossible to list all the possible states of that variable, so we listed the ones we were interested in, then put all the probability that was left over into a “bin” state, to be investigated further if its probability got too large. What you have here is a bin state. And a perfect illustration that people often address all the risks that they can measure, rather than all the risks that they face. Another common mistake is not understanding that a risk is a combination of probability and cost – leading to the contradictory behaviour of people simultaneously overestimating (“high cost: we’re all going to die of X”) and underestimating (“low probability: it’ll never happen so we can ignore it”) events with very similar risk levels. Did you use metastates to describe your behaviour against unspecified risks, i.e. “the comms link is dead” (for whatever reason, including the poison mice from Mars shooting at it) so we will do X?
Answering the last point first: what do you think? 🙂
For business purposes, risk analysis is quite simplified and “comms link is dead” would be a risk, regardless of the cause.
Not sure about your colour-coding scheme though. Would only work for females as it is well known that chaps can only see colour in the original Windows 16-colour pallette. It is the cause of many redecorating-related arguments in B&Q.
The point is that there is no room in the system for a risk where you have worked backwards and defined the probability (very low) and impact (potentially absurdly high) but have no idea what it might be. The trouble with thinking the unthinkable is that, by definition, it is unthinkable – but that doesn’t make it go away.
Unfortunately I do not have the maths to properly describe it.
you needed to be more specific. Remember, there are known unknowns, and there are unknown unknowns…
Ironically, one of the few things Rumsfeld said that actually makes sense!
Oh dear… comments from SJ & Rob on the same thread. Don’t let them start talking to each other. The conversation will soon lapse into binary or something!
told you, I’m really a science geek, not an IT geek though the IT pays the wages.
I think you may be overestimating the colour range – I’m sure Rob claims that there are only 8 colours (apricot is, I hear, just a fruit…). Does this, coincidentally, actually prove that he is more of a science geek than an IT one. (Although he did, very kindly, make me feel better about birthdays by giving my age in hex up to a few years ago – which may still be science…)
Thats right – I forgot that the original ‘color’ pallette was only 8 colours.
I like hex though. Next year I will be 30 in hex… so that ‘happy 30th’ card I got from @krypto was actually a year premature rather than flattering!