I get these questions many times from aspiring Risk Management Professionals (RMP) and also sometimes from aspiring Project Management Professionals (PMP).
Question: How risks are classified considering the aspects of “knowns” and “unknowns”?
Let me simplify and put it in the context of four quadrant risk classification. The four quadrants are: Knowns-Knowns, Known-Unknowns, Unknown-knowns and Unknown-unknowns. Risk can be classified into one of these four quadrants based on:
a) Available information,
b) Degree of variability, and
c) Degree of ambiguity.
The first point above, i.e., available information about the risks is quickly understood. How about variability and ambiguity?
Variability and ambiguity are two aspects of uncertainty. Variability is primarily about the uncertainty of results, whereas ambiguity is about the uncertainty of meaning.
Let’s take an example to understand variability first. You are conducting testing for a phase of your project and a large number of bugs are found during testing, which was much higher than expected. The variability here is this: the number bugs can be low or high. But we did not know until we did the testing. Hence, we have uncertainty about results in this case, which is variability.
Ambiguity, on the other hand, is because of lack knowledge or imperfect knowledge. Ambiguity, as the name itself informs, is about the lack of understanding or uncertainty in meaning. Taking an example: let’s say there is a new regulatory framework expected. But you don’t have perfect knowledge on it. Hence, you are not clear how this new regulatory development is going to impact your project. This is ambiguity.
Now, let’s see the four-quadrant classification of risks. The 4 classifications are:
- Known-knowns: These are not risks! But these facts and requirements. These are known facts and/or requirements with known amount of work. Hence, they are addressed as part of the project scope. These are also known as “tapped knowledge”.
- Unknown-knowns: These are hidden facts. Because they are not known (unknown), hence they are hidden from us. But someone else within the community may know about it and also know the amount of work needed. These are also known as “untapped knowledge”. These align more closely with the ambiguity risks.
- Known-unknowns: These are classic risks or risks what you as a project manager or risk manager most likely see. These are also called as “known risks” - known risks but with an unknown amount of rework.
- Unknown-unknowns: These are “unknown risks” - the unknown risks with unknown or unforeseen work. In this case knowledge does not exist within the community or the sphere of influence of the risk manager.
This four-quadrant classification is shown in the below figure.
In our explanation above, I’ve also set these classifications in terms of knowledge. Hence, putting them into the context of knowledge, we will have:
- Known-knowns: What we currently know. These are facts.
- Unknown-knowns: What we don't know, but known to someone else. These are hidden facts.
- Known-unknowns: What we know that we don't know. These are identified unknown facts.
- Unknown-unknowns: What we don't know that we don't know. This is ignorance.
I’ve put the above concepts into a table so that you can understand and remember quickly.
These concepts are important to know in risk management, which are needed both for aspiring RMPs and PMPs. Also, these are foundational to understand contingency reserve and management reserve – two widely used reserves during reserve analysis.
 Book - I Want To Be A RMP: The Plain and Simple Way To Be A RMP, by Satya Narayan Dash
 The Standard for Risk Management in Portfolios, Programs, and Projects by Project Management Institute.
 Book - I Want To Be A PMP: The Plain and Simple Way To Be A PMP, by Satya Narayan Dash