Risk vs uncertainty: why the COVID-19 challenge is so difficult

One of the less featured requirements of the annual report that charities must complete at the end of every financial year is to identify major risks and demonstrate how the organisation is attempting to manage them. It’s probably not controversial to say that this is often seen as somewhat of a irksome burden for those like myself charged with pulling together the final document – and indeed, some qualitative analysis I’m currently undertaking for an academic piece of work suggests it’s often nothing more than a tick box exercise. But looking at these reports has made me reflect on just why the COVID-19 challenge is so difficult – and why it feels so inherently different to other risks that charities have faced in the past 25 years. It’s not just the scale of the issue, it’s something about the nature of the issue itself.

Risk versus Uncertainty

The answer, I think, is that COVID-19 creates more than just risk for organisations – it creates uncertainty. Although these terms are often used interchangeably, it’s important to note that they are actually two distinct concepts. Within experimental social science (particularly economics and psychology), this has been a major source for research over the past 30 years, looking at how individuals make rational decisions in different contexts. Drawing upon this, two definitions are useful to help explain what I’m talking about:

1. Risk: the likelihood of an event(s) from happening, where measurement can be applied, and outcomes are controllable.

2. Uncertainty: a state where future events are unknown, cannot be measured, and are not controllable.

Most organisations that I’ve worked or volunteered for have traditionally focussed on the former – where ‘risk management frameworks’ have been the most popular approach. This is quite understandable. Their aim is simple: to help organisations understand the factors that might prevent their ability to deliver their charitable objectives, and to take appropriate action to mitigate this. The most often cited framework applied in the charity sector is the three lines of defence approach developed by the Institute of Internal Auditors and refined specifically for charities by the Institute of Risk Management. Broadly, this requires organisations to articulate their actions under three different levels, and to consider how these are related as part of a broader coherent plan.

1. First line of defence: operational risk management, for example a detailed risk register for the organisation or a specific project or activity, that sets out concrete steps for staff to take.

2. Second line of defence: management oversight, for example a policy or governance structure that clearly identifies how risks are reported, and who is overall responsible for what.

3. Third line of defence: independent audit, for example the use of quality marks, accreditation schemes or formal benchmarking to give assurance to trustees.

But it is now more obvious than ever that whilst the ‘three lines’ approach to assurance covers many (if not all) of the different types of decision faced by organisations that have risk attached, it misses this second notion of uncertainty. To (begrudgingly) quote former US Defence Secretary: there are known unknowns, but what about the ‘unknown unknowns’?

Managing ‘unknown unknowns’

So what can organisations do to address this from a governance perspective? Having thought about this a lot over the past couple of months, I would suggest that it requires a different methodological approach than with risk – one based on principles rather spending futile hours simply trying to convert the ‘unknown unknowns’ into ‘known unknowns’.

Senior Management Teams and Trustees should look at the following five areas and ask themselves to what extent the charity they lead performs against them.

1. Intelligence: are there systems and processes in place for the organisation to capture data about the changing context in which it is operating? Are staff sufficiently engaging with the wider sector to monitor trends and actually see when big shifts occur?

2. Communication: can those staff on the front line easily convey what they see to senior staff, and are there channels for information to flow to decision-makers? Are there any roadblocks to this, and how can organisations ensure ‘path dependency’ or ‘group think’ doesn’t destroy or corrupt this flow?

3. Agility: can the organisation respond quickly to the information it receives, and are the structures in place fit for purpose when ‘crisis’ hits? Are there plans in place to move to a more ‘command and control’ mode when this is warranted?

4. Leadership: does the organisation have staff (or volunteers) who are able to make difficult decisions quickly and with purpose, putting aside emotion where needed. Does this exist in more than one area, in order to provide a safety net?

5. Reflection: is there space for leaders to share ideas confidentially and really flesh out the pros and cons of decisions in a high trust environment? What support structures are in place for the most senior leaders to work through intractable issues and consider the ‘unthinkable’?

This list is by no means exhaustive, and represents some first thoughts on this topic. As the pandemic continues, this tension between risk and uncertainty will of course change. Issues will move from the latter to the former as we learn more and get more certainty over what comes next. But that doesn’t mean we shouldn’t be more mindful of what else that we don’t know what we don’t know.