
Oscar Combs


How Uncertainty Affects Risk

Properly identifying uncertainties is key to mitigating risk

Published: Monday, August 27, 2018 - 11:02

ISO 9001:2015, clause 6.1 requires an organization to identify its risks and take actions to address identified risks. It is very tempting to start with a huge list of potential risks for the organization, but is the organization focusing on the actual risks that have an effect on its operations? To perform an effective risk assessment, an organization must first identify the uncertainty in its processes.

When uncertainties are identified, mitigation controls can be targeted at the effects of the identified uncertainties. Failing to identify an uncertainty first could lead to flawed risk identification and nonvalue-added controls. The approach defined here will lead to more effective and meaningful risk identification and mitigation.

How does an organization identify its uncertainties?

Before we go any further, there are two terms that I must define to put this concept in perspective: “uncertainty” and “risk.” Uncertainty is defined as, “something that is uncertain or that causes one to feel uncertain.” Risk is defined as, “the effects of uncertainty.” Given these definitions, it’s clear why an organization must start by defining the uncertainty within its processes before attempting to identify the effects of that uncertainty, or its risks. An organization that doesn’t start with identifying uncertainty will define false risks and miss actual risks that are affecting it. There is uncertainty in all organizational processes. The effects of these uncertainties are what plague the organization and its interested parties, so we must identify the uncertainty first.

Identify uncertainty, then its effects

Identifying uncertainty first is critical to effective risk identification. Here is a simple example. Let’s say an employee identifies the risk of being late to work but doesn’t start with identifying the uncertainties involved. Some uncertainties of being late to work might include traffic, mechanical issues, weather, running out of gas, or getting into an accident. The effect of any one of these uncertainties could result in the risk of the employee being late to work. Each of the uncertainties would require its own risk mitigation to address its effect on the risk of being late to work. The employee may have put a risk mitigation in place for traffic, but failed to think about getting into an accident; therefore, the risk of being late to work might not be effectively mitigated. If the employee identifies all of the uncertainties first and then develops risk mitigation and contingencies for each uncertainty, the employee will drastically reduce the probability and the effect of being late for work.

Let’s apply this concept to an organizational process.

Mitigating effects of uncertainty

Here is an example of an uncertainty that can affect every organization. Consider the uncertainty involved in the employee hiring process. There are many effects of uncertainty or risks involved in this process. As explained above, the organization should first start by identifying the uncertainties and then identifying the effects of the uncertainties or risks. Here are a couple of uncertainties involved with the employee hiring process.
• Candidate may not fit organizational culture
• Candidate may not be qualified

The effect of these uncertainties is that the organization may not hire the right candidate. But the organization shouldn’t start by identifying the risk; it must first identify the uncertainties to reduce the probability and effect of the risk. Otherwise, it might fail to put risk mitigations or contingencies in place to address the effects of the uncertainties.

For example, what if the organization simply attempts to mitigate the risk by having candidates complete an application and go through an interview? This mitigation control may help reduce the probability and effects of the risk, but there are many organizations that hire candidates using these controls, and employees still don’t fit their culture or are not qualified. This is because the risk mitigation focused on the risk rather than the uncertainty.

To address the uncertainty of the candidate not fitting the organizational culture, the organization may conduct a committee interview or have the candidate take a personality test. To address the uncertainty of the candidate not being qualified, the organization may call references and request proof of credentials. Both of these risk mitigations would go a bit further than the application and interview controls. Once the uncertainties and their effects are identified, the organization would be in a position to identify effective risk mitigations, which would target the effects of uncertainties.


Risk mitigation is more than simply writing a random list of risks. An organization must first identify the uncertainties within its processes. Once the uncertainties are identified, it must then identify the effects of the uncertainties. These are the risks that will most likely affect the organization. Focusing on the uncertainties and their effects allows an organization to implement a more robust and proactive risk mitigation program.


About The Author

Oscar Combs

Oscar Combs is the senior consultant of The ISO 9001 Group, a management consulting, auditing and training firm based in Houston, Texas. Combs has more than 23 years of experience working with management systems. He has worked with clients throughout North America, South America, Europe, the Middle East, Asia, and Africa in helping companies manage risk and improve their business operations. Combs holds an MBA from the University of Houston and is certified by Exemplar Global as a Principal Management Consultant and Lead Auditor. He is also a senior member of the American Society for Quality and has served as the Programs Committee Chair for ASQ’s Houston Chapter 1405.