Oscar Combs


How Uncertainty Affects Risk

Properly identifying uncertainties is key to mitigating risk

Published: Monday, August 27, 2018 - 12:02

ISO 9001:2015, clause 6.1 requires an organization to identify its risks and take actions to address identified risks. It is very tempting to start with a huge list of potential risks for the organization, but is the organization focusing on the actual risks that have an effect on its operations? To perform an effective risk assessment, an organization must first identify the uncertainty in its processes.

When uncertainties are identified, mitigation controls can be targeted at the effects of the identified uncertainties. Failing to identify an uncertainty first could lead to flawed risk identification and nonvalue-added controls. The approach defined here will lead to more effective and meaningful risk identification and mitigation.

How does an organization identify its uncertainties?

Before we go any further, I must define two terms to put this concept in perspective: “uncertainty” and “risk.” Uncertainty is defined as, “something that is uncertain or that causes one to feel uncertain.” Risk is defined as, “the effects of uncertainty.” Given these definitions, it’s clear why an organization must start by defining the uncertainty within its processes, before attempting to identify the effects of that uncertainty or its risks. An organization that doesn’t start with identifying uncertainty will define false risks and miss actual risks that are affecting it. There is uncertainty in all organizational processes. The effect of these uncertainties is what plagues the organization and its interested parties, so we must identify the uncertainty first.

Identify uncertainty, then its effects

Identifying uncertainty first is critical to effective risk identification. Here is a simple example. Let’s say an employee identifies the risk of being late to work but doesn’t start with identifying the uncertainties involved. Some uncertainties of being late to work might include traffic, mechanical issues, weather, running out of gas, or getting into an accident. The effect of any one of these uncertainties could result in the risk of the employee being late to work. Each of the uncertainties would require its own risk mitigation to address its effect on the risk of being late to work. The employee may have put a risk mitigation in place for traffic, but failed to think about getting into an accident; therefore, the risk of being late to work might not be effectively mitigated. If the employee identifies all of the uncertainties first and then develops risk mitigation and contingencies for each uncertainty, the employee will drastically reduce the probability and the effect of being late for work.

Let’s apply this concept to an organizational process.

Mitigating effects of uncertainty

Here is an example of an uncertainty that can affect every organization. Consider the uncertainty involved in the employee hiring process. There are many effects of uncertainty or risks involved in this process. As explained above, the organization should first start by identifying the uncertainties and then identifying the effects of the uncertainties or risks. Here are a couple of uncertainties involved with the employee hiring process.
• Candidate may not fit organizational culture
• Candidate may not be qualified

The effect of these uncertainties is that the organization may not hire the right candidate. But the organization shouldn’t start by identifying the risk; it must first identify the uncertainties to reduce the probability and effect of the risk. Otherwise, it might fail to put risk mitigations or contingencies in place to address the effects of the uncertainties.

For example, what if the organization simply attempts to mitigate the risk by having candidates complete an application and go through an interview? This mitigation control may help reduce the probability and effects of the risk, but there are many organizations that hire candidates using these controls, and employees still don’t fit their culture or are not qualified. This is because the risk mitigation focused on the risk rather than the uncertainty.

To address the uncertainty of the candidate not fitting the organizational culture, the organization may conduct a committee interview or have the candidate take a personality test. To address the uncertainty of the candidate not being qualified, the organization may call references and request proof of credentials. Both of these risk mitigations would go a bit further than the application and interview controls. Once the uncertainties and their effects are identified, the organization would be in a position to identify effective risk mitigations, which would target the effects of uncertainties.


Risk mitigation is more than simply writing a random list of risks. An organization must first identify the uncertainties within its processes. Once the uncertainties are identified, it must then identify the effects of the uncertainties. These are the risks that will most likely affect the organization. Focusing on the uncertainties and their effects allows an organization to implement a more robust and proactive risk mitigation program.


About The Author

Oscar Combs

Oscar Combs is President and Senior Consultant of The ISO 9001 Group, a management consulting, auditing and training firm based in Houston, Texas. Oscar has over 25 years of experience working with management systems. Oscar has worked with clients throughout North America, South America, Europe, The Middle East, Asia and Africa helping companies manage risk and improve their business operations. He holds an MBA from the University of Houston. He is certified by Exemplar Global as a Principal Management Consultant and Lead Auditor. Oscar is also a Senior Member of the American Society for Quality and has served as the Programs Committee Chair for ASQ’s Houston Chapter 1405.