Risk Management

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

------------------------------
William McAnally Ph.D., P.E., BC.CE, BC.NE, F.ASCE
ENGINEER
Columbus MS

Original Message:
Sent: 11-21-2025 08:23 AM
From: Mitchell Winkler
Subject: How do you distinguish between risk and uncertainty?

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

------------------------------
Mitch Winkler P.E.(inactive), M.ASCE
Houston, TX
------------------------------

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneural rewards, e.g. by Vasca da Gama searching for spices in India).

Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hilson coined the memo: "Risks are uncertainties that matter".

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneural rewards, e.g. by Vasca da Gama searching for spices in India).

Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hilson coined the memo: "Risks are uncertainties that matter".

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I agree that Hillson's "Risks are uncertainties that matter" is true but is inadequate as a definition because it's incomplete and can be misunderstood. It's incomplete because it lacks explicit mention of consequences. Embedding consequences in "matter" ignores uncertainty bars on measurements and model results, which may or may not be of consequence. It can be misunderstood as a false equivalency, since uncertainties aren't necessarily risks (that matter).

A glossary is an excellent idea. ISO 31000 defines a number of terms related to risk management and offers a place for us to start on a CE risk management glossary.

Bill Mc

In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneural rewards, e.g. by Vasca da Gama searching for spices in India).

Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hilson coined the memo: "Risks are uncertainties that matter".

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I agree that Hillson's "Risks are uncertainties that matter" is true but is inadequate as a definition because it's incomplete and can be misunderstood. It's incomplete because it lacks explicit mention of consequences. Embedding consequences in "matter" ignores uncertainty bars on measurements and model results, which may or may not be of consequence. It can be misunderstood as a false equivalency, since uncertainties aren't necessarily risks (that matter).

A glossary is an excellent idea. ISO 31000 defines a number of terms related to risk management and offers a place for us to start on a CE risk management glossary.

Bill Mc

In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneural rewards, e.g. by Vasca da Gama searching for spices in India).

Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hilson coined the memo: "Risks are uncertainties that matter".

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

Dear Bill Mc,

Risk is generally defined as "probabilty x consequences", hence the consequences are included in the definition. The aspect of consequences as such however, is indeed not covered when discussing uncertainties and not either in discussing hazards.

As a former member of the Swiss mirror committee to ISO 31000, I once developed the following picture:

Obviously the consequences depend on the contex; more, failing controls and lack of effectiveness of mitigation measures -- whether reducing likelyhood or consequences -- also contribute to the risk. 

I agree that Hillson's "Risks are uncertainties that matter" is true but is inadequate as a definition because it's incomplete and can be misunderstood. It's incomplete because it lacks explicit mention of consequences. Embedding consequences in "matter" ignores uncertainty bars on measurements and model results, which may or may not be of consequence. It can be misunderstood as a false equivalency, since uncertainties aren't necessarily risks (that matter).

A glossary is an excellent idea. ISO 31000 defines a number of terms related to risk management and offers a place for us to start on a CE risk management glossary.

Bill Mc

In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneural rewards, e.g. by Vasca da Gama searching for spices in India).

Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hilson coined the memo: "Risks are uncertainties that matter".

The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer  developed by this community.

I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

Bill Mc

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I like your proposal. To keep it simple and consistent with Frank Knight:

Risk: The possible outcomes are known, and probabilities can be assigned to them.

Uncertainty: The possible outcomes, their probabilities, or both are not known.

In real life many "risk models" are in fact uncertainty models built on assumptions. When those assumptions fail, risk collapses back into uncertainty.

Some argue that uncertainty disappears if one "believes" probabilities exist. However, this brings the discussion close to bias: subjective beliefs, prior assumptions, and model choices inevitably shape the probabilities we assign.

Key question: How can we rigorously distinguish between genuine probabilities and assumed ones, and how should we deal, cleanly and honestly, with irreducible uncertainty, if such a distinction is possible at all?

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I would like to disagree:

• There is "aleatoric risk", like throwing a dice where the possible outcomes are known with 1/6 probability. This is also called  the "known unknowns".
• But there is also "epistemic risk", i.e. due to lack of knowledge the risk cannot be perceived and assessed. This is typically the case in engineeering before certain phenomena were recognized first time, such as soil lequifaction or the pressure sensitivity of the permeability of certain shistosic rocks (which led to the failure of Malpasset dam in France 1959). This is called the "unknown unknowns" and worse than uncertainty, as the mere existance of such kind of risk unknown ("black swan").

A useful concept - even though difficult to handle - is a "Damokles' sword" sort of risck, amounting to the product of (0 × ∞), as is the case for nuclear power plants.

I suggest we should rather discuss the possibilities to estimate likelihood (which is different from probability, if the distribution is not known) and impact/consequences. Usually the latter is easier to ascertain (value at risk), but if response actions fail which were supposed to work properly, assessing the impact may entail regarding conditional probabilities on the downstream side in the consequence tree. 

We might also discuss additional secondary risks created by preventive action, and the nature of residual risk, which is not the same as accepted risk. 

I like your proposal. To keep it simple and consistent with Frank Knight:

Risk: The possible outcomes are known, and probabilities can be assigned to them.

Uncertainty: The possible outcomes, their probabilities, or both are not known.

In real life many "risk models" are in fact uncertainty models built on assumptions. When those assumptions fail, risk collapses back into uncertainty.

Some argue that uncertainty disappears if one "believes" probabilities exist. However, this brings the discussion close to bias: subjective beliefs, prior assumptions, and model choices inevitably shape the probabilities we assign.

Key question: How can we rigorously distinguish between genuine probabilities and assumed ones, and how should we deal, cleanly and honestly, with irreducible uncertainty, if such a distinction is possible at all?

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

Thanks for the clarification. I'm not a risk-management specialist, but I'm very interested in this topic because, as engineers, we deal with risk and uncertainty every day and still have to make decisions.

I agree that, in practice, it is often more useful to focus on likelihood, consequences, consequence trees, and residual risk than to try to justify precise probability distributions. Bounding impacts and thinking through failure paths is usually more robust, especially in complex systems where response actions can fail and secondary effects matter.

At the same time, I see this approach as a practical way of working under uncertainty rather than removing it. When we move from probability to likelihood, or rely mainly on consequence analysis, we are implicitly accepting that the numbers are shaped by assumptions, experience, and judgment, particularly in epistemic cases and in the presence of unknown unknowns.

That's really what I'm trying to understand better: how should we understand and use probabilistic risk assessments, if we accept bias and incomplete knowledge are unavoidable? In other words, what kind of confidence should we place in those numbers, and how explicitly should we acknowledge their limits when they are guiding real engineering decisions?

I would like to disagree:

• There is "aleatoric risk", like throwing a dice where the possible outcomes are known with 1/6 probability. This is also called  the "known unknowns".
• But there is also "epistemic risk", i.e. due to lack of knowledge the risk cannot be perceived and assessed. This is typically the case in engineeering before certain phenomena were recognized first time, such as soil lequifaction or the pressure sensitivity of the permeability of certain shistosic rocks (which led to the failure of Malpasset dam in France 1959). This is called the "unknown unknowns" and worse than uncertainty, as the mere existance of such kind of risk unknown ("black swan").

A useful concept - even though difficult to handle - is a "Damokles' sword" sort of risck, amounting to the product of (0 × ∞), as is the case for nuclear power plants.

I suggest we should rather discuss the possibilities to estimate likelihood (which is different from probability, if the distribution is not known) and impact/consequences. Usually the latter is easier to ascertain (value at risk), but if response actions fail which were supposed to work properly, assessing the impact may entail regarding conditional probabilities on the downstream side in the consequence tree. 

We might also discuss additional secondary risks created by preventive action, and the nature of residual risk, which is not the same as accepted risk. 

I like your proposal. To keep it simple and consistent with Frank Knight:

Risk: The possible outcomes are known, and probabilities can be assigned to them.

Uncertainty: The possible outcomes, their probabilities, or both are not known.

In real life many "risk models" are in fact uncertainty models built on assumptions. When those assumptions fail, risk collapses back into uncertainty.

Some argue that uncertainty disappears if one "believes" probabilities exist. However, this brings the discussion close to bias: subjective beliefs, prior assumptions, and model choices inevitably shape the probabilities we assign.

Key question: How can we rigorously distinguish between genuine probabilities and assumed ones, and how should we deal, cleanly and honestly, with irreducible uncertainty, if such a distinction is possible at all?

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

This is great discussion that I'd like to add on to.

First, let's not confuse risk and uncertainty, though they are certainly related. 

It is more correct to say "aleatory uncertainty" and "epistemic uncertainty".  Rolling a die is not a risk unless you put money on the uncertain outcome of 1/6.

Aleatory is also known as natural variability, usually associated with temporal and spatial randomness, and is irreducible.  Epistemic is knowledge uncertainty, usually associated with data and models, and this can be reduced by collecting more data, refining the model or math, etc.

For example, a flood event is aleatory uncertainty because you can never know precisely the timing, location, and magnitude of the flood.  I feel sorry for meteorologists - it seems like they are wrong 99% of the time. However, the modeling of floods incorporates a bevy of knowledge uncertainty: atmospheric conditions; antecedent moisture; ground saturation; river dynamics, inflow volumes; model type; depth, location and timing of precipitation; etc., all of which can be reduced, but not eliminated, through data collection and model refinements. Thus, we are always getting better at modeling storms.

The first step in dealing with uncertainty, is to acknowledge it and its sources.  Put the sources into bins: reducible and irreducible. If uncertainty can be reduced by field testing/sampling or other means, and if it will change the decision, then take the time to go get the data. Other uncertainties might not be reducible, and decision-makers should know which - usually, though, people in the C-suite are used to making decisions under uncertainty. 

When it comes to biases, it is also important that you recognize them and there are ways to counteract nearly all. Engineers are susceptible to over-confidence bias. This is best countered by working with dynamic teams of varied backgrounds and experience (include scientists and technicians into discussions with engineers). Problem-solving and trivia games have the best chance for success when done in groups.  Reference and availability biases are countered by being familiar with case histories and performance. 

There is no magic salve for dealing with uncertainty, expect perhaps for becoming comfortable with it.

Thanks for the clarification. I'm not a risk-management specialist, but I'm very interested in this topic because, as engineers, we deal with risk and uncertainty every day and still have to make decisions.

I agree that, in practice, it is often more useful to focus on likelihood, consequences, consequence trees, and residual risk than to try to justify precise probability distributions. Bounding impacts and thinking through failure paths is usually more robust, especially in complex systems where response actions can fail and secondary effects matter.

At the same time, I see this approach as a practical way of working under uncertainty rather than removing it. When we move from probability to likelihood, or rely mainly on consequence analysis, we are implicitly accepting that the numbers are shaped by assumptions, experience, and judgment, particularly in epistemic cases and in the presence of unknown unknowns.

That's really what I'm trying to understand better: how should we understand and use probabilistic risk assessments, if we accept bias and incomplete knowledge are unavoidable? In other words, what kind of confidence should we place in those numbers, and how explicitly should we acknowledge their limits when they are guiding real engineering decisions?

I would like to disagree:

• There is "aleatoric risk", like throwing a dice where the possible outcomes are known with 1/6 probability. This is also called  the "known unknowns".
• But there is also "epistemic risk", i.e. due to lack of knowledge the risk cannot be perceived and assessed. This is typically the case in engineeering before certain phenomena were recognized first time, such as soil lequifaction or the pressure sensitivity of the permeability of certain shistosic rocks (which led to the failure of Malpasset dam in France 1959). This is called the "unknown unknowns" and worse than uncertainty, as the mere existance of such kind of risk unknown ("black swan").

A useful concept - even though difficult to handle - is a "Damokles' sword" sort of risck, amounting to the product of (0 × ∞), as is the case for nuclear power plants.

I suggest we should rather discuss the possibilities to estimate likelihood (which is different from probability, if the distribution is not known) and impact/consequences. Usually the latter is easier to ascertain (value at risk), but if response actions fail which were supposed to work properly, assessing the impact may entail regarding conditional probabilities on the downstream side in the consequence tree. 

We might also discuss additional secondary risks created by preventive action, and the nature of residual risk, which is not the same as accepted risk. 

I like your proposal. To keep it simple and consistent with Frank Knight:

Risk: The possible outcomes are known, and probabilities can be assigned to them.

Uncertainty: The possible outcomes, their probabilities, or both are not known.

In real life many "risk models" are in fact uncertainty models built on assumptions. When those assumptions fail, risk collapses back into uncertainty.

Some argue that uncertainty disappears if one "believes" probabilities exist. However, this brings the discussion close to bias: subjective beliefs, prior assumptions, and model choices inevitably shape the probabilities we assign.

Key question: How can we rigorously distinguish between genuine probabilities and assumed ones, and how should we deal, cleanly and honestly, with irreducible uncertainty, if such a distinction is possible at all?

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

This has been a great discussion. Thanks to Olga for revitalizing the topic and to everyone who jumped in to share their insights and perspectives.

While trying to summarize the points made and do some independent reading, I came across the assertion that risk is a subset of uncertainty.

In this way, uncertainties, whether aleatory or epistemic, are always present. Risk is a construct to try to quantify how this uncertainty will impact one's achievement of an intended goal. Furthermore, biases are inherent in both the estimation of uncertainties and the quantification of risk. The quality of one's assessment of uncertainty and risk depends on awareness of these biases and taking corrective actions.

Thoughts on this?

This distinction between uncertainty and risk is something that Bill Mc and I want to include in the next update of the risk primer. We also want to acknowledge that risk is two-sided, another element that this discussion has raised.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.

I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

https://news.mit.edu/2010/explained-knightian-0602

Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

Searching for Frank Knight and risk and uncertainty will yield many more references.

How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.