Risk Management


How do you distinguish between risk and uncertainty?

  • 1.  How do you distinguish between risk and uncertainty?

    Posted 11-21-2025 08:23 AM

    I recently received a request from ASCE for my support in developing the ASCE CEC Early Career cross-discipline certification. This request prompted me to review the CEBOK, which includes a section on Risk and Uncertainty. It further prompted me to examine the distinction between risk and uncertainty. I found this reference to Frank Wright

    https://news.mit.edu/2010/explained-knightian-0602

    Frank Knight was an idiosyncratic economist who formalized a distinction between risk and uncertainty in his 1921 book, Risk, Uncertainty, and Profit. As Knight saw it, an ever-changing world brings new opportunities for businesses to make profits, but also means we have imperfect knowledge of future events. Therefore, according to Knight, risk applies to situations where we do not know the outcome of a given situation, but can accurately measure the odds. Uncertainty, on the other hand, applies to situations where we cannot know all the information we need in order to set accurate odds in the first place.

    Searching for Frank Knight and risk and uncertainty will yield many more references.

    How do you view the difference between risk and uncertainty? Sharpening this distinction would help everyone.



    ------------------------------
    Mitch Winkler P.E.(inactive), M.ASCE
    Houston, TX
    ------------------------------


  • 2.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-22-2025 01:07 AM
    It's a statistical data availability for predicting casuality and uncertainty comes from suppression of incidents and absence of report correctly the loss of lives and materials.
    FCEng: Alex Thomas MASCE PE 

    Thanks & Best Regards,
    Alex Thomas BSc, C.Eng(I)
    FIE(I) REng M.ASCE





  • 3.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-26-2025 09:47 AM

    The CEBOK does a good job of distinguishing between risk and uncertainty, defining risk as "... the most likely consequence of a particular hazard or vulnerability combined with the likelihood or probability of it occurring." That definition, distinct from uncertainty, is consistent with the definition given in the Risk Primer developed by this community.

    I'm not enthusiastic about the CEBOK's almost constant linking of uncertainty to risk by using the phrase "Risk and Uncertainty" instead of just "Risk." While risk includes the effects of uncertainty, each term stands on its own. Risk also includes probability and consequences but we don't lump all those words into one label. Risk is risk.

    Bill Mc



    ------------------------------
    William McAnally Ph.D., P.E., BC.CE, BC.NE, F.ASCE
    ENGINEER
    Columbus MS
    ------------------------------



  • 4.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-26-2025 10:38 AM
    Risk is money, no pain no gain, behind risk it's always have been care. Uncertainty is another statement of risk. Risk occurs because that uncertainty prevailing. It's certainly sun rises tomorrow but not sure about the other woman attack.
    FCEng Alex Thomas MASCE PE 

    Thanks & Best Regards,
    Alex Thomas BSc, C.Eng(I)
    FIE(I) REng M.ASCE





  • 5.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-26-2025 11:37 AM
    Edited by Mitchell Winkler 11-27-2025 08:01 AM

    For a profession that relies on precision, the lack of precision on this topic does not speak well for the profession. We can and must do better. 

    We have an opportunity in this community to sharpen these definitions and develop a consensus view. This would be a huge value add to the profession, especially our younger members. 

    I suggest we adopt Frank Knight’s definition of uncertainty as a starting point in our efforts to improve precision.

    ------------------------------
    Mitch Winkler P.E.(inactive), M.ASCE
    Houston, TX
    ------------------------------



  • 6.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-28-2025 12:52 PM

    In daily language "risk" is connotated with hazard, whereas uncertainty is more neutral and includes also opportunities. This coincides with the meaning of the Latin word "riscare" which means sailing around a cape (i.e. risks of ship wrecking deliberately taken for the sake of entrepreneurial rewards, e.g. by Vasco da Gama searching for spices in India).

    Insisting on the term "risk" to be likewise positive ("upstream risk") or negative ("downstream risk") appears to be difficult. Hence the loose practice to speak of "risks & uncertainties" -- which should more precisely be replaced by "threats & opportunities".

    Note also that usually there are many uncertainties, which don't really matter in terms of success or failure of an undertaking. Hence David Hillson coined the memo: "Risks are uncertainties that matter".



    ------------------------------
    J.-Martin Hohberg
    Dr.sc.techn, M.ASCE FED
    Sr. Consultant, IABSE e-Learning Board
    Bremgarten / Berne, Switzerland
    ------------------------------



  • 7.  RE: How do you distinguish between risk and uncertainty?

    Posted 11-29-2025 06:01 AM
    Thanks for sharing your insight and connecting this community to David Hillson, aka the Risk Doctor. I think Hillson nails it with his phrase: "Risks are uncertainties that matter". Hillson's website contains over 140 briefing notes that should be of interest to our community. All are potential topics for discussion. These briefing notes include a discussion on opportunities and threats, that you also touched upon.
     
    I think we should consider developing a glossary of risk-related terms. This would help others as they revise documents like the CEBOK, and help sharpen understanding.
     
    https://risk-doctor.com/



    ------------------------------
    Mitch Winkler P.E.(inactive), M.ASCE
    Houston, TX
    ------------------------------



  • 8.  RE: How do you distinguish between risk and uncertainty?

    Posted 12-16-2025 12:11 PM

    I agree that Hillson's "Risks are uncertainties that matter" is true but is inadequate as a definition because it's incomplete and can be misunderstood. It's incomplete because it lacks explicit mention of consequences. Embedding consequences in "matter" ignores uncertainty bars on measurements and model results, which may or may not be of consequence. It can be misunderstood as a false equivalency, since uncertainties aren't necessarily risks (that matter).

    A glossary is an excellent idea. ISO 31000 defines a number of terms related to risk management and offers a place for us to start on a CE risk management glossary.

    Bill Mc



    ------------------------------
    William McAnally Ph.D., P.E., BC.CE, BC.NE, F.ASCE
    ENGINEER
    Columbus MS
    ------------------------------



  • 9.  RE: How do you distinguish between risk and uncertainty?

    Posted 12-16-2025 03:24 PM

    I like "Risks are uncertainties that matter" as a zeroth-order explanation of risk. I agree that it's not a sufficient definition per the points you made.  

    I also think "Risks are uncertainties that matter" is far clearer than what's in the CEBOK.

    Maybe an exercise for this group is to sketch out a more cogent section on risk and uncertainty to replace what's currently in the CEBOK.



    ------------------------------
    Mitch Winkler P.E.(inactive), M.ASCE
    Houston, TX
    ------------------------------



  • 10.  RE: How do you distinguish between risk and uncertainty?

    Posted 12-17-2025 12:19 PM

    Dear Bill Mc,

    Risk is generally defined as "probability x consequences", hence the consequences are included in the definition. The aspect of consequences as such, however, is indeed not covered when discussing uncertainties, nor in discussing hazards.

    As a former member of the Swiss mirror committee to ISO 31000, I once developed the following picture:

    Obviously the consequences depend on the context; moreover, failing controls and lack of effectiveness of mitigation measures -- whether reducing likelihood or consequences -- also contribute to the risk.



    ------------------------------
    J.-Martin Hohberg
    Dr.sc.techn, M.ASCE FED
    Sr. Consultant, IABSE e-Learning Board
    Bremgarten / Berne, Switzerland
    ------------------------------



  • 11.  RE: How do you distinguish between risk and uncertainty?

    Posted 12-18-2025 10:09 AM

    Thanks, J-Martin. That's an interesting graphic.

    Bill Mc



    ------------------------------
    William McAnally Ph.D., P.E., BC.CE, BC.NE, F.ASCE
    ENGINEER
    Columbus MS
    ------------------------------



  • 12.  RE: How do you distinguish between risk and uncertainty?

    Posted 2 days ago

    I like your proposal. To keep it simple and consistent with Frank Knight:

    Risk: The possible outcomes are known, and probabilities can be assigned to them.

    Uncertainty: The possible outcomes, their probabilities, or both are not known.

    In real life many "risk models" are in fact uncertainty models built on assumptions. When those assumptions fail, risk collapses back into uncertainty.

    Some argue that uncertainty disappears if one "believes" probabilities exist. However, this brings the discussion close to bias: subjective beliefs, prior assumptions, and model choices inevitably shape the probabilities we assign.

    Key question: How can we rigorously distinguish between genuine probabilities and assumed ones, and how should we deal, cleanly and honestly, with irreducible uncertainty, if such a distinction is possible at all?



    ------------------------------
    Olga Marin
    Tafur Marin Ingenieria Estructural SAS
    +57 3148944222
    Colombia
    olgalmarinc@...
    ------------------------------



  • 13.  RE: How do you distinguish between risk and uncertainty?

    Posted 20 hours ago

    I would like to disagree:

    • There is "aleatoric risk", like throwing a die where the possible outcomes are known with 1/6 probability. This is also called the "known unknowns".
    • But there is also "epistemic risk", i.e. due to lack of knowledge the risk cannot be perceived and assessed. This is typically the case in engineering before certain phenomena were recognized for the first time, such as soil liquefaction or the pressure sensitivity of the permeability of certain schistose rocks (which led to the failure of Malpasset dam in France 1959). This is called the "unknown unknowns" and worse than uncertainty, as the mere existence of such kind of risk is unknown ("black swan").

    A useful concept - even though difficult to handle - is a "Damocles' sword" sort of risk, amounting to the product of (0 × ∞), as is the case for nuclear power plants.

    I suggest we should rather discuss the possibilities to estimate likelihood (which is different from probability, if the distribution is not known) and impact/consequences. Usually the latter is easier to ascertain (value at risk), but if response actions fail which were supposed to work properly, assessing the impact may entail regarding conditional probabilities on the downstream side in the consequence tree. 

    We might also discuss additional secondary risks created by preventive action, and the nature of residual risk, which is not the same as accepted risk. 



    ------------------------------
    J.-Martin Hohberg
    Dr.sc.techn, M.ASCE FED
    Sr. Consultant, IABSE e-Learning Board
    Bremgarten / Berne, Switzerland
    ------------------------------




  • 14.  RE: How do you distinguish between risk and uncertainty?

    Posted 7 hours ago

    Thanks for the clarification. I'm not a risk-management specialist, but I'm very interested in this topic because, as engineers, we deal with risk and uncertainty every day and still have to make decisions.

    I agree that, in practice, it is often more useful to focus on likelihood, consequences, consequence trees, and residual risk than to try to justify precise probability distributions. Bounding impacts and thinking through failure paths is usually more robust, especially in complex systems where response actions can fail and secondary effects matter.

    At the same time, I see this approach as a practical way of working under uncertainty rather than removing it. When we move from probability to likelihood, or rely mainly on consequence analysis, we are implicitly accepting that the numbers are shaped by assumptions, experience, and judgment, particularly in epistemic cases and in the presence of unknown unknowns.

    That's really what I'm trying to understand better: how should we understand and use probabilistic risk assessments, if we accept bias and incomplete knowledge are unavoidable? In other words, what kind of confidence should we place in those numbers, and how explicitly should we acknowledge their limits when they are guiding real engineering decisions?



    ------------------------------
    Olga Marin
    Tafur Marin Ingenieria Estructural SAS
    +57 3148944222
    Colombia
    olgalmarinc@...
    ------------------------------