Different people use different “tools” to inform what falls under that RMF and essentially improve their risk intelligence. One such “tool” was made popular by Donald Rumsfeld, who was US Secretary of Defence during the subprime mortgage crisis, some 20 years ago. This “tool” classifies risks based on Knowns and Unknowns. You can go onto YouTube and watch him deliver the speech, where he famously referenced the “Known Unknowns” – it’s actually quite funny because, on the surface of it, the audience of reporters didn’t seem to understand what he was saying – they just laughed.
In fact, if you listen and think about what he said, you then understand why it’s been used by risk managers and project managers ever since. Donald Rumsfeld didn’t create this thinking - it already existed in a lesser-known psychological construct called the Johari Window. The known unknown “tool” is a simple matrix that can help classify risks based on the knowledge that we have about them, offering another tool in your risk toolbox.
These 4 quadrants, when thought about, well considered, and debated, often provide valuable data and risk intelligence, not to mention a useful basis for refining assumptions, for example, as part of a Risk Control Self-Assessment (RCSA), project planning meeting, or a strategic risk brainstorm session with leadership.
Known knowns are facts that have been validated, but this can change over time. Known unknowns can be assumptions we haven’t or can’t validate and are essentially live risks. Both the known knowns and known unknowns are items we can proactively manage and thus seek to control. Unknown knowns and unknown unknowns (true surprises/shocks) are often dealt with reactively and warrant real focus and attention upfront to identify these blind spots and thus seek to shift them into the other categories.
Often, due to lack of time, work pressure or just poor planning and preparation, these are overlooked or neglected. I’m sure we have all been in meetings where these so-called unknown unknowns have presented themselves as live crystallised issues (often material and impactful) and someone exclaims “how did we not think about this?” or “why didn’t we see this coming?”. Like any good toolbox, there are some tools that just keep being useful and for me the known unknown matrix is one of those tools.
At Mosaic we work alongside clients to assess, design, and implement fit-for-purpose Governance, Risk and Compliance (GRC) frameworks. These frameworks align governance to RMFs and control activities and help ensure actual and potential threats to strategic objectives, business performance, operational efficiency, and resilience are well understood and managed appropriately. Within our expanded team of GRC experts, there is an industry-leading depth of knowledge and lived experience, which enables us to provide pragmatic advice and work with your business to ensure that fit-for-purpose and right-sized outcomes are delivered successfully.
Get in touch with one of our Governance, Risk & Compliance team to chat through how we can help you.