Why Risks turn into Surprises

It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.

Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.

  1. Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these “unknown unknowns” are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but are either unexpected problems or unplanned benefits.
  2. Other risks are time-dependent, and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
  3. Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing are complete.
  4. The last group of risks which can remain hidden from the “risk radar” are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.

With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.

Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.

Generally speaking, successful risk management should result in fewer surprises. Risk management is like a “forward-looking radar”, scanning the uncertain future to identify serious threats that must be avoided or important opportunities that should be developed. Although it may not be possible to perceive every detail of the uncertain future, the goal of the risk process is still to expose particular areas of uncertainty and point out the best path to follow.

Despite this goal, the future does indeed still contain many surprises, both good and bad, yet some future uncertainties seem to be unforeseeable. There are four reasons why it is impossible to identify all risks in advance:

  1. Some risks are by nature unknowable. These are the true unknowns, latent uncertainties hidden in the future that nobody can perceive until they strike and deliver their surprise impact. In fact it would not be going too far to say that these “unknown unknowns” are not a kind of risk at all, because by their very nature they cannot appear in the risk process. Although no longer regarded as risks, they are still unexpected problems or benefits; until they occur, it is as if they do not exist.
  2. Some risks are time-dependent and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks lie below the time horizon. Such risks cannot be identified until a closer point in time; until they appear above the time horizon they remain latent and unidentifiable.
  3. Some emergent risks are unforeseeable because they are progress-dependent; they cannot be identified until a certain stage of progress has been completed. It is like a risk that exists at the back of a building: unless I walk round behind the building and gain a new view, I cannot discover the risk, and while I stand in my original position in front of the building, this risk cannot be seen. By the same reasoning, some integration risks cannot be seen until the code has been written and testing is complete.
  4. The last category that the “risk radar” cannot detect is response-dependent risks, also known as secondary risks, which appear only when a response action is taken against some existing risk. Before the action is taken this risk does not exist, so of course they cannot be seen before the response action has been identified.

With so many ways in which risks can remain hidden from our forward-looking radar, and since we cannot identify unknowable risks, emergent risks or secondary risks, it seems that risk identification is doomed to fail; yet this is exactly why risk management cannot be done only once but must be repeated regularly. The goal of risk identification is to identify all the risks that can be known at this point in time, while recognising that some risks are currently hidden from view; identifiable risks should be assessed and appropriate actions developed. However, the risk process must be carried out repeatedly, going back to identify risks that have become visible with the passage of time; this includes risks that have appeared because time has passed and a certain stage of progress has thereby been reached, as well as secondary risks produced by taking response actions.

Unfortunately, even for the most expert user of the “risk radar”, risks whose nature is unknown will still turn into surprises; however, routine updates can minimise the situations in which risks that are invisible today but become visible later turn into surprises.