Friday, December 29, 2023

Tacit Risk: An Uncharted Territory in Global and Philippine Risk Management

Author: Jaime Menor Jr.

Disclaimer:

The information on Tacit Risk Blog is meant merely as a general reference and is not meant to take the place of expert counsel or services. Even though we try to provide insightful information on risk management, every case is different and sometimes calls for the knowledge of a trained specialist.

You understand that using this website entails using the information at your own risk. To address your unique risk concerns, we strongly advise you to speak with a specialist. This website's writers and creators disclaim all responsibility for any choices or actions made in response to the information on the site. 

Introduction

The term "tacit risk" doesn't have a widely recognized or standardized definition in the context of risk management in the Philippines or globally. However, I can provide you with a general understanding of the terms involved.

  1. Tacit Knowledge:

    • Tacit knowledge refers to knowledge that is not easily expressed or formalized. It is the type of knowledge that is often intuitive, experiential, and deeply rooted in an individual's personal insights and experiences.

    • In the context of risk management, tacit knowledge might be the unspoken understanding or insights that individuals within an organization possess based on their experiences, instincts, and observations.

  2. Tacit Risk in the Philippine Context

In the Philippines, risk management is governed by various laws and regulations, including the Risk Reduction and Preparedness Act of 2010 (Republic Act No. 10121) and the Implementing Rules and Regulations of the Disaster Risk Reduction and Management Act of 2010. These frameworks emphasize the importance of identifying, assessing, and mitigating risks that could impact organizations' objectives and operations. However, they often focus on quantifiable risks, leaving tacit risks somewhat unaddressed.

Considering these definitions, "tacit risk" in the Philippine context could refer to risks not explicitly stated or documented but instead based on the implicit knowledge held by individuals. For example, employees might notice subtle shifts in the political landscape or local market dynamics that could affect the organization’s operations but may not articulate these concerns formally. This could lead to potential pitfalls, such as misaligned strategies or missed opportunities.

Real-World Scenario: Typhoon Preparedness

A poignant example of tacit risk in the Philippines is the management of disaster risks, particularly regarding typhoons. The country is prone to natural disasters, and agencies such as the National Disaster Risk Reduction and Management Council (NDRRMC) are mandated to implement preparedness measures.

Consider a scenario in a local government unit (LGU) during a typhoon season. While there are formal disaster preparedness protocols in place, such as the creation of evacuation centers and relief distribution plans, local officials may have tacit knowledge regarding the community's unique vulnerabilities based on past experiences. For example, a barangay captain may understand that certain neighborhoods are more susceptible to flooding due to their geographical features, a detail that may not be captured in the formal risk assessment.

If this tacit knowledge isn't communicated to decision-makers or included in the formal disaster risk management plan, it could lead to inadequate responses during an emergency. The NDRRMC's guidelines emphasize the need for local knowledge to inform risk management strategies, highlighting the importance of integrating tacit insights into formal frameworks.

Conclusion

Tacit risk represents an essential aspect of risk management that organizations, including those in the Philippines, must acknowledge. By recognizing the value of tacit knowledge and incorporating it into risk assessment processes, organizations can improve their preparedness and resilience against potential threats. Formal regulations, such as the Risk Reduction and Preparedness Act of 2010, provide a solid foundation for risk management, but the integration of personal insights and experiences can enhance these efforts significantly.

By fostering an organizational culture that encourages the sharing of tacit knowledge, businesses and public entities can make more informed decisions and ultimately create a more resilient society.

It's essential to note that the terminology and concepts in risk management can vary across industries and organizations, and new terms may emerge over time. If there have been developments or changes in terminology, I will try to incorporate them on this blog.



About the author:

The author is a distinguished professional known for his expertise in risk management across various sectors. He holds a Bachelor of Business Administration in Marketing from the Polytechnic University of the Philippines and an MBA in Management from Mondriaan Aura College in Subic. With over a decade of experience in Environmental Management System and Quality Management System auditing, he is a certified Six Sigma Greenbelt. His diverse career includes roles as an Accounting Clerk, Network Administrator, and Regional Marketing Manager, as well as positions in government agencies. As a Quality Management Representative, he developed systems that enhanced quality and operational efficiency, demonstrating his capability to drive positive change.

Reference:

  • Republic Act No. 10121 - An Act Strengthening the Philippine Disaster Risk Reduction and Management System.
  • National Disaster Risk Reduction and Management Council (NDRRMC).

Sunday, December 24, 2023

    Unveiling the Unseen: Navigating Tacit Risks in Risk Management

    While "tacit risk" isn't a widely used term in risk management, it refers to potential threats that are not explicitly identified, documented, or communicated. Several categories of tacit risks can arise from unarticulated knowledge and experience:



    1. Intuition and Expertise:

    • Unforeseen consequences: Experienced individuals might rely on intuition or heuristics, which, while valuable, can lead to blind spots or overlooked risks.
    • Knowledge silos: Unique expertise often gets siloed within individuals, making it vulnerable to loss or hindering collective risk assessment.
    • Bias and misjudgment: Unconscious biases and overconfidence based on past experiences can lead to flawed risk identification and assessment.

    2. Organizational Culture and Communication:

    • Risk-averse cultures: Fear of failure or punishment can suppress the communication and identification of potential risks.
    • Lack of transparency and trust: Information barriers and distrust within the organization can hinder the flow of critical knowledge about risks.
    • Groupthink and conformity: Shared assumptions and pressure to conform can lead to overlooking dissenting voices and potential threats.

    3. External Factors and Uncertainty:

    • Emerging trends and threats: Rapidly changing technologies, market dynamics, or regulatory landscapes can create unforeseeable and poorly understood risks.
    • Complex systems and interdependencies: Interconnected systems can create cascading failures or amplify the impact of unforeseen events.
    • Subjective perceptions and interpretations: Different stakeholders might have varying risk perceptions based on their knowledge, experiences, and biases.

    Examples of specific tacit risks:

    • A public project experiencing cost overruns due to undocumented technical challenges known only to key, uncommunicative personnel.
    • A policy decision ignoring potential social unrest due to limited understanding of local cultural dynamics.
    • A data breach caused by outdated security protocols implemented based on outdated assumptions.

    Managing tacit risks requires proactive strategies like:

    • Fostering a culture of open communication and risk awareness.
    • Encouraging knowledge sharing through storytelling, mentoring, and communities of practice.
    • Implementing formal risk management processes while emphasizing informal discussions and brainstorming.
    • Challenging assumptions and biases regularly.
    • Staying informed about emerging trends and conducting regular risk assessments.
    • Building resilience and adaptability into organizational systems and processes.

    Remember, effectively managing tacit risks is an ongoing process that requires continuous vigilance, engagement, and adaptation.

    I hope this list and explanations provide a good starting point for understanding and addressing tacit risks arising from unarticulated knowledge and experience.

    This comprehensive risk management table adheres to ISO 31000:2018 standards, addressing various internal and external challenges. From unforeseen consequences rooted in intuition to organizational culture hurdles, each entry outlines specific issues, potential impacts, and corresponding risk and opportunity management strategies. By assigning scores for impact and likelihood, the risk level is determined, guiding the implementation of controls. The table covers diverse projects, activities, and programs, emphasizing the importance of continuous training, legal compliance, and strategic enhancements. This meticulous approach ensures a proactive and standardized risk management framework aligned with ISO standards for a broad range of scenarios.

    | Sequence | Applicable ISO Standard | Statement of Relevant Issues/Needs & Expectations (Uncertainties) | Specific Issues & Concern | Type of Issue | Interested Parties (List Specific Clients/Customers Involved) | Effect/Impact on Objective & Goal | Risk (Negative Effect + Uncertainties = Risk) | Opportunity (Positive Effect + Uncertainties = Opportunity) | RO Owner (Primary Person Responsible for Assessing and Managing the Ongoing Risk) | Compliance Obligation (Applicable Law in the Philippines) | Control Implemented (Measure) | Risk Impact (Score Rating 1, 2, 3) | Likelihood (Score Rating 1, 2, 3) | Risk Score (Risk Impact x Likelihood) | Risk Level (1-2=Low, 3=Medium, 6 & 9=High) | Project, Activity, Programs (PAPs to Address Risk/Opportunity) |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 1 | ISO 31000:2018 | Unforeseen consequences: Experienced individuals might rely on intuition or heuristics, which, while valuable, can lead to blind spots or overlooked risks. | Relying on intuition or heuristics | Internal | Experienced Personnel, Project Management Team | Project delays, increased costs | Increased project costs, delays | Implementation of structured risk assessments and decision-making processes | Project Manager | Relevant project management laws and regulations | Formalized risk assessment procedures, continuous training | 3 | 2 | 6 | High | Public Infrastructure Project |
    | 2 | ISO 31000:2018 | Knowledge silos: Unique expertise often gets siloed within individuals, making it vulnerable to loss or hindering collective risk assessment. | Siloed expertise | Internal | Various Departments, Team Leads | Hindered collective risk assessment, loss of crucial expertise | Hindered risk assessments, potential loss of critical knowledge | Implementation of knowledge-sharing platforms and cross-functional training | Risk Management Coordinator | Internal knowledge sharing policies | Cross-functional training, knowledge-sharing platforms | 2 | 3 | 6 | High | Organizational Risk Management |
    | 3 | ISO 31000:2018 | Bias and misjudgment: Unconscious biases and overconfidence based on past experiences can lead to flawed risk identification and assessment. | Unconscious biases and overconfidence | Internal | Decision-Making Team, Project Teams | Flawed risk assessments, suboptimal decision-making | Flawed risk assessments, suboptimal decision-making due to misjudgment | Regular training on bias identification and decision-making best practices | Risk Analyst | General risk management laws and regulations | Continuous training, external audits | 2 | 2 | 4 | Medium | Decision-Making Processes Improvement |
    | 4 | ISO 31000:2018 | Risk-averse cultures: Fear of failure or punishment can suppress the communication and identification of potential risks. | Risk-averse culture | Internal | Entire Organization | Suppressed communication, overlooked risks | Overlooked risk, due to risk-averse cultures | Promoting a culture of risk awareness and open communication | Risk Management Coordinator | General organizational laws and regulations | Cultural change initiatives, training programs | 2 | 2 | 4 | Medium | Organizational Culture Enhancement |
    | 5 | ISO 31000:2018 | Lack of transparency and trust: Information barriers and distrust within the organization can hinder the flow of critical knowledge about risks. | Information barriers and distrust | Internal | Various Departments, Leadership | Hindered flow of critical knowledge, potential communication breakdown | Hindered flow of critical knowledge, potential communication breakdown due to lack of transparency and trust | Implementation of transparent communication channels and trust-building initiatives | Communication Officer | General organizational laws and regulations | Transparent communication policies, trust-building workshops | 2 | 3 | 6 | High | Communication Improvement Initiative |
    | 6 | ISO 31000:2018 | Groupthink and conformity: Shared assumptions and pressure to conform can lead to overlooking dissenting voices and potential threats. | Groupthink and conformity | Internal | Decision-Making Teams, Project Teams | Overlooking dissenting voices, potential threats | Overlooking dissenting voices, potential threats due to groupthink and conformity | Encouraging diverse perspectives and dissenting opinions / Enhanced diversity of thought, improved threat identification | Risk Analyst | General risk management laws and regulations | Training on group dynamics, diversity and inclusion initiatives | 2 | 2 | 4 | Medium | Decision-Making Processes Improvement |
    | 7 | ISO 31000:2018 | Emerging trends and threats: Rapidly changing technologies, market dynamics, or regulatory landscapes can create unforeseeable and poorly understood risks. | Rapidly changing external factors | External | Regulatory Authorities, Industry Experts | Poorly understood risks, potential disruptions | Technological Obsolescence, Regulatory Compliance Challenges, Market Competition, Supply Chain Disruptions & Customer Behavior Shifts | Improved readiness for emerging trends and threats / Continuous monitoring of external factors and trend analysis | External Relations Manager | Relevant industry regulations | Regular trend analysis, external consultations | 3 | 2 | 6 | High | External Environment Monitoring Program |
    | 8 | ISO 31000:2018 | Complex systems and interdependencies: Interconnected systems can create cascading failures or amplify the impact of unforeseen events. | Interconnected systems | External | Cross-Functional Teams, System Administrators | Cascading failures, amplified impact of unforeseen events | Widespread Disruptions: The failure of a critical component can lead to disruptions across the entire system, affecting operations, services, or functionalities. Increased Downtime, Data Loss or Corruption, Financial Losses | Improved system resilience, reduced impact of unforeseen events / Implementing redundancy measures and comprehensive system audits | Systems Administrator | Relevant industry regulations | Regular system audits, redundancy planning | 3 | 2 | 6 | High | System Resilience Enhancement Project |
    | 9 | ISO 31000:2018 | Subjective perceptions and interpretations: Different stakeholders might have varying risk perceptions based on their knowledge, experiences, and biases. | Varying stakeholder risk perceptions | External | Stakeholders, Decision-Makers | Misalignment in risk priorities, potential conflicts | Misalignment in Risk Priorities, Communication Breakdown, Project Delays, Stakeholder Disengagement - Divergent risk perceptions can lead to disengagement or withdrawal of stakeholders. | Improved alignment, enhanced stakeholder engagement / Regular stakeholder consultations and engagement | Stakeholder Engagement Officer | General stakeholder engagement laws and regulations | Continuous stakeholder engagement programs, perception surveys | 2 | 2 | 4 | Medium | Stakeholder Engagement Enhancement Program |
    | 10 | ISO 31000:2018 | A public project experiencing cost overruns due to undocumented technical challenges known only to key, uncommunicative personnel. | Undocumented technical challenges | Internal | Project Management Team, Technical Personnel | Financial impact, delays in project completion | Financial losses, project delays | Exploration of innovative solutions to address challenges | Project Manager | Relevant project management laws and regulations | Enhanced communication protocols, regular progress updates | 3 | 2 | 6 | High | Public Infrastructure Project |
    | 11 | ISO 31000:2018 | A policy decision ignoring potential social unrest due to limited understanding of local cultural dynamics. | Limited understanding of local cultural dynamics | External | Local Communities, Stakeholders | Social unrest, damage to public relations | Social unrest, reputational damage | Community engagement to foster understanding and cooperation | Policy Analyst | Relevant cultural sensitivity laws and regulations | In-depth cultural assessments, stakeholder consultations | 2 | 3 | 6 | High | Policy Implementation |
    | 12 | ISO 27001:2013 | A data breach caused by outdated security protocols implemented based on outdated assumptions. | Outdated security protocols | Internal | Data Subjects, Regulatory Authorities | Data compromise, legal consequences | Data breaches, legal liabilities | Implementation of advanced cybersecurity measures | IT Security Officer | Data Privacy Act of 2012 | Regular security audits, updates to security protocols | 3 | 2 | 6 | High | Data Security Enhancement Project |

    Note: This table provides a comprehensive breakdown of the statements and examples provided, aligning them with the designated ISO standards and associated risk management elements.



