Quantum Risk: a wicked problem that emerges at the boundaries of our data dependency

Framing the problem

I am fighting bias and prejudice about risk perceptions; please read the next lines before you click off. We tend to be blind to “risk” because we have all lived it, read it and listened to risk statements: the ones on the TV and radio for financial products, the ones at the beginning of investment statements, ones for health and safety for machinery, ones for medicine, ones on the packets of cigarettes, the one when you open that new app on your new mobile device. We are bombarded with endless risk statements that we assume we know the details of, or just ignore. There are more books on risk than on all other management and economics topics together. There is an entire field on the ontologies of risk; such is the significance of this field. This article is suggesting that all that body of knowledge and expertise has missed something. A bold statement, but quantum risk is new, big, ugly, and already here; it's just that we are willingly blind to it.

At the end of the Board pack or PowerPoint deck for a new investment, an intervention case or the adoption of a new model, there is a risk and assumptions list. We have seen these so many times we don’t read them. These statements are often copies, and the plagiarism, often inaccurate, of risk statements is significant; no effort is put in, as such statements have become a habit in the process methodology. The problem we all have with risk is that we know it all. Quite frankly, we see risk as the prime reason to stop something, and occasionally to manage it closer, but never to understand something better. If you are operating a digital or data business, you have new risks that are not in your risk statement; you have not focussed on them before, you are unlikely to have been exposed to them, and this article is to bring them to your attention. Is that worth 8 minutes?

Many thanks to Peadar Duffy whom I have been collaborating with on this thinking, and he has published a super article on the same topic (quantum risk) here 

The purpose of business 

We know that 3% of our data lake is finance data today; shockingly, 90% of our decisions are based on this sliver of data (source: Google). As we aim for a better ratio of “data : decisions” that includes non-financial data, we will make progress towards making better decisions that benefit more than a pure shareholder primacy view of the world. As leaders, we have a desire to make the best possible decisions we can. We fuse data, experience and knowledge to balance our perception of risk, probability and desired outcomes.

The well-publicised “Business Roundtable” report in Aug 2019 redefines a corporation’s purpose to promote ‘An Economy That Serves All … [Americans]’. The idea that company purpose should be closer to ecosystem thinking has been gaining prevalence since the financial crisis in 2008. The thinking has significant supporters such as Larry Fink, BlackRock’s founder and CEO, who is an influential voice for ESG reporting and promotes changes to decision-making criteria for better outcomes. His yearly letters are an insightful journey.

Sir Donald Brydon's Dec 2019 report highlights that governance and audit need attention if we are to deliver better decisions, transparency and accountability. The report concludes that audit has significant failings and our approach to tick box compliance is not serving directors, shareholders or society to the level expected. Given that so much of our risk management depends on the quality of the audit, internal and external, it is likely that we are unduly confident in data that is unreliable. This point alone about audit failure could be sufficient for this article’s conclusion; however, we are here to explore Quantum Risk. Quantum Risk only exists because of the business dependency we now have on data from our co-dependent supply chains to dependent ecosystems.  

Quantum Risk is NEW  

As a term from physics that describes particles’ properties, “quantum” will help frame new risk characteristics. The primary characteristics of quantum particles’ behaviour are the uncertainty principle, composite systems and entanglement. In language I understand, these characteristics for Quantum Risk are:

  • When you observe the same risk twice, it might not be there, and it will look different.

  • The same risk can be in many places simultaneously, but it is only one risk.

  • Your risk and my risk directly affect each other across our data ecosystem; they are coupled but may not be directly connected.

Framing Risk

Risk, like beauty, privacy, trust, transparency and many other ideals, is a personal perspective on the world; however, we all accept that we have to live with risk.

Risk, and the management of risk, fundamentally assumes that you can identify it first.  If you cannot identify the risk, there is no risk to consider or manage. 

Having identified the risk, you assess the risks to categorise and prioritise them using the classic impact vs likelihood model. 

Finally, the management (review and control) of risk determines if you are doing the right things or action is needed.  

It is possible to add a third axis to the classic likelihood/impact risk model: “quality of knowledge.” The third axis visually highlights that a focus on high risks accumulates the most knowledge, as that is where the management focus and control is required, and it needs data which becomes knowledge. A deficit in knowledge because of poor data translates into increased risk, hidden at any point in the matrix. Poor data (knowledge) can mean that either the impact (consequence) will be more severe or the likelihood (probability) is higher. In part, we can overcome poor data problems by recognising that they always exist, but poor data easily hides the rather current issues of pandemics and systemic risk. However, if the quality of knowledge is based on erroneous data (data without rights and attestation), we have no truth to the likelihood and impact.


Some sophisticated models and maths help qualify and understand risk depending on its nature and size. However, the list of risks that any one company faces is defined, specified and has been thought about over a long period. Uncovering new risk is considered unlikely; however, it is this that we are exploring, and given our natural confirmation bias towards risk (we know it), this is hard.

Classic risk models are framed to gain certainty, where risk is the identification, understanding, management and control of uncertainty. Existing risk models are highly efficient within this frame of reference, and we can optimise to our agreed boundaries of control with incredible success. Risk within our boundary (sphere of direct control) is calculated, and it becomes a quantified measure, enabling incentives to be created that provide a mechanism for management control. Risk outside our boundary (indirect control on a longer supply or value chain) is someone else’s risk, but we are dependent on them to manage it. Such dependencies are vital in modern global businesses. We have developed methodology (contracts) and processes (audit) to ensure that we are confident that any risk to us, inside or outside of our direct control, is identified and managed.

However, as leaders, we face three fundamental issues on this move to an economy that serves broader eco-systems as the boundaries we are dependent on have become less clear.  

1. The quality of the data and implied knowledge we receive from our direct and dependent* eco-system, even if based on audit for financial and non-financial data, is unreliable and is increasingly complicated due to different data purposes and ontologies.

2. The quality of the knowledge we receive from our indirect and interdependent** eco-system, even if based on audit for financial and non-financial data, is unreliable and is increasingly complicated due to different data purposes and ontologies.

3. Who is responsible and accountable at second and third-order data boundaries? (Assumption: the first boundary is direct and already in control in our risk model.)

* Dependent: balancing being able to get what I want by my own effort as contingent on or determined by the actions of someone else to make it work.

** Interdependent: combining my efforts with the efforts of others to achieve successful outcomes together, but it does not have to be mutual or controlled.

Risk as a shared belief has wider dependencies. 

Who is responsible and accountable at second and third-order data boundaries? (Point 3 above) introduces the concept of second and third-order boundaries for broader (inter)-dependent ecosystems. This short section explains where those boundaries are and why they matter in the context of a business’s purpose moving toward a sustainable ecosystem (ESG.)

The figure below expands the dependency thinking into a visual representation. The three axes are values/principles as a focus [self, society, planet earth], who has accountability/obligations [no-one, an elected authority such as a director, society or all of humanity], and the health of our eco-systems (prime, secondary, tertiary and all).

The small blue area shows the limitations of our current shareholder primacy remit, where Directors have a fiduciary duty to ensure that their prime business thrives and value is created for shareholders (stakeholders) at the expense of others. Having a healthy ecosystem helps (competition, choice, diverse risk, margin). As envisaged by the Business Roundtable, a sustainable ecosystem is the orange area, expanding the Directors’ remit to more eco-systems and embracing more of a “good for society” value set, but it does not increase director accountability. ESG v1.0 widens the remit to the green area; this step-change expands all current thinking and dependencies of any one player on others in a broader ecosystem. We become sustainable together.

How is it possible for unidentified risks to exist?

In simple terms, there is no new unknown risk; however, what is known to someone may not be known by everyone. Risk is hiding in plain sight. As we are expanding our remits as discussed in the last section above, we are increasingly dependent on others managing their risk to the same level we manage risk and share data across the ecosystem. This is where Quantum Risk arises, at the boundaries, in the long-tail of the universe of risk.

In the figure below, The Growing Universe of Risk, we are very good at the management of insurable, measurable known:known (identified and shared) risk. We are also very good at un-insurable, measurable (impact, likelihood, knowledge) known:unknown risk, mainly because the determined likelihood of occurrence and impact is moderate. Indeed, we have created excellent tools to help mitigate and accept uninsurable, un-measurable “unknown:unknown” risk. In mitigation, we accept that the data quality (knowledge) is poor, but the impact is low, as is the likelihood.

Quantum risk is the next step out; it is emergent at the boundaries of the (inter)-dependencies created as we build sustainable ecosystems where we share data. We are increasingly reliant on data from players indirectly related to our ecosystem, over whom we have no power or control. We have no rights to data and no clue on attestation. Quantum risk is not in our current risk model or existing risk frameworks, and is unimagined to us.

Business Risk Vs Data Risk

Business risk is something that every business has to deal with; Kodak and Nokia dealt with it perhaps not as well as, say, IBM, Barclays or Microsoft. Mobile phone networks should have seen mobile data services coming, and therefore the advent of international voice and video apps, which meant there was always going to be a natural decline in SMS, local and international mobile revenue. Most rejected this business risk in 2005, only seeing growth in core areas. However good hindsight is, apps such as Signal, WhatsApp and Telegram came about due to the timing of three interrelated advances, which created business risk: device capability, network capability and pricing. Device designers and manufacturers have to keep pushing technology to keep selling devices; device technology will always advance. Network capacity was always going to increase, and packet-switched capability has massive economies of scale over voice circuits. Large, fast packet circuits were always going to win. Pricing by usage prevents usage; bundles work for increasing capacity. For a mobile operator, the objective is to fill the network capacity that is built to maximise ROI; bundles work, as do apps that move revenue from one product to the next. This is a business risk created by change and dependencies on others in your ecosystem. Quantum risks are a business risk but hide in data.

Data Risk falls into three buckets.   

  1. Data that you collect directly as part of the process of doing business.  Critically you can determine the attestation (provenance and lineage) of the data, and it comes from your devices, sensors and systems.  There is a risk that you don’t collect, store, protect, analyse or know if the data is true.  In truth, this is the front end of the long tail in the universe of risk, and it is precisely where we put priority. Nothing new here.

  2. Data you collect from third parties with whom you have a relationship: a supplier, partner, collaborator or associate, or public data. Whilst you are likely to have the “rights to use data” (contract), you are unlikely to have “attestation” (provenance and lineage) of the shared data back to the origin. You will have access to summary or management levels (knowledge and insights), and you should have audit and other contractual agreements to check. There is often a mutual relationship where you both share data, both dependent on the data quality. The risk is that you don’t qualify, check, question or analyse this third-party data. In truth, this is another head-end risk of the long tail in the universe of risk, and it is precisely where we put significant resources. The exception will be public data, as there is no route to understanding bias, ontology or purpose; however, public data is not usually used exclusively for decision making, with one exception right now, ESG, and this worries me.

  3. Quantum Risk is a data risk where you have neither control of, nor access to, the data. Still, this data set has become critical to decision making as we move to sustainable ecosystems, stewardship codes and ESG. However, it requires us to dig into the dark and mysterious world of data ontologies, which we have to unpack quickly.


To explain your reasoning, rationale or position, you need to define how entities are grouped into basic categories that structure your worldview and perspective. If you have a different perspective, you will behave and act differently.  Such a structure is called ontology (how we view the world) and is related to epistemology (how do we know what is true and how we have gone about investigating/ proving it?). Ontology is a branch of philosophy but is critical in understanding data and information science as it encompasses a representation, formal naming and definition of the categories, properties and relations between the concepts, data and entities that substantiate one, many, or all domains of discourse. Think of data ontology as a way of showing the properties of a subject area and how they are related, by defining a set of concepts and categories that represent the subject. 

At this point you would have thought that, with 5,000 years of thinking about this, we would have one top-level ontology from which everything would flow. Alas, we don’t have one for anything. There is no black and white agreed way to look at anything in philosophy, physics, biology, humanities, data, climate, language, sound, knowledge, compute, behaviour and every other topic. This means that it is safe to assume your way of describing your world, in your organisation, through data is different from everyone else’s in your ecosystem. Those same data points represented in 1s and 0s mean completely different things in different ontologies. Your worst scenario is different ontologies inside your silos, which means you have different world views but may not know this. Ontology is one of the roles for a CDO, explored here.

Now to epistemology, which is concerned with the creation of knowledge, focusing on how knowledge is obtained and investigating the most valid ways to reach the truth. Epistemology essentially determines the relationship between the data, analyst and reality and is rooted in your ontological framework. Different data science teams can have the same data set and very different views, and then we add the statistics team. What truth or lies do you want? This matters when data is shared: how do you know what your business partner thinks is true about their data?

It only gets more complicated the more you unpack this, and I will write an article about this soon. However, as shown in the figure, knowing how you view the world in data does not guarantee that everyone else in your ecosystem has the same view. I have seen very few contracts for data sharing at business data levels share the ontology and mapping schedules between them. Yes, we often share at the naming/data dictionary level, but that is not ontology. Assuming that shared data has the same purpose between the partners is “quantum risk.” This risk is at the boundaries, and it only appears when you look. Imagine you are sharing data in your ecosystem on critical systems and, as you read this, you realise you have not asked the question about the different world views you and your partners have towards collecting, analysing, and reporting for data. The event is not the same thing. Remember, at the start, we know everything about risk. I am in the same bucket. This is all new.

Responses to Quantum Risk

I made two bold claims at the beginning. “The problem we all have with risk is that we know it all,” and “a bold statement, but quantum risk is new, big, ugly and is already here, it's just that we are willingly blind to it.” I wish it were easy, but Quantum Risk emerges at our digital business boundaries where we share data; the further we go out, the less attestation and rights we have. The complexity of Quantum Risk creates havoc with our existing frameworks and models as:

  • When you observe the same quantum risk twice, it might not be there, and it will look different.

  • The same quantum risk can be in many places at the same time, but it is only one risk.

  • Your quantum risk and my quantum risk directly affect each other across our data ecosystem, but they are not connected and not seen.

Given this, how do we respond? We need to get better at understanding the purpose of our data; we need to find CDO expertise to help us unpack our data ontologies and rethink what we consider to be boundaries for commercial purposes, which means revisiting our contracts and terms. One question for those who get this far: have you tested how your users understand your Terms and Conditions on data use and privacy? I have never seen it in a test schedule, as it is a barrier, not a value proposition. We tell users to “Click here” fast and trust us. It is an obvious gap to investigate with a partner when you depend on that data, it is shared with you, and your advertising model now depends on it.

Any good economist/strategist will immediately recognise the opportunity to game data at the boundary. How I can create an advantage, and what the implications are, is another whole topic to unpack.

As a final thought, will your corporation consider Quantum Risk? 

If your fellow senior leadership team is focused on the head end of the long tail, you will see a focus on implementing processes that align to regulation/rules/law and policies. You are likely to manage risk very well and be rewarded for doing so via cascading KPIs. Quantum risk will be thought about when there are best practices or a visible loss of competitive position.

Corporates with a more mature risk profile know there are loopholes, and whilst they have a focus on compliance, they have a hand in the lobby forums so they can benefit by putting risk onto others and gaining an advantage from being the owner of IP when the lobby work becomes policy. Quantum risk thinking will emerge when there is a clear identification of competitive advantage.

The most mature risk leadership teams are creating new thinking to ensure that they are sustainable and not forced to make retrospective changes because they just focussed on compliance and had delivery-based, KPI-linked bonuses. These are the pioneers in digital and will pick up quantum risk first.