Ask a chief risk officer to describe their credit risk, interest rate risk, and operational risk and the answer comes back in detail. Ask about everything else, and the confidence usually drops. Managing known and unknown risks is the discipline of giving every one of those categories a defined home in the risk programme.

A four-quadrant model (known knowns, known unknowns, unknown unknowns, and unknown knowns) gives risk teams a clearer map for risk identification than a single register can. This guide walks through each quadrant and the practitioner techniques used to identify them.


The Four Quadrants at a Glance

A working definition for each category in the banking context:

  • Known knowns (risks identified and measurable with reasonable confidence)
  • Known unknowns (risks named but not fully quantified)
  • Unknown unknowns (risks not yet identified)
  • Unknown knowns (risks someone inside the institution knows about but has not escalated or actioned)

Known Known Risks: The Quantified Quadrant

Known known risks are the quantified risks already captured in the risk inventory, mapped to controls, and supported by data.

The types of risk in banking that populate this quadrant include:

  • Credit risk on a defined loan portfolio
  • Interest rate risk under Federal Reserve stress scenarios
  • AML transaction monitoring metrics
  • Market risk on a trading book
  • Capital adequacy versus regulatory requirements

Each has an established methodology, recognised scenarios, and reporting cadence. Banks manage them through:

  • A risk appetite statement
  • A control library
  • Key risk indicators
  • A calendar of stress tests

Internal audit and supervisory examination confirm that the controls are operating as designed, anchored by a documented risk management system. However, a risk that is well measured can still be miscalibrated: the model, the scenario set, or the data window can all be wrong while every KRI stays green. Known knowns are the safest quadrant to operate in only when the underlying assumptions are interrogated as carefully as the numbers they produce.

Known Unknown Risks: Working with Ranges

Known unknowns are risks the institution has named but cannot fully quantify. A typical entry could be, “the next CRE downturn could affect collateral values”, where the risk is identified, but how far values will fall, in which markets, and when are uncertain.

In 2026 this category includes:

  • The pace of further Federal Reserve adjustments
  • The timing and depth of CRE refinancing stress
  • The rate of customer adoption of new payment rails
  • The accuracy drift of generative AI models

Known unknowns risk management depends on techniques that work with ranges:

  • Scenario analysis risk management uses a small set of deterministic but illustrative scenarios (for example, a mild and a severe case) to bound the range of outcomes.
  • Sensitivity analysis isolates the input most likely to move the outcome.
  • Monte Carlo simulation extends both for portfolios where the distribution itself is important.
  • Qualitative likelihood-impact scoring fills the gap where data for quantitative work does not yet exist.
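The three quantitative techniques above can be run against the same portfolio model, which is the point of working with ranges: one loss function, fed by point values for a scenario, by one-at-a-time swings for sensitivity, and by random draws for Monte Carlo. The following is an added example and not code from the original page or any vendor product. The portfolio, the (low, mode, high) ranges for collateral decline, liquidation haircut and default rate, and the loss formula are all constructed, simplified assumptions for illustration, not a bank's actual model.

```python
"""Worked example: bounding a 'known unknown' (the next CRE downturn) with
scenario analysis, one-at-a-time sensitivity analysis and Monte Carlo simulation.
All figures below are constructed for illustration."""
import random
import statistics

# Constructed sample portfolio: (loan_balance, current_collateral_value), in USD.
PORTFOLIO = [
    (8_000_000, 11_000_000),
    (5_500_000, 6_500_000),
    (12_000_000, 15_000_000),
    (3_000_000, 3_200_000),
]

# Each uncertain input is held as a (low, mode, high) range, not a point estimate.
# These ranges are assumptions, not calibrated values.
ASSUMPTIONS = {
    "value_decline": (0.10, 0.25, 0.45),        # peak-to-trough fall in collateral value
    "liquidation_haircut": (0.05, 0.12, 0.25),  # discount taken on a forced sale
    "default_rate": (0.05, 0.15, 0.40),         # share of the book that actually defaults
}

# Deterministic scenarios: the best and worst corner of every range.
SCENARIOS = {
    "mild": {"value_decline": 0.10, "liquidation_haircut": 0.05, "default_rate": 0.05},
    "severe": {"value_decline": 0.45, "liquidation_haircut": 0.25, "default_rate": 0.40},
}


def portfolio_loss(value_decline, liquidation_haircut, default_rate):
    """Expected loss for one set of input values (simplified: shortfall on each
    loan after the collateral is marked down and sold, scaled by default rate)."""
    loss = 0.0
    for balance, value in PORTFOLIO:
        recovery = value * (1 - value_decline) * (1 - liquidation_haircut)
        shortfall = max(0.0, balance - recovery)
        loss += shortfall * default_rate
    return loss


def scenario_bounds():
    """Scenario analysis: evaluate the named deterministic scenarios."""
    return {name: portfolio_loss(**params) for name, params in SCENARIOS.items()}


def sensitivity():
    """One-at-a-time sensitivity: hold every input at its mode, swing one input
    from low to high, and rank inputs by how far the loss moves (tornado order)."""
    base = {name: rng[1] for name, rng in ASSUMPTIONS.items()}
    swings = {}
    for name, (low, _mode, high) in ASSUMPTIONS.items():
        at_low = portfolio_loss(**{**base, name: low})
        at_high = portfolio_loss(**{**base, name: high})
        swings[name] = at_high - at_low
    return dict(sorted(swings.items(), key=lambda kv: kv[1], reverse=True))


def monte_carlo(n=20_000, seed=1):
    """Monte Carlo: draw every input from a triangular distribution over its
    range and report the resulting loss distribution, not a single number."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(n):
        draw = {
            name: rng.triangular(low, high, mode)
            for name, (low, mode, high) in ASSUMPTIONS.items()
        }
        losses.append(portfolio_loss(**draw))
    cuts = statistics.quantiles(losses, n=100)  # 99 cut points: cuts[k-1] is the k-th percentile
    return {
        "mean": statistics.fmean(losses),
        "p50": cuts[49],
        "p95": cuts[94],
        "p99": cuts[98],
    }


if __name__ == "__main__":
    print("scenario bounds:", {k: round(v) for k, v in scenario_bounds().items()})
    print("sensitivity (loss swing, largest first):",
          {k: round(v) for k, v in sensitivity().items()})
    print("monte carlo:", {k: round(v) for k, v in monte_carlo().items()})
```

The scenario pair gives the committee a floor and a ceiling; the sensitivity ranking tells it which assumption deserves the most challenge (here the default-rate range, not the collateral decline, moves the loss furthest); and the Monte Carlo percentiles are what an appetite *range* is set against, in place of the single threshold a known known would use.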

Governance has to match: a single threshold breach in a known-knowns world becomes an appetite range in a known-unknowns world, and reassessment triggers become standing items on the risk committee agenda.

Unknown Unknown Risks: Surfacing Blind Spots

Unknown unknowns are the most dangerous quadrant precisely because they cannot, by definition, appear in the risk register. A risk the institution has not identified cannot be quantified, monitored, or controlled.

Recent unknown unknowns examples in financial services demonstrate the problem:

  • AI prompt injection attacks affecting customer-facing chatbots emerged before most institutions had identified them as a distinct threat.
  • Fourth-party SaaS dependencies have created concentration exposures invisible from standard vendor inventories.
  • Climate physical-risk transmission through commercial real estate has surfaced as a risk that most CRE underwriting frameworks did not previously capture.

Risks from this quadrant must progressively be moved into known unknowns where they can be managed. Several practitioner techniques are designed for this purpose:

  • Horizon scanning systematises review of weak signals for risks that have not yet manifested at the institution.
  • Premortems invert the planning frame by asking a team to imagine a failure has occurred and reason backwards.
  • Cross-industry loss event analysis, using consortium data such as the Operational Riskdata eXchange (ORX) or supervisory loss data, surfaces events that have happened to peers.
  • Red team exercises challenge management assumptions about strategy, products, and controls.

Internal audit alone does not surface unknown unknowns: audit confirms that controls work for risks already identified. The risk identification methods banks use to find unknown unknowns sit upstream of audit.

Unknown Known Risks: When the Organisation Already Knows

Unknown knowns are the quadrant most organisations are reluctant to talk about. They are risks someone inside the institution knows about, but that have not been escalated, documented, or actioned.

Certain patterns recur to create these risks, for example:

  • A line-of-business manager identifies a workaround for an end-of-life system but does not escalate it because the replacement is expected “next year.”
  • A compliance analyst notices a regulatory interpretation being applied inconsistently across business units but does not raise it because the inconsistency benefits one of them.
  • A data steward flags internally that a model’s training data is stale but is told a refresh is coming.

Unknown knowns emerge from information silos, fear of escalation, and an absence of psychological safety. Governance fixes target each of these aspects through:

  • Anonymous risk reporting channels that remove the personal cost of escalation.
  • RCSA challenge sessions that require business owners to defend their inventories to a sceptical audience.
  • 360-degree attestations that break the dependence on a single owner.

Comparing the Four Quadrants

The four quadrants of managing known and unknown risks differ in how they are identified, who owns them, and what techniques convert them from invisible to actionable.

  • Known known. At an FI: quantified, in the risk register; data and methodology established. Identification technique: KRI tracking, RCSA, control testing. Programme owner: first line plus risk committee.
  • Known unknown. At an FI: named but with a range of plausible outcomes. Identification technique: scenario analysis, stress testing, sensitivity analysis. Programme owner: risk function plus ALCO.
  • Unknown unknown. At an FI: not yet on the radar; absent from the register. Identification technique: horizon scanning, premortems, cross-industry loss-event review. Programme owner: strategy plus emerging risk forum.
  • Unknown known. At an FI: held tacitly somewhere in the institution, not escalated. Identification technique: anonymous reporting, RCSA challenge, 360-degree attestation. Programme owner: internal audit plus ethics function.

Frequently Asked Questions

How do banks identify unknown unknown risks?

Several practitioner techniques are designed for this purpose. Horizon scanning systematises review of weak signals across regulatory, technological, and geopolitical sources. Premortems invert the planning frame by asking a team to imagine a failure has occurred and reason backwards through plausible causes. Cross-industry loss-event analysis uses consortium or supervisory data to surface events that have happened to peers. Red team exercises stress-test management assumptions about strategy, products, and controls.

What is an example of an unknown known risk in banking?

A common pattern is a line-of-business manager who has identified an operational workaround for an end-of-life system but has not escalated it because the replacement is expected to “come eventually.” The risk is known to the manager but invisible to risk committees and internal audit. Anonymous reporting channels and RCSA challenge sessions are the primary ways institutions surface these.

How often should banks reassess their risk identification process?

Annual RCSA is the standard baseline at most institutions. Regulatory guidance also expects event-driven reassessments triggered by significant business changes, new product launches, material vendor changes, or following a loss event. Quarterly emerging risk reviews are increasingly common at larger institutions and at community banks under heightened supervisory attention.

Does scenario analysis cover unknown unknowns?

Scenario analysis is most effective for known unknowns. To cover unknown unknowns, scenario analysis has to be paired with horizon scanning, premortems, and tail-risk thought experiments that deliberately challenge the boundaries of the existing scenario library. A scenario library that only contains scenarios management is comfortable with will not, by construction, capture the surprises.

Where does the four-quadrant framework for risk management come from?

The framing was popularised by U.S. Secretary of Defense Donald Rumsfeld in a February 2002 press briefing, but its conceptual roots go back to the Johari Window, a 1955 model from psychologists Joseph Luft and Harrington Ingham. Risk practitioners extended the original three categories (known knowns, known unknowns, unknown unknowns) with a fourth, unknown knowns, to complete a 2×2 of what an institution knows and what it knows about that knowledge.

Supervisory expectations in 2026 increasingly assume that institutions can articulate which quadrant each risk currently sits in and which technique was used to identify it. Readers who want to extend this framework to a specific risk domain may find the broader operational risk management literature useful.
