There are moments when a thinker’s entire worldview becomes apparent in just a few minutes. One such moment unfolded before American economists around 1950, when Frank Hyneman Knight—then president of the American Economic Association—argued with sharp irony against government price-setting and the illusion of predictable market control. The tone was sharp, the wit dry, the message relentless: whoever pushes prices below market levels creates scarcity; whoever fixes them above market levels creates surpluses. Knight mocked the fact that the public and politicians then stared in surprise at shortages and surpluses as if they were mysterious phenomena rather than the consequences of their own interventions. This was not merely economic polemic. It was a character sketch: Knight distrusted any way of thinking that pretended the world could be made smoother, clearer, and more predictable than it actually is.
A Philosopher Among Economists
It is precisely this distrust of apparent certainty that also fuels the core of his most famous contribution. Frank Hyneman Knight, born in Illinois in 1885, received his education at Milligan College and the University of Tennessee, earned his doctorate at Cornell University, and later taught at the University of Iowa before becoming a defining figure of Chicago economics at the University of Chicago. His students later included, among others, Milton Friedman, one of the most influential economists of the 20th century; George Stigler, economist and Nobel laureate; and James Buchanan, economist and co-founder of public choice theory. He became famous above all for his 1921 book "Risk, Uncertainty, and Profit." In it, he introduced a distinction that continues to resonate today in economics, corporate governance, and risk management: the distinction between risk and uncertainty.
Knight was never merely a narrowly specialized economist. His early philosophical training and his enduring skepticism toward grand theoretical simplifications explain why his texts often read less like technical treatises and more like conceptual exercises. He did not merely want to calculate, but to distinguish. His central question was: What exactly do we mean when we speak of uncertainty? And what can one do with this uncertainty mathematically?
This was precisely where his intellectual strength lay. Many authors before him had worked with probabilities, risks, and business opportunities. Knight, however, insisted that one must not lump two very different situations together. There are situations in which we can reasonably specify probabilities. And there are situations in which doing so is precisely impossible. Those who confuse the two may produce numbers, but they do not yet produce insight.
What Knight meant by risk
For Knight, risk was the calculable side of uncertainty. This refers to situations in which the possible outcomes are open-ended, but their probabilities are known or at least estimable with reasonable stability. Such situations can be handled relatively well using statistical and actuarial methods: one can estimate probabilities, calculate expected values, derive provisions or safety margins, and on this basis determine prices, reserves, or measures. In this sense, risk is a form of uncertainty that can be quantified, at least approximately, through data, experience, and sufficiently stable patterns.
A classic example is fire or auto damage within a large insurance portfolio. The individual claim remains uncertain, but collectively, reliable frequencies and average claim amounts emerge. Precisely because there are many comparable cases, probabilities, expected values, and capital requirements can be meaningfully modeled.
The situation is similar in industry or other sectors when recurring risk scenarios are assessed: for example, the probability of failure of a standardized machine component, the frequency of certain quality defects in a production process, or the probability of clearly defined disruptions in a supply chain. Here, too, the individual event remains open-ended, yet statistical patterns emerge across many comparable observations, on the basis of which one can determine loss expectations, safety stocks, maintenance intervals, or risk buffers. Risk is thus not the absence of uncertainty, but its statistically disciplined and methodologically manageable form.
What Knight Meant by Uncertainty
Uncertainty in the narrower, Knightian sense begins where the statistical disciplining of the future no longer holds. In such situations, not only are reliable outcomes lacking, but even robust probabilities for the possible states of the world are absent. Thus, one does not merely not know what will occur; one often does not even know which states should be meaningfully distinguished and with what distribution their chances of occurrence could be described at all. Precisely for this reason, no reliable expected value can be specified under genuine uncertainty. The future then appears not as a calculable lottery, but as a structurally open situation.
This zone also encompasses those rare, consequential events—often hastily "explained" in hindsight—that were later termed "Black Swans": not merely improbable manifestations of a known model, but events that lie outside the usual range of expectations and are therefore inadequately captured by existing categories, data series, and models.
This has far-reaching consequences. When entrepreneurial decisions are made in a world where not all relevant futures can be translated into known probabilities, then profit, for Knight, is not merely the return on capital or labor. It is also the premium for having to judge and act under uninsurable uncertainty. The entrepreneur is thus not simply an optimizer under given distributions, but someone who makes decisions about a future whose structure is itself only partially discernible.
A concrete example: cyberattacks, projects, and the supply chain
The conceptual difference can be illustrated particularly well using a concrete example from the field of cyber and technology risks. Let’s imagine a company migrating a central customer platform to a new cloud architecture, relying on multiple external service providers in the process, and simultaneously facing new attack vectors—such as AI-assisted phishing, novel attacks on identity and access management, or, looking ahead, cryptographic risks posed by powerful quantum computers. At first glance, one might lump all of this under the umbrella term "uncertainty." Upon closer inspection, however, the state of knowledge varies greatly.
For recurring and sufficiently observable phenomena, one can often speak of risk in the narrower sense: for example, regarding the frequency of certain phishing attempts, typical misconfigurations in standard cloud environments, known failure rates of technical components, or the average duration of standardized service interruptions. Here, there is sufficient empirical data to estimate probabilities, distributions, and expected values, at least approximately.
The situation is different when it comes to entirely new threat scenarios, where not only is the point of entry unclear, but the very nature of the problem remains undefined. This applies, for example, to the question of whether new AI-enabled forms of attack, previously unknown vulnerabilities in complex cloud dependencies, or quantum computers that will become practically usable in the future will undermine existing security architectures in a way that systematically overwhelms today’s models. In such cases, it is not merely unclear whether damage will occur, but often also which scenarios are even relevant, which causal relationships dominate, and whether reliable probabilities can be specified for them. This is precisely where true Knightian uncertainty begins.
In practice, these terms are often used interchangeably. This is precisely why a systematic comparison is helpful. The following table examines the same business context—a cloud migration with cyber and supply chain implications—from three different epistemological perspectives.
| Term | What is known? | Are probabilities reliable? | Concrete example | Appropriate method |
|---|---|---|---|---|
| Uncertainty (general term) | The future is open; not all relevant information is available. | Not automatically. Uncertainty initially only indicates that the outcome is open. | Overall, it is unclear how cloud migration, new attack vectors, regulatory requirements, and dependencies on third-party providers will develop together. | Problem structuring, conceptual work, delineation of data and assumptions |
| Risk (calculable uncertainty) | Possible outcomes and their frequencies can be described approximately based on experience or data. | Yes, at least approximately; expected values, distributions, or intervals are meaningful. | Historical frequency of certain phishing attacks, typical misconfigurations in standard cloud environments, known failure rates of technical components, or the average duration of standardized service interruptions. | Statistical models, frequency analyses, loss distributions, stochastic simulations, limits |
| Uncertainty (Knightian uncertainty) | It is unclear which states will actually be relevant and which model would be appropriate. | No, not in a robust form; a clean expected value would often be a false precision. | Whether new AI-enabled attack vectors, previously unknown vulnerabilities in complex cloud dependencies, or future practical quantum computers will undermine existing security architectures in a way that systematically overwhelms today’s models. | (Deterministic) scenario analysis, bow-tie analysis, various creativity methods, BCM and emergency management, early warning systems |
Table 01: A Comparison of Uncertainty (General Term), Risk, and Knightian Uncertainty
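The triage the table implies, as an added example that is not part of the original article: a scenario with enough stable frequency data is simulated as a compound Poisson loss model, while a scenario without such data gets no expected value and is routed to scenario methods. The thresholds, function names, and register values are assumptions constructed for illustration, and the dispersion check is only a crude proxy for "sufficiently stable patterns".

```python
import math
import random
import statistics

# Assumed triage thresholds (illustrative, not taken from the article).
MIN_YEARS = 5          # years of comparable observations required
MAX_DISPERSION = 3.0   # variance/mean of yearly counts; Poisson-like is ~1

def classify(yearly_counts, losses):
    """Return 'risk' if the frequency data look stable enough to model,
    else 'knightian' (no defensible probability estimate)."""
    if len(yearly_counts) < MIN_YEARS or not losses or sum(yearly_counts) == 0:
        return "knightian"
    dispersion = statistics.variance(yearly_counts) / statistics.mean(yearly_counts)
    return "risk" if dispersion <= MAX_DISPERSION else "knightian"

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for small annual frequencies."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(yearly_counts, losses, runs=20000, seed=1):
    """Compound Poisson model: Poisson event count per year, severity
    resampled from observed losses. Returns (expected loss, 95% quantile)."""
    rng = random.Random(seed)
    lam = statistics.mean(yearly_counts)
    totals = sorted(
        sum(rng.choice(losses) for _ in range(poisson(rng, lam)))
        for _ in range(runs)
    )
    return statistics.mean(totals), totals[int(0.95 * runs)]

def assess(scenario):
    kind = classify(scenario["yearly_counts"], scenario["losses"])
    if kind == "risk":
        mean, q95 = simulate_annual_loss(scenario["yearly_counts"], scenario["losses"])
        return {"name": scenario["name"], "class": kind, "expected_loss": mean, "q95": q95}
    # Knightian case: report no expected value rather than a falsely precise one.
    return {"name": scenario["name"], "class": kind, "expected_loss": None,
            "method": "scenario analysis, bow-tie, BCM"}

# Constructed sample register (all values invented for illustration).
REGISTER = [
    {"name": "phishing-led account takeover", "yearly_counts": [4, 6, 5, 3, 5, 6],
     "losses": [12000, 8000, 30000, 15000, 9000, 22000, 11000]},
    {"name": "quantum break of deployed cryptography", "yearly_counts": [], "losses": []},
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(assess(entry))
```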
Knight in Today’s Risk Management
For today’s risk management practice, this yields a sobering lesson: Where robust probability models are viable, they should be consistently utilized. Where Knightian uncertainty exists, however, statistical methods reach fundamental limits. In such cases, it is not sufficient to calculate probabilities of occurrence and expected values. Complementary scenario analyses, structured expert judgments, creativity methods for identifying novel development paths, emergency management, Business Continuity Management (BCM), and the explicit identification of model limitations and blind spots are required. This is precisely where Knight and modern risk management converge: not every open future can be modeled probabilistically; some problems remain, at their core, problems of judgment, structuring, and resilience.
In the practice of risk management, however, terminology is often not used clearly. Frequently, every threat, every buzzword, or every general trend is labeled a "risk," even though this initially identifies only a source of potential disruptions. Knight would insist on conceptual precision precisely at this point: A risk is not identical to a mere danger or threat, but presupposes a concrete connection to an affected object, a process, a goal, or a loss.
This is particularly evident in the realm of cyber risks. In many organizations—and unfortunately also in some information security standards—threats, such as ransomware, phishing, or insider attacks, are confused with concrete risks. "Ransomware," however, is not yet a complete risk in itself, but merely a category of threat. A concrete risk would be described more precisely: for example, that a ransomware infection of the identity management system causes the invoicing process to fail for five days, resulting in damage to liquidity, contracts, and reputation.
The bow-tie analysis offers a useful methodological tool here. It forces us to clearly distinguish between threats, causes, the actual top event, and the consequences. In this context, the top event should not already be a threat such as "ransomware" or "compromised privileged identities," but rather the disruption or failure of a critical business process—such as the invoicing process. To the left of this are the causes and threats that can lead to this process failure: for example, phishing, the misuse of privileged accounts, weaknesses in multi-factor authentication, misconfigurations in the cloud, or third-party provider outages. To the right of this are the concrete consequences of the top event: delayed or missing invoices, liquidity strains, contractual penalties, regulatory consequences, manual emergency processing, reputational damage, and, if applicable, subsequent disruptions in other processes. It is only through this clear structure that a general cyber threat becomes a clearly defined, analyzable risk for the company.
To put it another way: Knight teaches humility and conceptual hygiene at the same time. He was no enemy of calculation. But he was an enemy of the quiet delusion that any future can be mastered simply by dressing it in numbers. Risk is calculable. Uncertainty is precisely not. Those who blur this distinction do not create more control, but only a more elegant self-delusion.
Conclusion and Outlook
Frank Hyneman Knight’s enduring contribution lies not merely in a conceptual distinction, but in an intellectual warning that could hardly be more relevant to risk management today. Those who confuse risk with uncertainty easily overestimate the scope of models, metrics, and probability calculations. It is precisely here that the enduring sharpness of his thinking lies: Not every open future is a risk simply because a number is assigned to it. Some futures can indeed be modeled with useful stability; others elude precisely this form of controllability. They do not demand ever more sophisticated pseudo-precision, but rather judgment, scenario thinking, and methodological humility.
In practice, this means: Good risk management does not begin with the reflex to immediately produce probabilities of occurrence and expected values everywhere. It begins with the question of what kind of uncertainty is actually at hand. Is it a recurring, statistically reasonably stable phenomenon? Then probability models, distributions, and quantitative methods are useful and necessary. If, on the other hand, it is a novel, structurally open, or highly interconnected situation, then the language of classical risk quickly reaches its limits. In such cases, robust decision-making rules, qualitative structuring, expert estimates, bow-tie analyses, stress tests, and resilience considerations are also needed.
This distinction is becoming increasingly important, particularly in the modern corporate context. Geopolitical tensions, technological leaps, regulatory shifts, cyberattacks, project cancellations, reputational damage, or systemic supply chain disruptions often contain elements that can be statistically modeled; however, their overall character remains, in many cases, marked by Knightian uncertainty. This does not argue against quantification, but it does argue against the illusion that every relevant future can be reduced to a neat number. The true quality of a risk analysis is then not evident in the elegance of the model alone, but in the ability to openly identify its scope and limitations.
The outlook is therefore twofold. On the one hand, the importance of quantitative methods will continue to grow. Advances in data analysis, simulation, AI-supported pattern recognition, and real-time monitoring are expanding the scope of what can be modeled as risk in the narrower sense. On the other hand, as the complexity of systems increases, so does the zone of genuine uncertainty. The more organizations become networked, digitized, and dependent on external shocks, the more important it becomes to distinguish between calculable risk and structural openness. It is precisely at this boundary that it is decided whether risk management becomes a tool for realistic control—or merely a formal culture of reassuring numbers.
Knight thus reminds us of something that is easily lost in many management discourses: it is not control that represents the highest degree of rationality, but rather a sober understanding of the scope and limitations of one’s own models. Mature risk management recognizes that some problems can be calculated, while others must above all be structured, observed, and treated with caution. In this regard, Knight’s distinction is not a historical lesson but a methodological guidepost for the present. It guards against the fallacy that every number is already knowledge—and at the same time opens the door to a more sophisticated understanding of judgment under uncertainty.
Bibliography and further reading
- Knight, Frank Hyneman (1921): Risk, Uncertainty and Profit. Houghton Mifflin, Boston/New York 1921.
- Knight, Frank Hyneman (1935): The Ethics of Competition and Other Essays, Harper & Brothers, New York 1935.
- Knight, Frank Hyneman (1960): Intelligence and Democratic Action, Harvard University Press, Cambridge, MA 1960.
- Emmett, Ross B. (2009): Frank Knight and the Chicago School in American Economics, Routledge, London/New York 2009.
- Brooke, Geoffrey T. F. (2010): Uncertainty, Profit and Entrepreneurial Action: Frank Knight’s Contribution Reconsidered, in: Journal of the History of Economic Thought, Volume 32, Issue 2, June 2010, pp. 221–235, DOI: https://doi.org/10.1017/S1053837210000179




