We can manage risk better than we can manage uncertainty. In medtech cyber, there is a lot more uncertainty than well-characterized risk.
Uncertainty Scenario: A new drug is proposed in a population that sorely needs it. The clinical study showed weak signals of a severe risk, but the study wasn't large enough to sufficiently measure the risk. Therefore, we are uncertain of whether this drug causes severe life-threatening events.
Known Risk Scenario: A new drug is proposed in a population that sorely needs it. The clinical study showed a strong signal of a very low probability risk. The study's design and size were appropriate to characterize the risk. People who take the drug will certainly be at elevated risk of a severe life-threatening event.
In the uncertainty scenario, I want a lot more data about the risk before I decide to approve or take the drug. Maybe the risk of my death is much higher than we know? Maybe the risk isn't worth the tradeoffs?
In the risk scenario, I can weigh the low probability of severe consequences against the drug's benefit. I can take measures to avoid the risk. As a regulator, I could require the sponsor to implement a Risk Evaluation and Mitigation Strategy (REMS). As a patient, I can make an informed decision.
There will always be uncertainty; there will always be risk. When there is a decision to make (e.g., regulatory approval, commercialization approach, study design), treat uncertainty and well-characterized risk differently.
In medtech cyber, there is a lot more uncertainty than well-characterized risk.
~Shannon, the Optimistic Optimizer