Have you ever made a risk register? It’s a thing companies like to do to ‘map their risks’. They create a long list of things that could go wrong, and they assess each of them along two dimensions: severity and likelihood. If they realise a risk will have severe consequences and is likely to happen, they try and ‘mitigate’ that risk quickly.
The thing about risk registers is they’re often built on guess work. Sure, data plays a role where it can, but sometimes it comes down to a subject matter expert making an informed guess about how bad things could get, and how likely it is that the bad thing will happen.
This is not a treatise against guess work. Rather it’s an acknowledgement that we’re unlikely to escape it. It’s part of how we map, estimate, assess, and mitigate risk, and we should be aware of its usefulness, as well as its pitfalls.