I'm sure you'll have your own examples, but when I think about the ISO 27001 definition, I instantly relate it to driving my car.
I know that by driving a car on a public highway, notwithstanding how carefully I drive, there's a "residual risk" of an accident—the unknown. However, what I do know is that I can massively reduce the likelihood of that accident happening if I've got my seat belt on, have serviced the car properly and remember my driving lessons and experience from years of being behind the wheel. In other words, I'm actively treating the risk and safeguarding myself and my passengers.
In my example, I've considered the likelihood of an essentially "unknowable" risk (that is, we know traffic accidents are an ever-present risk, but we can't reliably know when that risk will manifest itself as some kind of incident). There are, however, other categories of risk, and most of us will no doubt remember former U.S. Secretary of Defense Donald Rumsfeld's famous classification of risk into three categories: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
To deal with risks in the category of "known knowns," organisations identify, assess and manage risks to avoid surprises. Many organisations use a risk management information system to monitor and reduce residual risk across four evaluation criteria:
Residual risks that fall into the categories of "known unknowns" and "unknown unknowns," however, are inherently more difficult to identify than the "known knowns." Doing so relies heavily on the experience of risk managers and company directors, assisted with accurate data from across the organisation.
A challenge during the risk assessment process is to reduce the presence of unknown risk. But one of the big questions here is whether it is possible to prevent and, consequently, manage risks in the "unknown unknowns" category at all. If so, how? Does it require the input of multi-disciplinary teams? Keeping an open mind and thinking creatively when assessing risks? Reducing the likelihood of a risk by analysing historic data and applying the learnings from real-life cases?