"Issues are risks that have already occurred” is the standard view of the difference between what is popularly called “risk” and “issue”. But, that’s a superficial difference that does not take into account a major attribute of “risk”: objectives.

I had a recent discussion with a risk professional that went something like this:

Me: “I need to add ‘X' to the risk register. It’s a month until and the ‘X’ is nonexistent.”

RM: “Wait, it’s not done? We don’t have it? Then it’s not a risk, it’s an issue. You lot always confuse the two.”

Me: “…”

On the surface it seems like the RM was correct in stating that it’s an issue. The ‘X’ is nonexistent, so there’s an issue: an important control is not present. However, the objective is not to have the control ‘X’ right now. The objective is to have that control in a month’s time. The issue will be if the ‘X’ is not operational in a month’s time, not right now. There is a risk that ‘X’ will not be ready and that’s where risk management can help.

Issue: a risk that has already occurred.

Risk: effect of uncertainty on objectives.

In short: issues are only present if the objectives have not been met already. Otherwise it's a risk you need to manage.

Tags: risk, risk management, issue