“Issues are risks that have already occurred” is the standard view of the difference between what is popularly called “risk” and “issue”. But, that’s a superficial difference that does not take into account a major attribute of “risk”: objectives.
I had a recent discussion with a risk professional that went something like this:
Me: “I need to add ‘X’ to the risk register. It’s a month until
RM: “Wait, it’s not done? We don’t have it? Then it’s not a risk, it’s an issue. You lot always confuse the two.”
On the surface it seems like the RM was correct in stating that it’s an issue. The ‘X’ is nonexistent, so there’s an issue: an important control is not present. However, the objective is not to have the control ‘X’ right now. The objective is to have that control in a month’s time. The issue will be if the ‘X’ is not operational in a month’s time, not right now. There is a risk that ‘X’ will not be ready and that’s where risk management can help.
Issue: a risk that has already occurred.
Risk: effect of uncertainty on objectives.
In short: issues are only present if the objectives have not been met already. Otherwise it’s a risk you need to manage.