Distinguishing Issues versus Risks
Regardless if you are implementing Enterprise Risk Management (#ERM), Integrated Risk Management (#IRM), Operational Risk Management or all the above programs, there is value to the stakeholders in clearly distinguishing between issues and risks. Perhaps the following will help you in sharing this perspective.
An issue is different from but related to a risk. A risk is tied to an objective and associated with a trigger event and uncertain events or conditions. An issue can be independent of an objective.
Consider an example of the objective of driving a car from Halifax to Toronto by Tuesday in winter conditions. In this example:
- An issue is the fact that the car has bald tires.
- Given it is winter, the possible trigger events include freezing rain and excessive snow, which would result in uncertain driving conditions such as slippery roads and/or poor visibility.
- Considering the issue, very likely trigger events, and expected uncertain conditions, there is an elevated risk of crashing and not meeting the objective.
Alternatively, if there are no plans to use the car, the bald tires remain an issue only Without an objective requiring the use of the car, the trigger event will not be realized, and the risk will not manifest.
To maximize enterprise effectiveness and efficiency, consider the formal management of issues (Issues Management), possible trigger events (Threat Hunting), and the resulting risks (Enterprise Risk Management).
Good analogy and example that many can relate to!
Important post Rick. This is a good example of why I'm a big fan of the FAIR methodology.