There are a couple of words that are often interchanged and Riskczar would like to put an end to that. At the very foundation of ERM is the use of common terms across the organization so it’s important that we all talk the same talk.
What is a risk and what is an issue?
Risk is an uncertainty which has not happened yet, but could. You can assign a probability between 0% and 99% to a risk.
Issue is an event which has already taken place, and thus has an probability of 100%.
For example, if you are preparing for an H1N1 pandemic but have not been impacted by this pending threat, then this is a risk; perhaps you can assign a likelihood to this event (5%, 20%, 50%) and a corresponding dollar impact to your organization.
As of today, World Health Organization said that 2,837 people have been reported as swine flu fatalities. If one of those fatalities was your CFO or your Head of Sales or your mail room clerk, then your business has experienced some change, so what you are dealing with is an issue and not a risk. Any action plans you may have implemented to replace this person are related to an issue.
However, perhaps having suffered one fatality, you are more likely to add swine flu risk or increase the likelihood of a swine flu risk on your heat map. What if everyone at my organization is affected? Since this event has not yet occurred, this is a risk.
Got it?
Issue = happened
Risk = not happened yet
Great distinction between an issue and a risk. However, it raised a concern – is ERM about issues and/or risks? Once a risk becomes an issue, does it still “belong” to ERM? Do we continue to report on it, monitor it etc, or does it move from our radar and is captured on some report generated through the line?
should risk registers solely contain “risks” and should “issues” be relegated to another register?
From a tracking perspective, you continue to report on the outstanding action plans until it is completed or accepted regardless of issue or risk. In fact, this is the real value of ERM (along with leadership talking about risk) not the arguing over where to put the bubble on the heat map.
When you look at a heat map that organizes risks according to impact and likelihood, one usually chooses likelihood values like 1%, 5%, 10, 50% for example. If you think about it in probability terms, an issue, which has already occurred, is a risk with a 100% likelihood as it has already happened.
If you want to report issues separately because it removes the clutter of a visual aid like a heat map, go ahead. There is no right and wrong.