There are a couple of words that are often interchanged and Riskczar would like to put an end to that. At the very foundation of ERM is the use of common terms across the organization so it’s important that we all talk the same talk.
What is a risk and what is an issue?
Risk is an uncertainty which has not happened yet, but could. You can assign a probability between 0% and 99% to a risk.
Issue is an event which has already taken place, and thus has a probability of 100%.
For example, if you are preparing for an H1N1 pandemic but have not been impacted by this pending threat, then this is a risk; perhaps you can assign a likelihood to this event (5%, 20%, 50%) and a corresponding dollar impact to your organization.
As of today, the World Health Organization has said that 2,837 people have been reported as swine flu fatalities. If one of those fatalities was your CFO or your Head of Sales or your mail room clerk, then your business has experienced some change, so what you are dealing with is an issue and not a risk. Any action plans you may have implemented to replace this person are related to an issue.
However, perhaps having suffered one fatality, you are more likely to add swine flu risk or increase the likelihood of a swine flu risk on your heat map. What if everyone at my organization is affected? Since this event has not yet occurred, this is a risk.
Issue = happened
Risk = not happened yet