GRC • 7 min read

Issues management vs. Risk management – What’s the difference and why does it matter?


In Governance, Risk, and Compliance (GRC), it’s fairly common to come across the misconception that issues and risks are essentially the same thing and therefore can be handled the same way. In reality, issues and risks are distinct but inseparable: two sides of the same coin, locked together in an eternal dance.

Understanding the relationship between them and shaping how you do things to leverage the energy of the dance is key to continuous improvement and strengthening against future problems. In other words, it is a value add of the risk management process if implemented right.

Here, we will cover what risks and issues are, how they relate to each other structurally, and how you can leverage that to help your business improve how it operates.

The difference between issues and risks

Risks are uncertainties that affect the business and/or operations. A risk has the potential to happen in the future, but if, when, and how it will affect us are not known quantities. The risk assessment process is about evaluating what potential events (threats or opportunities) would have the most effect on us and how likely they are to happen. This evaluation is used to prioritise the urgency with which they need to be addressed.

While ‘prevention’ is a nice ambition to have, the reality is that most risks can’t be completely prevented. The point in relation to threats is to reduce the potential impact, the likelihood of it happening, or both.

Issues/incidents are risks that have materialised and are affecting us now. An issue can be viewed as an ongoing problem while an incident is a defined event.

Issues/incidents management serves three key purposes:

  • Containment: Handle the issue/incident.
  • Mitigation revision: Issues/incidents materialising against a risk we are supposedly mitigating suggest possible problems with the mitigation measures or the implementation of those measures.
  • Risk identification: Issues/incidents can be indicators of risks we didn’t know we had. Each issue/incident of note must therefore be evaluated to determine whether it points to a risk whose future recurrence we need to mitigate.

How do they relate to each other structurally?

The relationship between risk and issue/incident is best viewed as a cycle – the proverbial ‘dance’. Many of our risks can be identified through discussions, previous experience, and so on, in which case the cycle starts at ‘RISK’ and ‘ISSUE’ provides feedback on mitigation effectiveness.

But quite often risks will be discovered through recurring issues or incidents, and the cycle starts at ‘ISSUE’. It is important that there are mechanisms in place to detect, collect, and analyse these in order to move onwards in the cycle and identify the relevant risk and mitigation.

Otherwise, it ends up as an escalating spiral of firefighting the same issues/incidents over and over again. Energy, resources, and bandwidth end up constantly circling the drain in an exhausting death-struggle, with high turnover and the loss of competent staff who get fed up.

How can I leverage the dance to strengthen my operations?

Risk management and issues management are part of the continuous improvement work – not an overnight magic wave of the wand. It takes time to get it right, and especially to get it all right. The risk assessment process is about prioritising what risks to work on first to make sure you get it right. But prioritising doesn’t mean forgetting about the rest or neglecting the lessons from issues.

It is always easier and cheaper to manage risks before they become serious issues. Firefighting issues is time-, energy-, and resource-consuming at the best of times, not to mention the reputational damage of constantly setting off and putting out internal and external fires. But issues/incidents are important indicators of how our risk mitigation and risk identification are working.

By connecting and collating data relating to issues and risks, and being able to analyse the two together, you can use occurring issues to strengthen your risk management and not have to waste your efforts and reputation on the same incidents again. Standardised controls embedded in your ways of doing business manage risk effortlessly, and by extension free up time from firefighting to be spent where it matters.

Depending on the size and complexity of your business this can be done in simple spreadsheets or in digital systems that allow you to track, match, and analyse risk and issue/incident data across entities and geographical areas, in order to continuously analyse and improve how you operate.
