Does your organization know the difference between risks, issues, and incidents when it comes to your risk management?
If you don’t, you’re not alone. Many organizations don’t fully understand the difference, and will mistakenly use the terms interchangeably.
Why does this matter? Because once you understand the terms correctly, organizations can better understand their risks and the mitigation activities needed.
For instance, a client may tell us that they have hundreds of risks when instead they actually have hundreds of issues—which results in a much different risk management approach!
Using proper risk terminology enables organizations to better communicate their risks internally and with third parties in order to be more proactive and identify proper mitigation activities.
Risks, issues, and incidents—what’s the difference?
Below are terms and brief explanations given for each of these risk terms and others closely associated, followed by an example to better paint the picture of how these risk terms might each be used in a given scenario.
|Risk||The potential (or likelihood) for something bad to happen.|
|Issue||When there hasn’t been appropriate mitigation to limit a given risk.|
|Incident||When something bad has happened (or the at-risk scenario became an actuality).|
A risk is the potential (or likelihood) of something bad to happen.
The key component to risk is that there is a potential loss at stake for your organization (whether it be financial, reputation, etc.).
Risks can be further broken down in a number of ways, including examining what type of risk it is, the impact (vulnerabilities at stake due to the risk), the likelihood, and the controls (the ability to intervene with a given risk).
When risks are found, follow-up actions will be required, including analyzing the risk, determining the cost to control said risk, and implementing the appropriate mitigation activities.
An issue (also often referred to as a finding or an observation) is when there hasn’t been appropriate actions taken to mitigate the risk to an acceptable level.
When an organization recognizes a risk and doesn’t take the necessary precautions to limit the risks (whether intentionally or unintentionally), it becomes an issue.
However, you can never get an organization’s risk completely to zero. Every organization must define and establish a level of risk that they’re comfortable with accepting—also known as risk tolerance.
(A finding is an instance when policies or actions to issue risk (also known as mitigations) do not go successfully, therefore creating a risk issue.)
An incident is when something bad has happened (but you don’t yet know if it was a loss event).
An incident involves some sort of negative event tied to a risk. This could be anything from IT-related risks like a data breach or physical risks like a tornado or an employee tripping and falling.
However, there can be a loss-event incidents and non-loss event incidents.
For clarity’s sake, we’re going to use a hypothetical scenario to exemplify the differences between the various risk terminologies and how they each uniquely affect any given risk situation. The scenario we’ll use here is if there was rain predicted in the forecast during your morning commute to work.
In this case, if there is rain predicted in the forecast, the risk is excessive dry cleaning costs or staff morale being lowered because they are getting wet from the rain while walking to the office.
If the staff is wearing nice clothes that could become damaged from the rain, the likelihood of this risk is high, and controls include bringing an umbrella or using a parking garage.
The risk then becomes an issue if you fail to perform the necessary mitigation activities (perhaps you left your umbrella at home or the parking garage was full).
In this case, you would encounter a risk incident when you inevitably get wet from the rain (the potential loss event in this case would be if your clothes required dry cleaning costs or if staff morale was indeed lowered).
Of course, there is much more nuance to a risk register, such as risk threats vs. vulnerabilities or inherent risk values (the likelihood and impact of something bad happening) vs. residual risk (when something bad may still happen but you’ve taken actions to reduce the risk).
However, knowing the key differences between risks, issues, and incidents is a hugely valuable first step when building out your risk database.
If you have any further questions about the nuances between the three or how to approach them differently in a risk management solution, contact us here.