Understanding the Difference Between Risks and Issues
In business and daily life, the terms “risk” and “issue” are frequently used. However, it is not uncommon to see these terms used interchangeably. In reality, there is a clear distinction between risks and issues, and understanding this difference enables you to select more appropriate response strategies. This article explains the essential differences between risks and issues based on international standards such as ISO 31000, ISO 9001, and PMBOK, and discusses appropriate approaches for addressing each.
In Simple Terms: The Difference in Time Axis
Let us first establish the most important point.
Risk = A problem that has not yet occurred (future possibility)
Issue = A problem that has already occurred (present reality)
This difference in time axis is the starting point for all other differences.
What is a Risk?
Definition in International Standards
Risk is defined in ISO 31000 (the international standard for risk management) as “the effect of uncertainty on objectives.” In simpler terms, it is “an undesirable event that may occur in the future.”
Understanding Through Concrete Examples
For example, the following are risks:
- “The launch of the new product next month may be delayed”
- “An important employee may resign”
- “We may suffer a cyberattack”
- “The factory may be damaged by a typhoon”
Note that all of these include the uncertainty of “may occur.”
Three Characteristics of Risk
Potential (not yet manifested): Risk is like the underwater portion of an iceberg. It is invisible, but it certainly exists.
Probabilistic (does not necessarily occur): Not all risks become reality. A risk with a 10% probability of occurrence happens, on average, only once in ten times.
Has impact (magnitude when it occurs): Even for the same “delay risk,” a one-day delay and a one-month delay have completely different magnitudes of impact.
What is an Issue?
Definition in Practice
An issue (also called a “problem”) is “an event that has already occurred and requires resolution.” It is an ongoing challenge that requires attention now.
Understanding Through Concrete Examples
The following are issues:
- “The launch of the new product is delayed by two weeks”
- “Key person Mr./Ms. A resigned last month”
- “There was unauthorized access to the internal system yesterday”
- “The factory roof was damaged by the typhoon”
The key point is that all are confirmed facts of what “happened” or “is happening,” not “may happen.”
Three Characteristics of Issues
Manifested (already visible): An issue is the above-water portion of an iceberg. It is clearly visible to everyone.
Definite (100% occurred): No discussion of probability is necessary. It has already happened.
Requires immediate response: “We’ll deal with it someday” is not sufficient. Action must be taken right now.
Why This Difference is Important
Evaluation Methods Are Completely Different
Risk Evaluation: Thinking on Two Axes
Risks are evaluated by “probability of occurrence” × “impact.” This is called a risk matrix.
| Impact | Low Probability | Medium Probability | High Probability |
| --- | --- | --- | --- |
| High | Caution Required | Top Priority Response | Top Priority Response |
| Medium | Monitor | Caution Required | Caution Required |
| Low | Acceptable | Monitor | Caution Required |
Example: “Risk of Losing an Important Customer”
- Probability of occurrence: Low (approximately 1% per year based on past performance)
- Impact: High (accounts for 30% of sales)
- → Treated as a “Caution Required” risk; implement regular relationship-strengthening measures
Issue Evaluation: Thinking on Three Perspectives
Issues are evaluated from the following perspectives:
- Scope of impact: How many people or departments are affected?
- Urgency: By when must it be resolved?
- Difficulty of resolution: How many resources are required?
Example: “Production Line is Stopped”
- Scope of impact: Large (affects production of all products)
- Urgency: Maximum (losses expand every hour)
- Difficulty of resolution: Medium (can be addressed with parts replacement)
- → Form a response team with top priority
Difference in Response Methods: Four Strategies vs. CAPA
Risk Response: Four Strategies (ISO 31000, PMBOK Compliant)
Avoid: Stop the activity that causes the risk.
Example: Cancel a business trip to a dangerous area
Mitigate: Reduce the probability or impact of the risk.
Example: Introduce a backup system
Transfer: Move the risk to another party.
Example: Purchase insurance, outsource work
Accept: Consciously do nothing while recognizing the risk.
Example: Accept risks with extremely low probability of occurrence and small impact
Issue Response: CAPA (Corrective Action and Preventive Action)
CAPA is the standard problem-solving approach required by ISO 9001 and other standards.
Step 1: Root Cause Analysis
Why did the problem occur? Find the root cause through methods such as “5 Whys Analysis.”
Step 2: Corrective Action
Resolve the current problem. This is a firefighting response.
Step 3: Preventive Action
Ensure the same problem does not occur again. Improve systems and processes.
Step 4: Effectiveness Verification
Confirm whether the measures are truly effective.
Practical Example: Project Schedule Delay
Treating as Risk (not yet delayed):
“At this rate, there is a risk of not meeting next month’s deadline”
→ Response: Prepare to increase personnel (mitigation), prepare for deadline extension negotiations (mitigation)
Treating as Issue (already delayed):
“With only one week until the deadline, progress is only 70%”
→ Response: Form an emergency team (corrective action), improve future estimation methods (preventive action)
Common Mistakes and Correct Usage
Mistake 1: Treating a Risk as an Issue
Panicking and responding to the risk that “sales may decline” as if it has already happened leads to overreaction.
Mistake 2: Treating an Issue as a Risk
Taking a leisurely approach to the issue of “the system is down” as if it were a risk allows damage to expand.
Tips for Correct Usage
Ask yourself: “Has this already happened? Or is it something that may happen in the future?”
Practice in Organizations: The Two-Wheel Approach
Separate Risk Management Meetings from Problem-Solving Meetings
Many successful organizations clearly separate these two types of meetings.
Risk Management Meeting (monthly, etc.):
- Identify new risks
- Review status of existing risks
- Review countermeasures
Problem-Solving Meeting (as needed or weekly):
- Share problems that have occurred
- Confirm response status
- Examine recurrence prevention measures
Clear Distinction in ISO Standards
ISO 9001:2015 (Quality Management System) specifies the following as separate requirements:
- Clause 6.1: Actions to address risks and opportunities (future-oriented)
- Clause 10.2: Nonconformity and corrective action (addressing current problems)
Summary: Both Prevention and Treatment Are Important
The difference between risks and issues is easy to understand when compared to medicine.
Risk management = Preventive medicine (measures to avoid getting sick)
Problem-solving = Therapeutic medicine (treatment to cure illness)
Both are necessary to maintain health. Similarly, both risk management and problem-solving are essential for the sound operation of organizations and projects.
Finally, remember that “today’s risk can become tomorrow’s issue.” Prevent problems from occurring through appropriate risk management, and if problems do occur despite this, resolve them quickly. Acquiring this way of thinking leads to success in all situations.
Supplement: Risk is Not Necessarily Just “Bad Things”
In the ISO 31000 definition, risk also includes “opportunities (favorable impacts).” For example, “it may sell better than expected” is also a risk. In practice, however, “threats (negative impacts)” are what is primarily dealt with, so this article has taken that perspective.