Article by Lizelle Wagner (AdvDip PM, Cranefield; PRINCE2 Practitioner)

Risks and Issues in project management are often confused and the two terms are frequently used interchangeably.  However, risks and issues are not the same thing and should be clearly identified and differentiated so they can be addressed correctly when they arise.

Defining a RISK

“As applied to a project, a risk is the possibility that an undesired outcome, or the absence of a desired outcome, disrupts your project.  Risk Management, then, is the activity of identifying and controlling undesired project outcomes proactively.” (Smith, 2002, p. 5).

PMBOK defines Project Risk Management as: “The process concerned with identifying, analysing and responding to uncertainty (throughout the project lifecycle).  It includes maximising the probability and consequences of adverse events to the project objectives” (Burke, 2008, p. 117).

APM bok defines Project Risk as: “Factors that may cause failure to meet the project’s objectives.” The objective of Project Management is to successfully deliver the project within time and within budget (Burke, 2008, p. 117).

A risk thus aims to identify and control uncertainty.  This uncertainty can be mitigated by:

  • identifying the probability of the occurrence of the risk;
  • understanding the consequences, or alternatives, if the risk event happens; and
  • determining what drives the risk, i.e. the factors that influence its magnitude of likelihood of occurrence (Smith, 2002, pp. 5-6).
  • Utilising a matrix to determine scores for the probability and likelihood.
  • Implementing action planning.
  • Utilising a risk register to keep record of risks and mitigation actions.

There are three essential facets to risk:

  • Uncertainty
  • Loss
  • Time component (Smith, 2002, p. 5)

Risk Action Planning:

There are four different routes of action to risk management:

  • Avoid the risk by reversing the decisions that were made that caused the risk to arise in the first place.
  • Transfer the risk to another entity.
  • Provide redundant paths to increase the likelihood of success.
  • Mitigate the risk by developing prevention and contingency plans.

Not all risks are manageable.  If a risk is more of an ongoing nag and has no time component, then the risk is irresolvable and cannot be managed.  The Project Manager may also decide to only manage a certain level of risk, e.g. only high risks and not low and moderate risks.

Risk Management is made up by three components, i.e.:

  • Risks
  • Opportunities
  • Issues

Defining an ISSUE

Events that are certain to occur are known as issues (Smith, 2002, p. 6).  Risk events that have occurred, also become issues (Smith, 2002, p. 122). Issues are just as important as risks and should be captured as they arise, while identifying risks.  However, they are managed quite differently, so once they are identified, they proceed on a different action-planning track (Smith, 2002, p. 6).

Issues have no uncertainty to manage, but the timing and impact on business can be managed.

Identifying Risk vs. Issue

The following diagram clearly illustrates whether or not an event should be captured as a risk or an issue and if it should be captured at all, as not all risks are manageable.



Burke, R. (2008). Introduction to Project Management. UK: Burke Publishing.

Smith, P. G. (2002). Proactive Risk Management. Boca Raton, Florida: CRC Press.