The international Standard on risk management (Risk Management—Guidelines ISO 31000:2018) defines a risk as “the effect of uncertainty on objectives”, where an effect may be positive, negative, or both, and can address, create or result in opportunities and threats.

In reality, this definition can be quite confusing for practitioners and difficult to implement.
Let’s explore this further:

• Firstly, an effect may not be uncertain…it may in fact be very certain. For example, many projects lack resourcing capabilities from the start, and may continue throughout the life of the project. The “Resourcing” risk is quite certain and has to be managed, noting it may contribute to other risks being identified.
• Many people talk about “opportunity risks” without really understanding what they are saying. In doing so, they confuse risk with opportunity. Opportunities arise from the active identification and management of risks and can significantly influence whether a risk should be accepted, regardless of whether the risk may be outside the accepted tolerance thresholds.
• The ISO definition influences many practitioners to state a risk incorrectly resulting in a risk statement that may in reality be:
  • a risk event
  • a risk consequence or
  • a source of risk.
• Doing so may render the risk completely invalid and question whether all of the analysis, evaluation and identified risk controls are accurate and can withstand external scrutiny.
• Generally, threats identify risks as the threat assessment should be undertaken prior to the risk assessment as the threats inform the risk assessment. Practitioners need to understand the difference between a threat and a risk.

So, in practical terms, what is a risk?
It is really quite simple. A risk is a disruptive event with consequences that may adversely impact objectives. So, let’s break down the key elements of this statement.

A disruptive event may include (without meaning to be exhaustive):

• The execution of a threat
• The eventuation of a hazard
• A change in proximity of when an activity may occur (for example, pushing back the 2020 Tokyo Olympics by 12 months due to COVID-19)
• A sudden reduction in budget
• An unforeseen reduction in resources
• A security breach or work health and safety breach
• Lack of governance and approved processes.

The consequence is the impact the event has on the objectives and is guided by the risk categories informing the context under which the risk assessment is undertaken. The consequence (or impact) statement is identified by assessing the disruptive impact on critical assets (both tangible and non-tangible) that enable the organisation to achieve its objectives.

Objectives are the key pillars of what the organisation must achieve and may be broken into sub-objectives…all the way down to Key Performance Indicators and Measures and, finally, tasks.

In the risk context, the risk categories are developed to identify tangible and non-tangible assets that enable the organisation to achieve those objectives.

It is important to ensure risks are focused on objectives, otherwise practitioners can fall into the trap of listing risks that really just tasking statements and not risks at all. Doing so will overinflate the risk register from say, 10 risks to 50.

In various program and project management texts, an issue is generally defined as “a risk that is realised”. This definition can cause considerable management problems and is confusing for practitioners.

A risk that is realised is not necessarily a significant event. If a risk rated Low were to eventuate (for example, Likelihood = Highly Likely, Consequence = Insignificant), you would not go running to the CEO saying you have an issue. You just manage it—in line with the approved risk management controls and authorised financial delegations. In short, it is a management activity.

Similarly, if a High risk were to be realised, you would still manage it consistent with the approved risk management controls—unless the realisation of that risk resulted in an issue.

An issue has several key components that should be carefully considered before formally raising it as an issue:

• It is a significant event that may be current or happening in the future. The term significant is based on whether the issue is impacting an asset that, in turn, is defined through the risk categories.
• The resolution of the issue is outside the approved delegation of the person or business unit raising the issue—a more senior authority is required to make a decision to resolve the issue.
• It is usual that external advice may be required to assist in resolving the issue. For example, there may be a requirement for legal, financial, security or ICT specialist advice to be gained in order to properly brief the more senior authority about the recommended resolution decision.

Failure to properly identify or resolve the issue may result in a risk, or the elevated risk rating of an existing risk. Here is an example of an issue:

• A project manager identifies the need for an increase of specialist ICT resources to ensure a critical project deliverable can meet the approved milestone. It will cost $650,000 to engage the specialist resources, but the project manager is only approved to spend up to $500,000. Authority to spend the additional money must be gained from the Chief Financial Officer (CFO). Failure to gain that authority will result in reputation damage to the project.
• An issue should be raised in the Issues Register seeking the approval of the additional money as failure to successfully resolve that issue will create a significant risk of reputation damage to the project (and potentially the organisation).
• If the cost to engage the specialist resources were only $150,000, the project manager would have made the decision and engaged the additional resources (if they were available) as it is within the project manager’s authorised financial delegation.
• If the CFO refused to authorise the additional expenditure, the project manager may choose to escalate the issue to the next higher authority, the Chief Executive Officer due to the reputational risk that may eventuate.