Project Risks and Issues – What’s the Difference?

If engaged in combat with enemy forces, we want every available tool to ensure safety and a successful mission.

risky investment

Photo courtesy of

Imagine watching an aircraft radar system. When we first see enemy aircraft, we know there is potential harm. We have risk – we may experience an airstrike resulting in damage to buildings, contents, and harm to people.

Now imagine the aircraft firing and striking a strategic site. At the point of the strike occurs there is no longer uncertainty about the threat. The event has occurred resulting in negative effects. We no longer have a risk – we have an issue or problem.

Let’s further explore the differences between risks and issues and understand why it matters.

What is Risk?

The Project Management Body of Knowledge (PMBOK) defines risk as, “An uncertain event or condition that, if occurs, has a positive or negative effect on one or more project objectives.” In the analogy above, we had an uncertain event of a potential airstrike. The uncertainty concerns the risk, not necessarily the cause.

Here is another example:

  • Cause: Lack of requirements validation
  • Risk: Project team may not meet the user’s needs
  • Impact: Will be more costly and take longer to correct

Let’s assume a project team decides to skip the requirements validation. The cause is certain, but the risk remains uncertain. Why? There may be lots of requirements defects or none.

What is an Issue?

When a threat occurs, it becomes an issue or problem. When an opportunity occurs, it becomes a benefit. The problem or benefit is certain.

Why Does It Matter?

Are we splitting hairs? The distinction between risks and issues matters for a few reasons.

  • Proactive Management Saves Time. “An ounce of prevention is worth a pound of cure.” Project managers should manage risks proactively. PMs will save valuable time through prevention. As often noted, PMs can eliminate up to 90% of threats through risk management.
  • Provides a Measure of Management Effectiveness. If a PM is experiencing many issues, it may be a sign that the PM did not do an adequate job of planning. Tracking risks separately from issues allows the PM to determine the effectiveness of the planning and make adjustments as needed.
  • Different Type Response. Where we may have previously been mitigating or preventing a threat, issues require a different response. Issues require corrective action to bring the performance of the project in alignment with the project management plan. Unknown risks or risks accepted passively require workarounds.

Other Terms – Assumptions and Constraints

While we are on this topic, let’s clarify two other terms – assumptions and constraints.

  • Assumptions. Assumptions are “a factor in the planning process that is considered to be true, real, or certain, without proof or demonstration” according to the PMBOK. Assumptions may be a source of risks. Be sure to perform an assumption analysis periodically to validate assumptions.
  • Constraints. A constraint is “a limiting factor that affects the execution of a project, program, portfolio, or process.” Constraints such as a budget or schedule constraints are factual. The PM must continually consider these defined limits when managing risks, particularly when planning risk responses.

Question: Do you know project managers who spend most of their time curing problems rather than managing their project? Why do some PMs fail to proactively reduce threats and the loss of benefits?

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 thoughts on “Project Risks and Issues – What’s the Difference?

  1. Not convinced that the differentiation between risk and issue adds any value. Even though the risk has occurred (i.e. it is now an issue in terms of the differentiation) there is still uncertainty regarding the impact and the objectives that will be impacted. It is therefore still a risk – ISO 31000 makes it pretty clear that it is about the likelihood of the consequence occurring – not the risk (event/condition) itself.

    Hence the differentiation does not add to the debate IMHO.

    • Hi Quinton,

      Thanks for your feedback. If I see lots of threats becoming issues, I know that the PM (including myself) and the risk owners are not doing an adequate job of managing the risks. Issues typically take lots of time to address. If enough issues surface concurrently, the PM spends the majority of his/her time reacting to issues rather than being proactive with other PM duties. The project may spiral out of control.