Business Analyst Interview Question: What is the difference between a risk and an issue, including differences in how you identify, manage, and resolve them?
The difference between a risk and an issue is primarily about whether something has happened or not, and what to do about it.
A risk is anything that threatens the ability of an organization to conduct its business in the way it wants to, but it hasn’t happened yet. The Business Analysis Body of Knowledge (BABOK) defines risk a bit differently by focusing on the effect of the risk rather than the cause. It says a risk is “the effect of uncertainty on the value of a change, a solution, or the enterprise.”
Risks often come up in the context of a change a business wants to make or a solution the business wants to create (hence the BABOK definition.) Anytime you change an existing process or system, you create a risk that things just won’t work as intended. A change could break the existing system, or interact with it in unpredictable ways. A risk may also exist entirely outside the system, but which can happen as a result of a change to the system. For example, changing how much a system charges for a product may have consequences in the marketplace and customers.
Some of the business risks that can arise include:
- Strategic risks that threatens the organization’s strategic plans for conducting business
- System risks that can introduce unintended bugs or defects into a software solution
- Process risks that may disrupt how you conduct business day-to-day
- Compliance risks that threaten to run afoul of government laws and regulations
- Security risks that threaten the safety of your computer networks and data assets
- Financial risks that could cause the organization to lose money
A Business Analyst cares about risk because they can damage the business. A BA plays a key role in identifying these risks throughout a project’s life cycle. Once he does, he must bring them to the attention of the project manager. Either the BA or the PM must also keep a risk log to track:
- The likelihood that a risk will occur
- The severity of the risk should it ever occur
- A mitigation strategy to either prevent the risk from happening or to act upon it if it happens (that strategy could include doing nothing)
- The owner of the risk and its mitigation strategy (that is, the accountable party)
How about issues?
An issue is usually a risk that has actually happened. While risks are about things that could happen in the future, issues are what you get when a risk actually occurs.
A second cause of an issue is unresolved conflicts, especially early in the life cycle of a project. For example, a BA may be unable to proceed with a project because the stakeholders have not resolved disagreements between themselves about what the requirements should say.
Not to over-complicate things, but unresolved issues can raise new risks. For example, an issue arising from failure to agree on requirements can create a risk that a project may suffer delays.
While ideally an issue arises based on a previously identified risk, that is not always true. Sometimes an issue pops up out of nowhere. A Business Analyst must be prepared to jump on an issue to resolve it regardless of whether it was anticipated or not.
When a Business Analyst or other stakeholder identifies an issue, the project must take steps to address and resolve it. As with a risk log, the BA or PM may keep an issues log that tracks:
- An explanation of what the issue is about
- The severity of the issue (including whether it is acting as a “showstopper” that prevents the project from moving forward)
- The priority of resolving the issue versus other identified issues
- A description of the strategy/plan for resolving the issue
- The team/project/sprint/stakeholder that is accountable for resolving the issue
Again, the Business Analyst plays a key role in identifying and resolving issues because failure to do so can negatively impact the business.
Whether it’s a risk or an issue, either one will challenge a Business Analyst’s ability to quickly work with stakeholders to find a solution to the problem.
How would you answer a question about the difference between a risk and an issue? Leave your thoughts in the comments!