There is a particular type of organizational failure that is almost entirely preventable — and almost universally common. It is not the failure caused by a risk that nobody saw coming. It is the failure caused by a problem that everyone knew about, that sat in a tracker or a meeting agenda for months, that was repeatedly discussed and repeatedly deferred, and that eventually escalated into something far more damaging than it needed to be. This is not a risk management failure. It is an issue management failure. And the distinction matters enormously.
Risk management is about anticipating what could go wrong. Issue management is about dealing effectively with what has. Both are essential. But in most organizations, issue management receives a fraction of the attention and investment that risk management does — despite the fact that poorly managed issues are one of the leading causes of the regulatory findings, audit observations, operational failures, and reputational incidents that organizations work so hard to avoid.
What exactly is an issue — and how is it different from a risk?
The terms "risk" and "issue" are frequently used interchangeably in organizations — and this confusion is itself a problem. A risk is something that might happen. An issue is something that has happened, or is happening right now. Once a risk event occurs, it becomes an issue — and the management response required is entirely different.
A risk requires a response plan — something you prepare in advance to mitigate or accept the possibility of a loss. An issue requires an immediate management response — something is wrong right now and needs to be assessed, contained, remediated, and reported. When organizations treat issues as just another category of risk, they apply the wrong tools and the wrong mindset to something that requires urgency and accountability, not just assessment and monitoring.
Issues can take many different forms — and a robust issue management process needs to be equipped to handle the full range. Not all issues are operational failures. Many are more subtle: a control that is working but is not meeting its intended standard; a process that is compliant but creating unnecessary risk; a regulatory expectation that the organization is not quite meeting; a near-miss that needs investigation before it becomes an incident.
Where issues come from
Issues arrive from many directions simultaneously — and an organization that only captures issues from one or two sources is systematically missing part of its exposure. The four most common issue sources are:
Issues discovered through RCSAs, KRI monitoring, management review, or staff raising concerns. The gold standard — catching problems before others do.
Issues identified through internal audit, external audit, or regulatory examination. Important — but representing findings that slipped past the first two lines.
Issues arising from regulatory observations, enforcement actions, or legal challenges. Carry the highest urgency and reputational stakes.
Issues that emerge from actual operational failures — a system outage, a transaction error, a process breakdown, a near-miss event.
The distribution of issues across these sources tells an organization a great deal about the health of its risk and control culture. An organization that predominantly identifies issues through audit and regulatory review — rather than through its own monitoring and self-assessment — has a first-line ownership problem. The issues are being caught, but by the wrong people, too late, and at too high a cost.
The issue lifecycle — from identification to closure
Effective issue management is not a single act — it is a structured process with distinct phases, each of which needs to be executed well for the overall program to work:
Capture the issue clearly. Define what went wrong, where, and what the actual or potential impact is.
Rate severity. Understand root cause. Determine whether the issue is isolated or symptomatic of something broader.
Allocate clear ownership. Define a remediation plan with specific actions, milestones, and a realistic target date.
Execute the plan. Address the root cause, not just the symptom. Verify that actions taken have actually resolved the issue.
Validate resolution independently. Capture lessons. Update controls and risk assessments to reflect what was learned.
Each phase matters — and failures at each phase produce different and predictable problems. Issues that are not clearly identified cannot be properly assessed. Issues that are assessed but not properly assigned become orphaned. Issues that are assigned but tracked without genuine accountability do not get remediated. And issues that are closed without genuine validation reopen — often in a worse form, and often at the worst possible moment.
The severity question — why not all issues are equal
One of the most important design decisions in any issue management framework is how issues are rated for severity. A well-designed severity framework ensures that the most significant issues receive the most urgent attention — and that governance bodies receive a clear, prioritized view of what matters most.
A severity framework only works if it is applied consistently and honestly. The most common failure in issue severity rating is systematic under-rating — issues are rated lower than their true severity warrants, whether to avoid scrutiny, to manage reporting numbers, or simply because the connection between the issue and its potential consequences has not been clearly thought through. Organizations that consistently under-rate issues create reporting that looks reassuring but is systematically misleading.
What good issue management looks like versus what most organizations actually do
The accountability problem — why issues stay open too long
The single most consistent failure in issue management programs is not the identification of issues — most organizations are reasonably good at finding problems. The failure is in the management of issues once they have been found. And the root cause is almost always the same: accountability that is nominal rather than real.
A high-priority issue is identified. It is logged, rated, and assigned — to a team, or to a role, or to a senior person who is already operating at capacity. A target date is set. The first reporting cycle passes and the issue is "in progress." The second cycle: still "in progress," target date extended by sixty days. The third cycle: target date extended again, severity quietly downgraded. Six months later, the issue is still open, the original context has been lost, the individuals who understood it have moved on, and an auditor is asking why a significant control weakness identified in the first quarter has not been resolved. This sequence is not unusual. In many organizations, it is the norm.
The solution is not more tracking. It is real accountability — ownership assigned to a specific named person who has the authority and the resources to resolve the issue, who is held personally accountable for delivery, and who cannot defer indefinitely without that deferral being visible, challenged, and escalated. Issue management accountability needs to be treated with the same seriousness as financial accountability. An issue that has been open for six months without resolution is a governance failure, not just a management inconvenience.
Building an issue management program that works
Issues raised through different channels — audit, RCSA, KRI alerts, operational incidents, staff escalations — should all flow into a single, consistently structured issue log. Fragmented capture creates fragmented visibility. Leadership and governance bodies cannot manage what they cannot see completely, and issues logged in separate systems by separate teams inevitably create blind spots.
The most expensive issue management outcome is the recurring issue — the same problem, appearing repeatedly, because past remediation addressed the surface manifestation rather than the underlying cause. Genuine root cause analysis asks not just "what happened?" but "why did it happen?" and "what conditions allowed it to happen?" The answer to those questions determines whether the remediation plan will actually work.
A target date that can be extended repeatedly without consequence is not a target date — it is a suggestion. Issue remediation timelines should be set realistically, based on the genuine complexity of the required actions. Extensions should require documented justification and formal approval. And persistent overdue issues should trigger escalation, not just a note in the tracker.
The moment an action is marked "complete" is not the moment an issue should be closed. Closure should require independent validation that the underlying problem has actually been resolved — not just that the remediation actions have been executed. An access control issue that required a policy update and training program should only be closed when there is evidence that the policy has been embedded and the training has demonstrably changed behaviour, not when the documents have been signed off.
Every significant issue contains information about the actual performance of the organization's risk and control environment. That information should flow back into the risk register, inform KRI thresholds, update RCSA assessments, and shape the focus of future monitoring and audit activity. An issue management program that exists in isolation from the rest of the risk framework is collecting valuable intelligence and systematically failing to use it.
Issue reporting to boards and governance bodies should provide a complete, honest picture — the number of open issues, their severity distribution, the age profile of overdue items, and the trend over time. Reports that only surface positive news, that aggregate issues in ways that obscure severity, or that present a declining issue count as inherently good news regardless of the quality of closures, are not serving governance. They are managing it.
The strategic value of doing this well
Organizations that build genuinely effective issue management capabilities do not just avoid problems — they develop an organizational intelligence that compounds over time. Issues, well-managed, are one of the richest sources of insight into how an organization actually operates versus how it believes it operates. The gap between those two things is where both risk and opportunity live.
When issue data is captured consistently, assessed rigorously, and analysed systematically, it reveals patterns that no other risk management tool can easily surface. Which processes generate the most issues? Which control failures are most frequently linked to significant outcomes? Where are the same root causes appearing in different parts of the business? The answers to these questions allow organizations to direct their risk management resources with precision — investing in the areas where the evidence shows problems are most likely, rather than the areas where the risk framework suggests they should be.
The organizations that treat issue management as a strategic capability — not just a compliance process — consistently find that they are better at anticipating problems, faster at resolving them, and more credible with regulators, auditors, and stakeholders than those that do not. That is not a coincidence. It is the compounding return on getting this right.
Build stronger enterprise risk programs with Relyntra.
Relyntra Advisory Services and Relyntra Dynamic Solutions help institutions turn risk insight into operating discipline.
Discuss your risk priorities