In risk management activities, study teams often confuse risks and issues.
In brief, a risk is a condition that increases the risk of a negative impact to patient safety, data integrity, or regulatory compliance. An issue is an event that has already negatively impacted patient safety, data integrity, or regulatory compliance.
Risks are potential issues, and risk management is proactive. Issues are actual issues, and issue management is reactive.
It's not surprising that study team "risk management" often devolves into "issue management." Proactivity feels like a luxury when there are so many problems to deal with. But it's also difficult to detangle risks from issues because each issue can also elevate existing risks and present new risks.
A study team, for example, learns that a key piece of IRT functionality is not functioning correctly. An investigation identifies the root cause as a lack of clarity in the specification and a contributing cause as lack of robust User Acceptance Testing. The issue is a surprise; the team had not identified it as a risk. The first question the team should ask is, "How did we miss this?"
While dealing with this issue, the team must also consider what other risks this issue raises, given the root and contributing causes. Obviously, if this particular IRT function is incorrect, what other IRT functions could not be working as planned? But, less obviously, if our team is not writing clear specifications or conducting robust UATs on our IRT system, what other systems could have been inadequately specified and tested?
Each issue should cause us to re-evaluate our risk profile and prompt us to take proactive actions to manage new and increased risks along with reactive measures to address the issue that has occurred.