Issue Management – Categorization & Identification


Every business faces the risk of unexpected, harmful events that can cost the company money, damage its reputation, and drive away important clients. Issue management gives organizations an opportunity to prepare for the unexpected by minimizing potential risks and resolving issues before they escalate. This all begins with effective issue categorization and identification.

This series will focus on issues in the context of compliance and risk management, with an emphasis on information security frameworks such as ISO 27001, SOC, and FedRAMP. Our goal is to help you understand how issue management is a cross-functional program, and how issues can originate from any part of the business while still being centrally managed for improved visibility and effectiveness.

In this series we will explore:

  • Creating an issue management program
  • Issue identification and categorization
  • Building a risk registry
  • Issue ownership and management methodologies
  • Corrective actions and issue monitoring

Issue Management

Issue management is the identification and resolution of issues that occur within a company. Issues include problems with employees or vendors, technical failures, security breaches, and material shortages – all of which may negatively impact an organization. Issue management provides teams with a process to identify, track, analyze, resolve, and prevent future issues.

Tying Together Issue & Risk Management

A risk is any potential event or condition that can affect your company, for better or for worse, such as an unanticipated change in project scope or the possibility of an unsatisfactory mitigating control.

An issue is any identified risk or problem within your company that requires corrective action or remediation, whether reactive or proactive. Creating an issue initiates the process your risk team has defined to resolve or prevent the problem.

Issues often arise from a risk registry, but can also come directly from any department, project, audit, and process, potentially causing a loss in productivity, services, or revenue. As teams within organizations are increasingly interdependent, any one disruption could culminate in irreversible financial and reputational damage.

The Importance of a Centralized Program

Corporate governance strategies are designed to help the business outline the appropriate interactions and relationships between internal and external stakeholders, strategic objectives, and optimized operations. A centralized issue management program is a key part of this governance strategy, driving better decision-making, increasing transparency, and aligning with organizational goals.

Keep in mind that a governance program empowers organizational leadership to make informed decisions that improve performance while mitigating potential risks. A unified issue management program supports this by standardizing how the organization collects, categorizes, analyzes, monitors, and resolves issues, which accelerates progress on key objectives, addresses risks proactively, and surfaces new opportunities.

Categorizing Issues

Correct issue categorization and identification enables faster decision-making and more in-depth analysis. It is best practice to categorize compliance-focused issues by source:

  • Cybersecurity risks: Cyber risk is the likelihood of a negative disruption to sensitive data, finances, or business operations through digital systems. Most commonly, cyber risks are associated with events that could result in a data breach or system outage, such as ransomware, data leaks, phishing, and other malware-driven or targeted attacks.
  • Insider threats: These are types of risks that come from negligent or malicious employees, contractors, vendors, or anyone with access to confidential information.
  • Physical risks: These are threats that might impact the physical organizational environment, including offices, server rooms, and operational facilities. These risks might have a malicious cause or can derive from a natural disaster.
  • System vulnerabilities: Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A vulnerability is a weakness in a system, process, or control that a threat could exploit, for example to gain unauthorized access to a network; the corresponding risk is the likelihood and impact of that exploitation actually occurring.
  • Nonconformities: As part of any quality management system, a nonconformity is any failure to meet a documented requirement. Requirements might be set by clients, internal stakeholders, regulatory or statutory bodies.

Issue Tracking & Identification

Issues can arise without warning. To easily track and identify risks that may evolve into issues while minimizing their potential impact, it is vital to have a well-defined risk registry with documented processes – including a recurring process for risk identification across different business functions and departments.

For issue identification, the compliance team can review the program scope and schedule periodic identification exercises. Issue identification must be an iterative process. As it progresses, more information will be gained, the issue registry will become more detailed, and it will be adjusted to reflect the current understanding and program life cycle.

A few techniques to identify issues are:
  • Performing annual risk analysis based on statutory and regulatory requirements. This technique involves listing issues that might arise from nonconformances with required controls based on applicable standards, such as ISO 27001 Annex A;
  • Running frequent vulnerability scans and manual penetration tests;
  • Performing internal and external audits and acting on nonconformities that might arise as a result of these assessments;
  • Holding frequent management review meetings to give leadership the opportunity to brainstorm and discuss internal or external factors that might impact the business;
  • Interviewing stakeholders; and
  • Identifying potential issues based on substantial internal and external changes and threats.

Prioritizing Resolution

After identifying issues, teams should assess both risk probability and impact before diving headfirst into creating a mitigation strategy. Regardless of how you choose to assess the probability and impact, it is imperative that the assessment methodology is well documented and communicated to ensure consistency as part of your governance program.

An issue may be refined or changed after further analysis, which might directly affect your mitigation strategy. Stay tuned for the next article in our four-part series, where we highlight the various registries at your disposal and how to keep in-depth records of your issue management program.


Looking to develop your own issue management program? Get in touch with our team today