Practices for Risk Management in ITIL® 4 Environments

Posted by Marbenz Antonio on January 4, 2023

Information Security Management in an ITIL 4 World

Managing risk is an essential aspect of creating value through IT service management (ITSM). Risks can arise in various areas during the delivery of services and products, including operational, legal, and financial risks.

In addition to reducing problems in service and product delivery, risk management policies and responses may also be reviewed by government and regulatory agencies. Managing and controlling risk in an ITSM environment is not only good business practice but it may also be required by regulations.

This article discusses risk management within the context of an ITIL 4 framework. If you are using an ITIL v3 framework, you can refer to our companion article on IT risk management for ITIL v3 and ITSM environments.

Risk management practices in ITIL 4

According to the ITIL 4 framework, risk management is a general management practice with a dual purpose: to ensure that the organization:

  1. Understands its risk profile
  2. Knows how to handle its risks effectively

Two types of risks

It’s important to understand the two types of risks:

  • Positive risks (opportunities)
  • Negative risks (threats)

You can manage your risk profile by taking advantage of opportunities while also reducing or eliminating threats. While many organizations primarily focus on responding to threats, it’s important to remember that ITIL 4 also emphasizes the role of IT in creating business value, not just delivering IT services.

With this emphasis on creating business value, it is equally important in ITIL 4 risk management to pursue opportunities as it is to plan for and respond to realized threats.

Critical risk management sub-practices

The ITIL 4 Risk Management practice is divided into four sub-practices.

Risk management support

The risk management support sub-practice establishes your risk management framework by addressing basic questions about how you handle risk, such as:

  • How do you identify risks, both positive and negative?
  • What level of risk is the organization prepared to accept?
  • Who is responsible for the different risk management duties?

It’s important to note that this sub-practice defines the overall framework for managing risk, rather than addressing specific risks individually.

Business impact & risk analysis

This sub-practice estimates the impact on the business that would result if a risk were to materialize and helps to assess the likelihood or probability of the risk occurring.

It’s important to evaluate both the probability that a risk will occur and the significance of each risk. Probabilities can be broadly classified as low, medium, or high. Assessing the probability of each risk helps to prioritize which risks require response plans and the order in which the plans should be developed.

Like the guidelines set by the Project Management Institute (PMI), the primary output of the Business Impact and Risk Analysis sub-practice is the Risk Register, sometimes called the Risk Log. The Risk Register lists identified risks and the responses that will be carried out if a risk materializes.

Assessment of required risk mitigation

In this sub-practice, you determine two important items:

  • The risk response strategies (or countermeasures) for responding to a risk
  • The Risk Owner for each specific risk

The Risk Owner is responsible for identifying any necessary countermeasures and maintaining them.

ITIL can follow the PMI’s guidance by identifying countermeasures for both positive risks (opportunities) and negative risks (threats) as shown below:

| Countermeasure | Strategy | Risk type |
|---|---|---|
| Share | Sharing the benefit/responsibility/threat of a risk with another party | Opportunity/Threat |
| Exploit | Acting to ensure that an opportunity occurs | Opportunity |
| Enhance | Increasing the size or capacity of the IT service or product being offered | Opportunity |
| Escalate | Entrusting the risk to someone outside the project, program, or portfolio who can better realize the opportunity | Opportunity |
| Avoid | Avoiding the risk by avoiding the activity that activates the risk | Threat |
| Transfer | Reassigning the risk exposure to a third party, such as an insurance company | Threat |
| Mitigate | Implementing controls and contingencies to reduce the probability or the impact of the risk | Threat |
| Accept | For risks that are not covered by other countermeasures, an organization may accept a risk (do nothing) because it is too cumbersome or expensive to control | Threat |

Risk monitoring

This is the stage where you take action when a risk has been realized and track the progress of implemented countermeasures. It’s important to ensure that the risk response is appropriate in light of the risk impact and to adjust or modify the response as needed.

Monitoring may involve modifying countermeasures if the actual risk impact is more or less severe than anticipated. You should also track how well the planned countermeasure is addressing the risk. Risk monitoring may also require revisiting the other three sub-practices:

  • Modifying your risk framework
  • Revisiting business impacts and risk analysis processes
  • Reassessing your risk mitigation countermeasure planning

Risk management & other ITIL practices

Risk management is not a standalone process that is completed once and then forgotten.

Risk management is a continuous process that should be reviewed or reevaluated whenever there are changes within the ITIL 4 Service Value System, particularly changes in opportunity or demand, in the Service Value Chain, and in other practices under the General Management, Service Management, and Technology Management practice groups. Risk management sub-practices should also be revisited when a new risk is identified during an incident management event.

Since ITIL 4 is a comprehensive framework that emphasizes co-creating business value, risk management practices should be applied to all aspects of ITSM, not just IT service delivery.
