Managing risk is an essential aspect of creating value through IT service management (ITSM). Risks can arise in various areas during the delivery of services and products, including operational, legal, and financial risks.
In addition to reducing problems in service and product delivery, risk management policies and responses may also be reviewed by government and regulatory agencies. Managing and controlling risk in an ITSM environment is not only good business practice but it may also be required by regulations.
This article discusses risk management within the context of an ITIL 4 framework. If you are using an ITIL v3 framework, you can refer to our companion article on IT risk management for ITIL v3 and ITSM environments.
According to the ITIL 4 framework, risk management is a general management practice with the following dual purpose: to ensure that the organization:
It’s important to understand the two types of risks:
You can manage your risk profile by taking advantage of opportunities while also reducing or eliminating threats. While many organizations primarily focus on responding to threats, it’s important to remember that ITIL 4 also emphasizes the role of IT in creating business value, not just delivering IT services.
With this emphasis on creating business value, it is equally important in ITIL 4 risk management to pursue opportunities as it is to plan for and respond to realized threats.
The ITIL 4 Risk Management practice is divided into four sub-practices.
The risk management support sub-practice establishes your risk management framework by addressing basic questions about how you handle risk, such as:
It’s important to note that this sub-practice defines the overall framework for managing risk, rather than addressing specific risks individually.
This sub-practice estimates the impact on the business that would result if a risk were to materialize and helps to assess the likelihood or probability of the risk occurring.
It’s important to evaluate both the probability that a risk will occur and the significance of each risk. Probabilities can be broadly classified as low, medium, or high. Assessing the probability of each risk helps to prioritize which risks require response plans and the order in which the plans should be developed.
Like the guidelines set by the Project Management Institute (PMI), the primary output of the Business Impact and Risk Analysis sub-practice is the Risk Register, sometimes called the Risk Log. The Risk Register lists identified risks and the responses that will be carried out if a risk materializes.
In this sub-practice, you determine two important items:
The Risk Owner is responsible for identifying any necessary countermeasures and maintaining them.
ITIL can follow the PMI’s guidance by identifying countermeasures for both positive risks (opportunities) and negative risks (threats) as shown below:
COUNTERMEASURES FOR RISK OPPORTUNITIES & THREATS | ||
---|---|---|
Countermeasure | Strategy | Risk type |
Share | Sharing the benefit/responsibility/threat of a risk with another party | Opportunity/Threat |
Exploit | Acting to ensure that an opportunity occurs | Opportunity |
Enhance | Increasing the size or capacity of the IT service or product being offered | Opportunity |
Escalate | Entrusting the risk to someone outside the project, program, or portfolio who can better realize the opportunity | Opportunity |
Avoid | Avoiding the risk by avoiding the activity that activates the risk | Threat |
Transfer | Reassigning the risk exposure to a third party, such as an insurance company | Threat |
Mitigate | Implementing controls and contingencies to reduce the probability or the impact of the risk | Threat |
Acceptance | For risks that are not covered by other countermeasures, an organization may accept a risk (do nothing) because it is too cumbersome or expensive to control | Threat |
This is the stage where you take action when a risk has been realized and track the progress of implemented countermeasures. It’s important to ensure that the risk response is appropriate in light of the risk impact and to adjust or modify the response as needed.
Monitoring may involve modifying countermeasures if the actual risk impact is more or less severe than anticipated. You should also track how well the planned countermeasure is addressing the risk. Risk monitoring may also require revisiting the other three sub-practices:
Risk management is not a standalone process that is completed once and then forgotten.
Risk management is a continuous process that should be reviewed or reevaluated whenever there are changes within the ITIL 4 Service Value system, particularly changes in opportunity or demand, the Service Value Chain, and other sub-practices under the General Management, Service Management, and Technology Management practices. Risk management sub-practices should also be revisited when a new risk is identified during an incident management event.
Since ITIL 4 is a comprehensive framework that emphasizes co-creating business value, risk management practices should be applied to all aspects of ITSM, not just IT service delivery.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com