Service Management Blog

Risk Management Practices in ITIL® 4 Environments

Joe Hertvik

Dealing with risk is an important part of co-creating value in an IT service management (ITSM) environment. Risk can occur in several areas during service and product delivery, including operational, legal, and financial risks.

Besides minimizing problems in service and product delivery, government and regulatory agencies may also review organizational risk management policies and responses. Implementing and controlling risk in an ITSM environment is not only smart business—it can be a regulatory requirement.

This article looks at risk management inside an ITIL 4 framework environment. Working inside an ITIL v3 environment? See our companion article IT Risk Management Process for ITIL® v3 & ITSM Environments.

(This article is part of our ITIL 4 Guide.)

Risk management practices in ITIL 4

In the ITIL 4 framework, risk management is considered a General Management Practice. Its purpose is two-fold: to ensure that the organization

  1. Understands its risk profile
  2. Knows how to effectively handle its risks

Two types of risks

It’s important to understand the two types of risks: positive risks (opportunities) and negative risks (threats).

You manage your risk profile to exploit or enhance your opportunities while reducing, mitigating, or eliminating your threats. Although many organizations mainly focus on responding to threats, they forget that ITIL 4 also focuses on IT co-creating business value—not just IT service delivery.

With that focus, I would argue that the realization of opportunities in ITIL 4 risk management is just as important as planning for and responding to realized threats.

Critical risk management sub-practices

The ITIL 4 Risk Management practice has four sub-practices.

Risk management support

The risk management support sub-practice defines your risk management framework. Here’s where you answer the basic questions dealing with how you handle risk, including:

  • How do you identify risks, both positive and negative?
  • What risk levels is an organization prepared to allow?
  • Who is responsible for (in charge of) the different risk management duties?

Again, this sub-practice defines the framework in which you will deal with risk, not how specific risks are dealt with.

Business impact & risk analysis

This sub-practice quantifies the business impact that would occur when risks are realized. It also helps determine the likelihood or probability of risk realization.

It’s important to determine both the probability that a risk will occur as well as the importance of each risk. Probabilities can be classified in simple terms such as a low, medium, or high probability. Determining the probability of each risk occurring helps prioritize which risks you’ll need to develop response plans for and the order in which each response plan should be developed.

Similar to Project Management Institute (PMI) guidelines, the main output of the Business Impact and Risk Analysis sub-practice is the Risk Register, sometimes referred to as the Risk Log. The Risk Register includes a list of identified risks and the responses to be implemented upon risk realization.

Assessment of required risk mitigation

In this sub-practice, you determine two important items:

  • The risk response strategies (or countermeasures) for responding to a risk
  • The Risk Owner for each specific risk

The Risk Owner is responsible for determining any countermeasures required and for the ongoing maintenance of any countermeasures.

In determining countermeasures, we can again take a page from PMI and define countermeasures we can take for positive risks (opportunities), and we can take for negative risks (threats), as shown here:

Countermeasures for risk opportunities & threats (countermeasure, strategy, and the risk type it applies to):

  • Share (Opportunity/Threat): Sharing the benefit, responsibility, or threat of a risk with another party
  • Exploit (Opportunity): Acting to ensure that an opportunity occurs
  • Enhance (Opportunity): Increasing the size or capacity of the IT service or product being offered
  • Escalate (Opportunity): Entrusting the risk to someone outside the project, program, or portfolio who can better realize the opportunity
  • Avoid (Threat): Avoiding the risk by avoiding the activity that activates the risk
  • Transfer (Threat): Reassigning the risk exposure to a third party, such as an insurance company
  • Mitigate (Threat): Implementing controls and contingencies to reduce the probability or the impact of the risk
  • Acceptance (Threat): For risks that are not covered by other countermeasures, an organization may accept a risk (do nothing) because it is too cumbersome or expensive to control
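The article describes the Risk Register and the countermeasure table in prose only; the following is an added illustration, not code from the article or from ITIL, of how a register entry can be checked against those rules (a Risk Owner is assigned, the probability and impact use the low/medium/high scale, and the chosen countermeasure applies to the entry's risk type) and how entries can be ordered for response planning. The dataclass fields, the low=1/medium=2/high=3 scale, and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# Countermeasure strategies and the risk type(s) each applies to, taken from the
# article's countermeasure table ("accept" stands for the table's "Acceptance").
STRATEGY_APPLIES_TO = {
    "share": {"opportunity", "threat"},
    "exploit": {"opportunity"}, "enhance": {"opportunity"}, "escalate": {"opportunity"},
    "avoid": {"threat"}, "transfer": {"threat"}, "mitigate": {"threat"}, "accept": {"threat"},
}

# Ordinal scale for the article's low/medium/high classification (assumed weights).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    risk_type: str    # "opportunity" (positive) or "threat" (negative)
    probability: str  # low / medium / high
    impact: str       # low / medium / high
    owner: str        # the Risk Owner accountable for the countermeasures
    strategy: str     # one of the countermeasures above
    response: str     # the response recorded in the Risk Register


def validate(risk: Risk) -> List[str]:
    """Return the problems found in one register entry; an empty list means it is consistent."""
    problems = []
    if risk.risk_type not in ("opportunity", "threat"):
        problems.append(f"{risk.name}: unknown risk type {risk.risk_type!r}")
    if risk.probability not in LEVEL or risk.impact not in LEVEL:
        problems.append(f"{risk.name}: probability and impact must be low, medium, or high")
    allowed = STRATEGY_APPLIES_TO.get(risk.strategy)
    if allowed is None:
        problems.append(f"{risk.name}: unknown countermeasure {risk.strategy!r}")
    elif risk.risk_type not in allowed:
        problems.append(f"{risk.name}: {risk.strategy!r} does not apply to a {risk.risk_type}")
    if not risk.owner:
        problems.append(f"{risk.name}: no Risk Owner assigned")
    return problems


def score(risk: Risk) -> int:
    """Probability x impact on the ordinal scale; used only to order response planning."""
    return LEVEL[risk.probability] * LEVEL[risk.impact]


def prioritize(register: List[Risk]) -> List[str]:
    """Entry names from highest to lowest score; ties keep their register order."""
    return [r.name for r in sorted(register, key=score, reverse=True)]


# Constructed sample register (not from the article); the last entry is deliberately inconsistent.
SAMPLE_REGISTER = [
    Risk("Backup media failure", "threat", "medium", "high", "Ops lead", "mitigate", "Add offsite copy"),
    Risk("Cloud discount window", "opportunity", "high", "medium", "Finance", "exploit", "Commit reserved capacity"),
    Risk("Vendor lock-in", "threat", "low", "medium", "", "exploit", "n/a"),
]
```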

Risk monitoring

Here is where you’ll take action when a risk has been realized, and then monitor the progress of the risk countermeasures that have been implemented. You also ensure that the risk response is adequate for the risk impact, adjusting or modifying the response as needed.

Monitoring may involve adjusting countermeasure activities if the realized risk impact is greater or lesser than expected. You will also need to track or report on how effectively the planned countermeasure is addressing the risk. Risk monitoring may also require you to revisit the other three sub-practices by:

  • Modifying your risk framework
  • Revisiting business impacts and risk analysis processes
  • Reassessing your risk mitigation countermeasure planning


Risk management & other ITIL practices

Risk management doesn’t happen in an isolation chamber. It’s not a one-and-done process.

Risk management is a continual process. It should be evaluated or re-evaluated whenever a change occurs within the ITIL 4 Service Value System, particularly for changes in opportunity or demand, changes in the Service Value Chain, and changes in the other practices under the General Management, Service Management, and Technical Management groups. Risk management sub-practices should also be revisited when a new risk is uncovered during an incident management event.

Because ITIL 4 is a holistic framework that focuses on co-creating business value—not just IT services—risk management practices can and should be used for all ITSM elements, not just IT service delivery.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.



About the author

Joe Hertvik

Joe Hertvik PMP owns Hertvik & Associates, an IT infrastructure and marketing management consultancy. Joe provides contract services for IT environments including Project Management, Data Center, network, Infrastructure, and IBM i management.

His company also provides Marketing, content strategy, and content production services for B2B IT industry companies. Joe has produced over 1,000 articles and IT-related content for various publications and tech companies over the last 15 years.
