Dealing with risk is an important part of co-creating value in an IT service management (ITSM) environment. Risk can occur in several areas during service and product delivery, including operational, legal, and financial risks.
Besides minimizing problems in service and product delivery, government and regulatory agencies may also review organizational risk management policies and responses. Implementing and controlling risk in an ITSM environment is not only smart business—it can be a regulatory requirement.
This article looks at risk management inside an ITIL 4 framework environment. Working inside an ITIL v3 environment? See our companion article IT Risk Management Process for ITIL® v3 & ITSM Environments.
Risk management practices in ITIL 4
In the ITIL 4 framework, risk management is considered a General Management Practice. Its purpose is two-fold, to ensure that the organization:
- Understands its risk profile
- Knows how to effectively handle its risks
Two types of risks
It’s important to understand the two types of risks:
- Positive risks (opportunities)
- Negative risks (threats)
You manage your risk profile to exploit or enhance your opportunities while reducing, mitigating, or eliminating your threats. Although many organizations mainly focus on responding to threats, they forget that ITIL 4 also focuses on IT co-creating business value—not just IT service delivery.
With that focus, I would argue that the realization of opportunities in ITIL 4 risk management is just as important as planning for and responding to realized threats.
Critical risk management sub-practices
The ITIL 4 Risk Management practice has four sub-practices.
Risk management support
The risk management support sub-practice defines your risk management framework. Here’s where you answer the basic questions dealing with how you handle risk, including:
- How do you identify risks, both positive and negative?
- What risk levels is an organization prepared to allow?
- Who is responsible for (in charge of) the different Risk Management duties?
Again, this sub-practice defines the framework in which you will deal with risk, not how specific risks are dealt with.
Business impact & risk analysis
This sub-practice quantifies the business impact that would occur when risks are realized. It also helps determine the likelihood or probability of risk realization.
It’s important to determine both the probability that a risk will occur as well as the importance of each risk. Probabilities can be classified in simple terms such as a low, medium, or high probability. Determining the probability of each risk occurring helps prioritize which risks you’ll need to develop response plans for and the order in which each response plan should be developed.
Similar to Project Management Institute (PMI) guidelines, the main output of the Business Impact and Risk Analysis sub-practice is the Risk Register, sometimes referred to as the Risk Log. The Risk Register includes a list of identified risks and the responses to be implemented upon risk realization.
Assessment of required risk mitigation
In this sub-practice, you determine two important items:
- The risk response strategies (or countermeasures) for responding to a risk
- The Risk Owner for each specific risk
The Risk Owner is responsible for determining any countermeasures required and for the ongoing maintenance of any countermeasures.
In determining countermeasures, we can again take a page from PMI and define the countermeasures we can take for positive risks (opportunities) and for negative risks (threats), as shown here:
Countermeasures for risk opportunities & threats

| Countermeasure | Description | Applies to |
|---|---|---|
| Share | Sharing the benefit/responsibility/threat of a risk with another party | Opportunity/Threat |
| Exploit | Acting to ensure that an opportunity occurs | Opportunity |
| Enhance | Increasing the size or capacity of the IT service or product being offered | Opportunity |
| Escalate | Entrusting the risk to someone outside the project, program, or portfolio who can better realize the opportunity | Opportunity |
| Avoid | Avoiding the risk by avoiding the activity that activates the risk | Threat |
| Transfer | Reassigning the risk exposure to a third party, such as an insurance company | Threat |
| Mitigate | Implementing controls and contingencies to reduce the probability or the impact of the risk | Threat |
| Acceptance | For risks that are not covered by other countermeasures, an organization may accept a risk (do nothing) because it is too cumbersome or expensive to control | Threat |
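The Risk Register described under Business impact & risk analysis and the countermeasure table above can both be encoded in a small, checkable structure. The following is an added example, not code from the article or from ITIL; it assumes a three-level low/medium/high scale mapped to 1/2/3 and a score of probability times impact (both assumptions, since the article only says probabilities can be classified as low, medium, or high), and it uses constructed sample register entries. It validates that every entry has a Risk Owner and that the chosen countermeasure is one the table allows for that risk type, then orders the valid entries so response plans are developed for the highest-scoring risks first.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

class RiskType(Enum):
    OPPORTUNITY = "opportunity"
    THREAT = "threat"

# Countermeasures from the article's table and the risk types each applies to.
ALLOWED_RESPONSES = {
    "share":    {RiskType.OPPORTUNITY, RiskType.THREAT},
    "exploit":  {RiskType.OPPORTUNITY},
    "enhance":  {RiskType.OPPORTUNITY},
    "escalate": {RiskType.OPPORTUNITY},
    "avoid":    {RiskType.THREAT},
    "transfer": {RiskType.THREAT},
    "mitigate": {RiskType.THREAT},
    "accept":   {RiskType.THREAT},
}

# Assumed ordinal scale (not from the article): low/medium/high -> 1/2/3.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:
    """One row of the Risk Register (field names are this example's own)."""
    risk_id: str
    description: str
    risk_type: RiskType
    probability: str   # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"
    owner: str         # the Risk Owner accountable for the countermeasure
    response: str      # a key of ALLOWED_RESPONSES

    def score(self) -> int:
        # Assumed scoring: probability level times impact level.
        return LEVEL[self.probability] * LEVEL[self.impact]

def validate_entry(entry: RiskEntry) -> List[str]:
    """Return a list of problems with one register entry (empty if it is sound)."""
    problems = []
    if entry.probability not in LEVEL:
        problems.append(f"unknown probability level '{entry.probability}'")
    if entry.impact not in LEVEL:
        problems.append(f"unknown impact level '{entry.impact}'")
    if not entry.owner.strip():
        problems.append("no Risk Owner assigned")
    allowed = ALLOWED_RESPONSES.get(entry.response)
    if allowed is None:
        problems.append(f"unknown countermeasure '{entry.response}'")
    elif entry.risk_type not in allowed:
        problems.append(
            f"countermeasure '{entry.response}' does not apply to a "
            f"{entry.risk_type.value}"
        )
    return problems

def validate_register(register: List[RiskEntry]) -> Dict[str, List[str]]:
    """Map risk_id -> problems, for entries that have any."""
    return {e.risk_id: p for e in register if (p := validate_entry(e))}

def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Valid entries only, highest score first (ties broken by risk_id)."""
    valid = [e for e in register if not validate_entry(e)]
    return sorted(valid, key=lambda e: (-e.score(), e.risk_id))

# Constructed sample register; the fourth entry is deliberately malformed.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Primary data centre loses power", RiskType.THREAT,
              "high", "high", "Ops lead", "mitigate"),
    RiskEntry("R-002", "Customer asks for a self-service portal", RiskType.OPPORTUNITY,
              "medium", "high", "Product owner", "exploit"),
    RiskEntry("R-003", "Supplier contract lapses", RiskType.THREAT,
              "low", "medium", "Legal", "transfer"),
    RiskEntry("R-004", "Backup tapes fail to restore", RiskType.THREAT,
              "medium", "medium", "", "exploit"),
]

if __name__ == "__main__":
    for risk_id, problems in validate_register(SAMPLE_REGISTER).items():
        print(f"{risk_id}: " + "; ".join(problems))
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.risk_id} score={e.score()} owner={e.owner} response={e.response}")
```

Running it reports R-004 twice (no Risk Owner, and "exploit" is an opportunity-only countermeasure applied to a threat) and lists R-001, R-002, R-003 in the order their response plans should be developed. Rejecting an entry without an owner mirrors the article's point that the Risk Owner, not the register, is responsible for maintaining the countermeasure.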
Risk monitoring
Here is where you take action when a risk has been realized and then monitor the progress of the countermeasures that have been implemented, ensuring that the risk response is adequate to the risk impact and adjusting or modifying the response as needed.
Monitoring may involve adjusting countermeasure activities if the realized risk impact is greater or lesser than expected. You will also need to track or report on how effectively the planned countermeasure is addressing the risk. Risk monitoring may also require you to revisit the other three sub-practices by:
- Modifying your risk framework
- Revisiting business impacts and risk analysis processes
- Reassessing your risk mitigation countermeasure planning
Risk management & other ITIL practices
Risk management doesn’t happen in an isolation chamber. It’s not a one-and-done process.
Risk management is a continual process. It should be evaluated or re-evaluated whenever a change occurs within the ITIL 4 Service Value system, particularly for changes in opportunity or demand, the Service Value Chain, and for other sub-practices under the General Management, Service Management, and Technology Management practices. Risk management sub-practices should also be revisited when a new risk is uncovered during an incident management event.
Because ITIL 4 is a holistic framework that focuses on co-creating business value—not just IT services—risk management practices can and should be used for all ITSM elements, not just IT service delivery.