Management of Risk and its integration within ITIL
- 1. 1Copyright © Hervé Doornbos 2015. All Rights Reserved
MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
Version 1 – 06/06/2015
© 2015 - Hervé Doornbos
- 2.
MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
Ⅰ INTRODUCTION
Ⅱ INTEGRATING RISK WITHIN ITIL
Ⅲ RISK PROCESSES DETAILS
- 3.
INTRODUCTION – ITIL OVERVIEW
[Figure: the ITIL lifecycle, listed here by phase; the legend distinguishes Phase, Process and Function]
Service Strategy (phase): Strategy Management for IT Services, Service Portfolio Management, Financial Management for IT Services, Demand Management for IT Services, Business Relationship Management
Service Design (phase): Design coordination, Service Catalogue Management, Service Level Management, Capacity Management, Availability Management, IT Service Continuity Management, Information Security Management, Supplier Management
Service Transition (phase): Transition Planning and Support, Service Asset and Configuration Management, Change Management, Release and Deployment Management, Service Validation and Testing, Change Evaluation, Knowledge Management
Service Operation (phase): Event Management, Incident Management, Access Management, Request Fulfillment, Problem Management
Continual Service Improvement (phase): Seven-steps improvement process
Functions: Service desk, Technical Management, IT Operations Management, Application Management
- 4.
INTRODUCTION – ITIL OVERVIEW
[Figure: the same ITIL lifecycle as slide 3, with the out-of-ITIL functions Metrology, Reporting, Service Mgt. Office and Project Mgt. Office drawn beside it; legend: Phase, Process, Function, Out-of-ITIL Function]
ITIL interfacing with other functions is common practice
What about RISK ???
- 5.
INTRODUCTION – RISK FRAMEWORK OVERVIEW
Enterprise Risk Frameworks ERM
COSO Enterprise Risk Management
ISO 31000:2009 and its former IT security variant ISO27001:ISO27002
COBIT5 for Risks [Formerly RiskIT and ValIT]
OGC Management of Risk M_o_R [and OGC M_o_V]
ERM Maturity Model
RIMS Risk Maturity Model (RMM)
Other Risk Guidance / IT Risk processes
CMMI-SVC Risk Management RSKM process
TIK IT Risk Framework
Project Risk Management (Prince2, PMP, …)
- 6.
INTRODUCTION – RISK MANAGEMENT INTEGRATION WITHIN ITIL
According to OGC, risk management is integrated throughout the service lifecycle and
covers the following in ITIL
Problem management
• Proactive and reactive, with the goal of reducing the impact of service outages
Change management
• Help reduce risks, minimize the potential negative impact of change, and reduce the risk
of an undesirable outcome
Service delivery (SLM, SCM, Capacity, Availability, Financial)
• Support easy maintenance of Services via a careful design
Availability management
• Focuses on reliability and putting in place alternative options to ensure the service continues
IT service continuity
• Assessing risk to ensure overall continuity for the business
And also ‘Appendices’ referencing Risk Frameworks with a focus on OGC M_o_R
“Decision-making should include determining any appropriate actions to take to manage the risks
to a level deemed to be acceptable by the organization” (SS, appendix E)
- 7.
INTRODUCTION – CRITICIZING RISK PRACTICE WITHIN ITIL
Information about Risk Management found in ITIL book
Section about "risks", containing definition of risk and information on Risk Management Framework
Some clues about how to implement risk management across the framework
Some clues about the tools and the risks that are already known
Some risks are enumerated
What is missing in ITIL book
An explanation on how to proceed to cover risk management
Guidelines on how to deal with enumerated risks
A complete tool list for risk assessment with detailed information
Despite M_o_R being referred to in ITIL Books, it is unclear if this is the official way to
treat risk and how to implement this risk management framework in ITIL
- 8.
INTRODUCTION – WHY RISK MGT. ? IT RISK MGT. BENEFITS
1. Increased consistency and communication of risks within the IT organization
Provides a standard terminology and conceptual framework for all members of IT organization
Visualize the linkage between expectations and risks associated
Share data and information relative to 'risks to achievement of objectives and plans' across IT
2. Enhanced reporting and analysis of IT risks, supporting better decisions
Enable better informed and more believable plans, schedules and budgets
Enable objective comparison of alternatives
Increase the likelihood of delivery of desired outcomes
3. Improved focus, attention and perspective to risk data
Provides a means to further identify and assess key risk indicators
4. More efficient and effective activities related to regulatory, compliance and audit matters
Since risk data involves identifying and monitoring controls and mitigations relevant to various risks across IT,
it provides an effective means for leveraging and reducing the effort and cost of such audits and reviews
5. More cost-effective management and monitoring of IT risks
Through all of the benefits noted above
- 9.
EXISTING RISK FRAMEWORKS – RISK DEFINITION(S)
As many definitions as Frameworks
OGC: an uncertain event or set of events which, should it occur, will have an effect on the
achievement of objectives. A risk consists of a combination of the probability of a perceived
threat or opportunity occurring and the magnitude of its impact on objective
ISO: Effect (positive and/or negative deviation from the expected) of uncertainty (state, even partial, of
deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood)
on objectives. Risk is often expressed in terms of a combination of the consequences of an event
– including changes in circumstances – and the associated likelihood of occurrence
COSO ERM:
$$\text{Risk} = \text{Likelihood} \times \text{Business Impact}$$
TIK IT Risk Framework formula:
$$\text{Risk} = \frac{\text{Asset Valuation} \times \text{Vulnerability(Asset)} \times \text{Threat}}{\text{CounterMeasure(Score)}}$$
Other definitions may be found on http://en.wikipedia.org/wiki/IT_risk
- 10.
CONVENTIONS USED IN THIS DOCUMENT
Scope
Limited to IT Risks, as defined herein
Definitions
Threat
• Anything that is capable of acting against an asset in a manner that can result in harm
Event
• Something that happens at a specific place and/or time
Vulnerability
• A weakness in design, implementation, operation or internal control
Impact
• The net effect on the achievement of business objectives
Risk
• A probable situation with frequency and magnitude of loss
IT Risk
• The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an
enterprise
Risk register
• A repository of the key attributes of potential and known risk issues. Attributes may include name, description, owner,
expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition
- 11.
CONVENTIONS USED IN THIS DOCUMENT
Definitions (cont.)
Risk profile
• A representation at a given point in time of an organization’s overall exposure to a group of risks
(i.e. a quantitative analysis of the types of threats an organization faces)
Multiple risk profiles may be developed: per business unit, per service, … or per any other component of the organization
Risk scenario
• The description of an event that can lead to a business impact
Countermeasure
• Any process that directly reduces a threat or vulnerability
Control activities
• The means of managing risk, including policies, procedures, guidelines, practices or organizational structures
Resilience
• The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal
recognizable effect
Risk Avoidance
• The process for systematically avoiding risk, constituting one approach to managing risk
Risk Mitigation
• The management of risk through the use of countermeasures and controls
Risk Transfer
• The process of assigning risk to another enterprise,
usually through the purchase of an insurance policy or by outsourcing the service
- 12.
CONVENTIONS USED IN THIS DOCUMENT
[Images: a Threat, an Asset, and an Event]
Threat, Asset, and Event having been illustrated,
Risk = Event likelihood during a determined period of time
(The result of the Event in this case is an Impact whose magnitude is a Disaster)
Images from http://www.iffo-rme.fr/le-risque-majeur
- 13.
BASICS OF RISK – CONCEPTS
[Figure: four nested universes, labelled Unknown Universe, Uncertain Universe, Risky Universe and Secure Universe]
In the Unknown Universe, nothing can be anticipated, as in Star Trek. New situations occur sometimes, and we do not know what or when
In the Uncertain Universe, we know which event could happen, but we don’t know when
In the Risky Universe, we know all possible events and their probability or likelihood, exactly as when we play Russian roulette
In the Secure Universe, all unacceptable risks have been eliminated using proper countermeasures
- 14.
BASICS OF RISK – RISK DUALITY
The word Risk refers to situations where the decision-maker can assign
mathematical probabilities to the randomness of the situation
Risk is however a dual term referring to
Opportunity, which is a risk with positive effects
Threat, which is a risk with negative effects
Threat
Destroyed value
and/or Undelivered benefits
• Unrealized or reduced business value
• Missed business opportunities
• Adverse events destroying value
Opportunity
Business benefits
and/or Preserved value
• New business opportunities
• Enhanced business opportunities
• Sustainable competitive advantage
Risks must be Optimized
- 15.
BASICS OF RISK – RISK APPETITE AND TOLERANCE POLICIES
Risk Appetite
Amount of risk a company is prepared to accept when trying to achieve its objectives
Can be defined in practice in terms of combinations of frequency and business impact of a risk
Will be different amongst enterprises
No absolute norm or standard of what constitutes acceptable and unacceptable risk
Risk Tolerance
Tolerable deviation from the level set by the risk appetite and business objectives
The risk response cost affects the risk tolerance
Ideally defined at the enterprise level and reflected in company policies
May change over time depending on
internal factors (new organization...)
external factors (new technologies...)
- 16.
BASICS OF RISK – RISK OVER TIME – UNCERTAINTY
Some risks are dynamic and require continual ongoing monitoring and assessment
Other risks are more static and require reassessment on a periodic basis with ongoing
monitoring triggering an alert to reassess sooner should circumstances change
[Figure: Risk plotted against Time. Initial Strategy, then Revise Strategy at each Revision Point; uncertainty increases with a longer Time Horizon]
- 17.
BASICS OF RISK – RISK OVER TIME – KEY RISK INDICATOR(S)
Key Risk Indicators (KRIs) are indicators that are predictive
regarding changes in the risk profile
They enable timely action to be taken to deal with emerging issues
[Figure: Risk and a KRI Indicator plotted against Time. Initial Strategy, then Revise Strategy at each KRI Trigger Point]
- 18.
BASICS OF RISK – LINKING OBJECTIVES TO KRIS
Mapping ‘Risks’ to ‘IT Objectives’ via the ‘Critical Success Factors’ puts
management in position to begin identifying the most critical metrics that can
serve as leading Key Risk Indicators
The link between the Risk and the KRI is often a ‘causal map’ (what is the root
cause of the Event ?)
[Figure: causal map. GOAL → Objective 1 (KGI1) and Objective 2 (KGI2) → CSF1 to CSF5 → Risk 1 to Risk 4 → KRI 1 to KRI 4]
- 19.
MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
Ⅰ INTRODUCTION
Ⅱ INTEGRATING RISK WITHIN ITIL
Ⅲ RISK PROCESSES DETAILS
- 20.
INTEGRATING RISK WITHIN ITIL – TYPES OF INTEGRATION
Type I: Mapping missing process(es) in ITIL
Type II: Adoption of an Enterprise Risk Management (ERM) Framework and either one or both of:
• Top-down integration of ITIL processes within ERM, creating original scenarios based on Enterprise objectives
• Bottom-up integration of ITIL processes into ERM by adapting generic Risks Scenarios to ITIL phases
- 21.
INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE II
[Type II, as on slide 20: adoption of an ERM Framework with top-down and/or bottom-up integration of ITIL processes]
Ensure Full Alignment with Enterprise Objectives
Requires an ERM Framework to be in place
Drastic Enterprise change if ‘ex-nihilo’ project
e.g.: OGC ITIL® and Corporate Risk Alignment Guide
- 22.
INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE I
[Type I, as on slide 20: mapping missing process(es) in ITIL]
Reinforce ITIL processes with Risk Elements
Add Process(es) to ITIL scope
Minor adaptation of ITIL processes
Respond to limited category of Risk
(mainly internal, tactical and operational)
Suggested starting point for
integrating Risk Management within ITIL
- 23.
INTEGRATING RISK WITHIN ITIL – TYPE I ADAPTED ITIL MODEL
[Figure: the ITIL lifecycle of slide 4 with three added processes; legend: Phase, Process, Function, Out-of-ITIL Function, Added Process]
Service Strategy: Strategy Management for IT Services, Service Portfolio Management, Financial Management for IT Services, Demand Management for IT Services, Business Relationship Management, Prepare for Risk Management (added)
Service Design: Design coordination, Service Catalogue Management, Service Level Management, Capacity Management, Availability Management, IT Service Continuity Management, Risk Management (added), Information Security Management, Supplier Management
Service Transition: Transition Planning and Support, Service Asset and Configuration Management, Change Management, Release and Deployment Management, Service Validation and Testing, Change Evaluation, Knowledge Management
Service Operation: Event Management, Incident Management, Access Management, Request Fulfillment, Problem Management
Continual Service Improvement: Seven-steps improvement process, Opportunities Prioritization Process (added)
Functions: Service desk, Technical Management, IT Operations Management, Application Management
Out-of-ITIL functions: Metrology, Reporting, Service Mgt. Office, Project Mgt. Office
- 24.
TYPE I ADAPTED ITIL MODEL – RESPOND TO OPPORTUNITIES
[Figure: the Type I adapted ITIL model of slide 23, with the Opportunities Prioritization Process highlighted]
Opportunity Management
• B*Cases
• Prioritizing Improvement Initiatives
• Allocating resources
Refer to my presentation “Adopting Continual Improvement – A practical viewpoint”
Not presented here
- 25.
TYPE I ADAPTED ITIL MODEL – RESPOND TO THREATS
[Figure: the Type I adapted ITIL model of slide 23, with the Risk Management process highlighted]
Threat Management (Risk Management)
• Risk sources and categories
• Risk Strategy
• Risk Evaluation
• Risk Mitigation
- 26.
TYPE I ADAPTED ITIL MODEL – THREAT MGT. ELEMENTS
Threat Management Elements
• Risk
• Key Risk Indicator (KRI)
• Risk Response
[Figure: the Type I adapted ITIL model of slide 23]
- 27.
MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
Ⅰ INTRODUCTION
Ⅱ INTEGRATING RISK WITHIN ITIL
Ⅲ RISK PROCESSES DETAILS
- 28.
OVERVIEW – WHOLE PROCESS
[Figure: process flow]
Service Strategy – Prepare for Risk Management: Determine IT risk sources and categories → Define Risk Parameters → Establish a Risk Management Strategy
Service Design – Risk Management: Evaluate Risks → Respond to Risks → Monitor Risks
Communication
- 29.
OVERVIEW – LINKS BETWEEN IT RISK MGT. AND ITIL PROCESSES
- 30.
ROLE – IT RISK MGT. PROCESS OWNER
Overall responsibility for the development and implementation of Risk Project
Negotiate funding, scope, approach and timing of Risk Process deployment with IT management
Define and regularly chair a Risk Committee which will set risk appetite and tolerance
levels for IT in alignment with Business Objectives
Write and submit the risk management policy to the Risk Committee
Define and implement the risk management process
Reinforce and formalize management commitment by clearly articulating the roles and responsibilities
Set up the required organizational structures
Ensure
The parameters of the Risk Framework are set
The Risk Profile is maintained
Risk Reporting and Communication support risk-aware IT decisions
May escalate to Risk Committee
Establish and maintain a common Risk View
Promote a risk-aware culture
- 31.
ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT
Prepare for risk management by establishing and maintaining a strategy for
identifying, analyzing, and responding to risks
Produces CSFs, risk scale, and main boundaries
Main practices
Determine IT risk sources and categories
- Top-down approach: Processes, CSF, Risk sources
- Bottom-up approach: Typical list of risk sources
Define Risk Parameters
- Consistent risk scale
- Tolerance per risk category
- Risk management requirements
- Risk response bounds
Establish a Risk Management Strategy
- Scope of the risk management effort
- Methods, tools
- Communication
- Risk management plan
- 32.
ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT
Phase 1 – Determine Risk Sources and Categories
List Risk Sources
Top-down approach
• List the Critical Success Factors (CSFs) of all implemented processes,
then list all risk sources associated with them
Bottom-up approach
• Adapt a typical list of risk sources (from a framework)
Collect and organize risks in categories – for example, using factors such as
Phases of the work lifecycle
Types of processes used
Types of products used
Work management risks (e.g., contract risks, budget risks, schedule risks, resource risks)
Technical performance risks (e.g., quality attribute related risks, supportability risks)
- 33.
ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT
Phase 2 – Define Risk Parameters
Define a scale to gauge risks
Define consistent criteria for evaluating and quantifying risk likelihood and severity levels
• One way of providing a common basis for comparing dissimilar risks is assigning financial values to the risk impact
through a process of risk monetization
• Often an “Impact × Frequency” matrix which is then translated into a risk level scale
Categorize Risks and define tolerance parameters per category
Risk evaluation, categorization, and prioritization criteria
Define risk management requirements
Control and approval levels
Reassessment intervals
Define bounds to scope the extent of the risk management effort
The objective of bounds is to avoid excessive resource expenditures
Bounds can include the exclusion of a risk source from a category
- 34.
ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT
Phase 3 – Establish Risk Management Strategy
OUTPUT of this phase
Scope of the risk management effort
Methods and tools
For example “IT asset valuation”, which can be done by assigning financial values to IT assets
through a process of monetization (which can also be used for risk monetization) either by
• Assigning IT costs to IT assets (purchase, licensing, maintenance…)
• Valuing data stored in – and/or information flowing through – those IT assets
• Looking at the business value supported by these IT assets, using the Configuration Management System
Risk Communication plan
The strategy should be documented in a risk management plan and reviewed
with relevant stakeholders to promote commitment and understanding
- 35.
ITIL DESIGN PHASE – RISK MANAGEMENT
Evaluate operational risks, respond to, and monitor them
Main practices (input: Prepare for Risk Mgt.)
Evaluate Risks
- Identify Risks
- Analyze, Categorize, and Prioritize Risks
- Maintain risk profile
Respond to Risks
- Develop Risk Responses
- Implement Validated Risk Responses
Monitor Risks
- Monitor KRIs to detect changes in Risk Profile
- Monitor the progress of counter-measure implementation
- Collect all necessary and relevant risk data
- Communicate and report
- 36.
ITIL DESIGN PHASE – RISK MANAGEMENT
Phase 1 – Evaluate Risks
Collect data and Identify Risks for the New Service
Analysis of the asset’s value to the Business using the valuation tools provided by the prepare phase
Identification and classification of the threats to those assets using
• Identified risk sources
• Prepared risk classification (recorded in the risk register)
Analyze, Categorize, and Prioritize Risks
Evaluation of how vulnerable each asset is to its related threat
Define KRIs for identified Risks, and their thresholds with associated actions or tolerance level
Select risks above tolerance level as output for the 2nd phase of the risk management
Maintain risk profile
Record risks and associated data in the risk register
- 37.
ITIL DESIGN PHASE – RISK REGISTER RECORD
Record Parts – Record Detail Examples
Risk Summary
• Risk Statement
• Risk Owner
• Risk Category
• Risk Rating (Copied from Risk Analysis Results)
• Risk Response Decision [Accept, Transfer, Mitigate, Avoid]
• Record Kept Up-to-date ? [Date of Last Assessment, Due Date for Update]
Risk Description
• Title
• High Level Scenario
• Detailed Scenario [Actor, Threat Type, Event, Asset/Resource, Timing]
Risk Analysis Results
• Scenario Frequency
• Scenario Business Impact Rating [= F(Productivity Loss Rating, Cost of Response Rating, Competitive Advantage Rating, Legal Risk Rating)]
• Risk Rating
Risk Response
• Risk Response Decision [Accept, Transfer, Mitigate, Avoid]
• Detailed Response Description
• Status of Risk Action Plan [Overall Status, Major Issues, Completed Responses]
Risk Indicators
• KRI for this Risk
• Controls
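Added example (Python; not part of the original deck nor of any framework it cites): the risk scale and per-category tolerance of Phase 2 – Define Risk Parameters, applied to register records of the shape described above. Everything numeric is an assumption: constructed 1 to 5 frequency and impact scales, constructed cut-offs translating the Impact × Frequency product into Low / Medium / High / Critical, a constructed tolerance per category, and the Business Impact Rating F(...) taken as the maximum of its four sub-ratings. Record statements, owners and KRI names are constructed sample data.

```python
from dataclasses import dataclass
from typing import List

# Constructed 1-5 ordinal scales; the deck does not fix the scale, so these are assumptions.
FREQUENCY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "frequent"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# "Impact x Frequency" product translated into a risk level scale (constructed cut-offs).
RISK_LEVELS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Tolerance per risk category: the highest level accepted without a response (constructed).
TOLERANCE = {"work management": "Medium", "technical performance": "Low"}


def risk_level(frequency: int, impact: int) -> str:
    """Translate one cell of the Impact x Frequency matrix into a level of the risk scale."""
    if frequency not in FREQUENCY_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("frequency and impact must be on the 1-5 scale")
    score = frequency * impact
    for upper_bound, label in RISK_LEVELS:
        if score <= upper_bound:
            return label
    raise AssertionError("score outside the matrix")  # cannot happen for a 5x5 matrix


def business_impact_rating(productivity_loss: int, cost_of_response: int,
                           competitive_advantage: int, legal: int) -> int:
    """Scenario Business Impact Rating = F(four sub-ratings); F is taken as max here (assumption)."""
    ratings = (productivity_loss, cost_of_response, competitive_advantage, legal)
    if any(r not in IMPACT_SCALE for r in ratings):
        raise ValueError("each sub-rating must be on the 1-5 scale")
    return max(ratings)


@dataclass
class RiskRecord:
    """The parts of the risk register record needed to compute the Risk Rating."""
    statement: str
    owner: str
    category: str
    scenario_frequency: int
    productivity_loss: int
    cost_of_response: int
    competitive_advantage: int
    legal: int
    response_decision: str = "Undecided"  # Accept / Transfer / Mitigate / Avoid once decided
    kri: str = ""

    @property
    def impact_rating(self) -> int:
        return business_impact_rating(self.productivity_loss, self.cost_of_response,
                                      self.competitive_advantage, self.legal)

    @property
    def risk_rating(self) -> str:
        # The Risk Summary's "Risk Rating (copied from Risk Analysis Results)"
        return risk_level(self.scenario_frequency, self.impact_rating)


def risks_above_tolerance(register: List[RiskRecord]) -> List[RiskRecord]:
    """Select the records whose rating exceeds their category's tolerance (input to Phase 2)."""
    selected = []
    for record in register:
        # An unknown category gets the strictest tolerance rather than being silently accepted.
        tolerance = TOLERANCE.get(record.category, "Low")
        if LEVEL_ORDER[record.risk_rating] > LEVEL_ORDER[tolerance]:
            selected.append(record)
    return sorted(selected, key=lambda r: LEVEL_ORDER[r.risk_rating], reverse=True)


# Constructed sample register (three records).
SAMPLE_REGISTER = [
    RiskRecord("Unsupported OS on production servers", "Ops manager", "technical performance",
               scenario_frequency=4, productivity_loss=3, cost_of_response=2,
               competitive_advantage=1, legal=4, kri="% servers past end-of-support"),
    RiskRecord("Supplier contract lapses", "Supplier manager", "work management",
               scenario_frequency=2, productivity_loss=2, cost_of_response=3,
               competitive_advantage=2, legal=2),
    RiskRecord("Backup restore fails", "Ops manager", "technical performance",
               scenario_frequency=2, productivity_loss=5, cost_of_response=3,
               competitive_advantage=2, legal=3, kri="% failed restore tests"),
]

if __name__ == "__main__":
    for record in risks_above_tolerance(SAMPLE_REGISTER):
        print(f"{record.risk_rating:8} {record.statement} (owner: {record.owner})")
```

With the constructed data, the first and third records exceed the Low tolerance of the "technical performance" category and are selected (Critical first), while the supplier record rates Medium and stays within its category's tolerance. Out-of-scale inputs raise rather than silently mapping to a level, so a mistyped rating cannot make a risk look acceptable.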
- 38.
ITIL DESIGN PHASE – RISK MANAGEMENT
Phase 2 – Respond to Risks ( Risks above tolerance level )
Risk Response Options
Accept
• No action is taken relative to a particular risk, and the loss is accepted when/if it occurs
Mitigate
• Reduce the risk through the use of countermeasures and controls
Transfer
• Process of assigning risk to another enterprise
(usually through the purchase of an insurance policy or by outsourcing the service)
Avoid – when an unacceptable risk can neither be reduced, shared nor transferred
• Exiting the activities or conditions that give rise to an unacceptable risk, such as:
– Declining to engage in a very large project when the B*Case shows a notable risk of failure
– Deciding not to use a certain technology or software package because it would prevent future expansion
- 39.
ITIL DESIGN PHASE – RISK MANAGEMENT
Phase 2 – Respond to Risks ( Risks above tolerance level )
Risk Response Selection Parameters
Cost of response to reduce risk within tolerance level
Risk Level
Capability to Implement the Response
Effectiveness of Response
Efficiency of Response
Develop & Prioritize Risk Response
Example of prioritization matrix
[Figure: Risk Level (vertical axis) against Effectiveness / cost ratio (horizontal axis), with the quadrants Quick Wins, Business Case and Defer]
Build the B*Case when needed
Choose the risk action plan (the Validated Risk Response)
Implement Validated Risk Responses
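Added example (Python; not part of the original deck): the prioritization matrix above turned into a selection rule over the listed parameters. The quadrant layout is an assumption, since the deck only names the quadrants: a high risk level together with a good effectiveness / cost ratio is a Quick Win, a high risk level with a poor ratio needs a Business Case, and everything else, including any response the organization lacks the capability to implement, is Deferred. The thresholds, costs, effectiveness values and risk statements are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Same ordinal risk scale as the register (constructed).
RISK_LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
QUADRANT_RANK = {"Quick Wins": 0, "Business Case": 1, "Defer": 2}


@dataclass
class ResponseOption:
    """A candidate response for one risk, carrying the selection parameters from the slide."""
    risk_statement: str
    risk_level: str          # Risk Level, copied from the register
    cost: float              # Cost of response, in constructed currency units
    effectiveness: float     # Effectiveness: expected fraction of the risk removed (0.0-1.0)
    capability: bool = True  # Capability to implement the response


def effectiveness_cost_ratio(option: ResponseOption) -> float:
    """Horizontal axis of the matrix: risk reduction obtained per unit of cost (efficiency)."""
    if option.cost <= 0:
        raise ValueError("cost must be positive")
    if not 0.0 <= option.effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return option.effectiveness / option.cost


def quadrant(option: ResponseOption, ratio_threshold: float, level_threshold: str = "High") -> str:
    """Place a response in a quadrant of the prioritization matrix (assumed layout, see lead-in)."""
    if not option.capability:
        return "Defer"
    high_risk = RISK_LEVEL_ORDER[option.risk_level] >= RISK_LEVEL_ORDER[level_threshold]
    good_ratio = effectiveness_cost_ratio(option) >= ratio_threshold
    if high_risk and good_ratio:
        return "Quick Wins"
    if high_risk:
        return "Business Case"
    return "Defer"


def prioritize(options: List[ResponseOption], ratio_threshold: float) -> List[Tuple[str, str]]:
    """Order responses: Quick Wins, then Business Case, then Defer;
    inside a quadrant, higher risk level first, then better ratio first."""
    placed = [(quadrant(o, ratio_threshold), o) for o in options]
    placed.sort(key=lambda pair: (QUADRANT_RANK[pair[0]],
                                  -RISK_LEVEL_ORDER[pair[1].risk_level],
                                  -effectiveness_cost_ratio(pair[1])))
    return [(o.risk_statement, q) for q, o in placed]


# Constructed candidate responses for the risks selected in Phase 1.
SAMPLE_OPTIONS = [
    ResponseOption("Unsupported OS on production servers", "Critical", cost=20.0, effectiveness=0.8),
    ResponseOption("Backup restore fails", "High", cost=200.0, effectiveness=0.9),
    ResponseOption("Supplier contract lapses", "Medium", cost=5.0, effectiveness=0.5),
    ResponseOption("Single network uplink", "High", cost=50.0, effectiveness=0.6, capability=False),
]

if __name__ == "__main__":
    for statement, q in prioritize(SAMPLE_OPTIONS, ratio_threshold=0.01):
        print(f"{q:14} {statement}")
```

The ratio threshold is the organization's own line between "cheap enough to just do" and "needs a B*Case"; moving it is how the risk committee shifts work between the Quick Wins and Business Case quadrants without touching the register.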
- 40.
ITIL DESIGN PHASE – RISK MANAGEMENT
Phase 3 – Monitor Risks
Monitor KRIs to detect changes in Risk Profile
Monitor Risk proactively by monitoring KRIs
When a determined threshold is reached, initiate the appropriate management initiative in order
to manage the Risk accordingly
Monitor the progress of counter-measure implementation
Take corrective action when and where required
Collect all necessary and relevant risk data
KRIs may be computed using and/or complemented by informative data
Communicate and report
As established in the Risk Communication Plan
Operational & Tactical/Strategic Communication and Reporting
- 41.
ABOUT THE AUTHOR
20 years of Professional experience.
11 years in Infrastructure Outsourcing Services
Certified ITIL v3 Expert
Areas of Intervention Skills
20 years of IT Experience
11 years of experience in Infrastructure Outsourcing, with
5 years of experience as a Service Management consultant
Definition and implementation of ITIL processes
Continuous Service Improvement integration into processes
4 years as a Skill Group Manager
9 years as a technical expert
Professional Experience
Career SIDO & ONIC [2 years], Transiciel [2 years], Oracle [5 years], Capgemini [11 years]
ITIL v3 / COBIT v5 / Lean IT
IT Service Management
Management
Oracle Expert
IT Service Management
Multi-Sourcing SIAM
Assets, Incident, Problem, Change, Release & Deploy,
Configuration, Continual Improvement, Operational processes
Hervé Doornbos