ITIL 4 Strategic Leader Certification Course: Practices - Risk Management (RM)
Purpose: to ensure that the organization understands and effectively handles risks
Levels of risk management:
- Strategic risk management: long-term risks that may impact the achievement of the mission
- Program and project risk management: risks that may impact mid-term goals and objectives
- Operational risk management: risks that may impact short-term goals and objectives
Every service removes some risk from the consumer but also imposes additional risk on the consumer – the balance between the two is the value proposition of the service
1. Practice success factors (PSF)
Four PSFs for RM:
- Establishing governance of risk management
- Nurturing a risk management culture and identifying risks
- Analyzing and evaluating risks
- Treating, monitoring, and reviewing risks
1.1 Establish governance
Governance of risk requires an understanding of two different concepts:
- Risk capacity: the maximum amount of risk an organization can tolerate (typically based on damage to reputation, assets, etc.)
- Risk appetite: the amount of risk the organization is willing to accept (should always be less than the risk capacity)
Define both via organizational governance (provide boundaries of how practitioners operate)
Should be regular discussions at board meetings (governance of risk, risk capacity, risk appetite, and strategic risks)
1.2 Nurture a risk management culture
Once a risk is identified, document it in a risk register (a record of identified risks that records their current status and history)
Identifying risks is not easy: people must feel safe to point out mistakes made by themselves or others without fear of reprisal (it must be everyone’s responsibility to identify and report risks)
A risk management culture is open and honest
1.3 Analyze and evaluate risks
Qualitative risk analysis:
- Impact
- Likelihood
Plot each specific risk on an impact/likelihood grid and assign an overall risk categorization, record it in the risk register, and then decide on preventative/mitigation actions
1.4 Analyze and evaluate risks (continued)
Quantitative risk analysis uses financial or other numerical impact, likelihood becomes a probability
This type of analysis can be used within a business case to justify investments:
- Annual rate of occurrence (ARO): the probability that a specific risk will occur in a single year. It is calculated based on the expectation of how frequently the risk is likely to occur. An event that occurs once every 50 years has an ARO of 2%
- Single loss expectancy (SLE): the expected financial loss due to a risk, each time that the risk occurs. SLE is calculated based on the average cost incurred if the risk happened; typically expressed in financial terms
- Annualized loss expectancy (ALE): the expected financial loss due to a risk, averaged over a one-year period. ALE is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO). The calculated result can be compared to the cost of controls so an informed decision can be made (e.g., how much to invest in managing a specific risk)
Quantitative analysis is time consuming; use both types. When qualitative exceeds a specific limit, dive deeper using quantitative methods
1.5 Treat, monitor, and review risks
Document accepted risks, communicate to the stakeholder, and regularly review for changes in probability, impact, or the cost of controls
When a risk is accepted, design and implement suitable controls (method to mitigate or overcome a risk)
Regularly review controls for compliance as well as actions taken if the control isn’t being followed: Define appropriate controls across all four dimensions of service management
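The two-stage analysis described in 1.3 to 1.5 (qualitative grid first, quantitative ARO/SLE/ALE when a risk scores above a limit, then comparing ALE against the cost of a control and checking the accepted residual against the risk appetite) can be expressed as a small risk-register helper. The following is an added example, not material from the ITIL course or the notes above; the three-point low/medium/high scale, the escalation threshold of 4, the sample risks and all figures are constructed for illustration.

```python
"""Two-stage risk analysis for a risk register (illustrative, constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scale: ITIL does not prescribe one, a three-point scale is assumed here.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Qualitative score (impact x likelihood) at or above which a risk is escalated
# to quantitative analysis. The value 4 is an assumption for this example.
ESCALATION_THRESHOLD = 4


@dataclass
class Risk:
    name: str
    impact: str                            # low / medium / high
    likelihood: str                        # low / medium / high
    sle: Optional[float] = None            # single loss expectancy per occurrence
    years_between: Optional[float] = None  # expected years between occurrences
    control_cost: Optional[float] = None   # annual cost of the proposed control
    control_reduction: float = 0.0         # fraction of the ALE the control removes


def qualitative_score(risk: Risk) -> int:
    """Position on the impact/likelihood grid; higher means nearer the top-right corner."""
    return LEVELS[risk.impact] * LEVELS[risk.likelihood]


def aro(years_between: float) -> float:
    """Annual rate of occurrence: once every N years gives an ARO of 1/N."""
    return 1.0 / years_between


def ale(sle: float, annual_rate: float) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return sle * annual_rate


def evaluate(risk: Risk) -> dict:
    """Produce the register entry: qualitative first, quantitative only when escalated."""
    entry = {"name": risk.name, "score": qualitative_score(risk)}
    if entry["score"] < ESCALATION_THRESHOLD:
        # Below the limit: no quantitative figures, so the residual loss is left unquantified.
        entry.update(treatment="accept (qualitative only)", residual_ale=None)
        return entry
    if risk.sle is None or risk.years_between is None:
        entry.update(treatment="needs quantitative data", residual_ale=None)
        return entry
    rate = aro(risk.years_between)
    current_ale = ale(risk.sle, rate)
    entry.update(aro=rate, ale=current_ale)
    if risk.control_cost is None:
        entry.update(treatment="needs control proposal", residual_ale=current_ale)
        return entry
    avoided_loss = current_ale * risk.control_reduction  # expected annual loss the control removes
    if avoided_loss > risk.control_cost:
        entry.update(treatment="implement control", residual_ale=current_ale - avoided_loss)
    else:
        # The control costs more per year than the loss it prevents: accept and monitor.
        entry.update(treatment="accept (control not cost-justified)", residual_ale=current_ale)
    return entry


def build_register(risks: List[Risk]) -> List[dict]:
    return [evaluate(r) for r in risks]


def total_residual_ale(register: List[dict]) -> float:
    """Sum of quantified residual annual loss across accepted and treated risks."""
    return sum(e["residual_ale"] for e in register if e["residual_ale"] is not None)


def within_appetite(register: List[dict], risk_appetite: float) -> bool:
    """Governance check: the accepted residual loss must not exceed the risk appetite."""
    return total_residual_ale(register) <= risk_appetite


# Constructed sample risks; none of these figures come from the course material.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "high", "medium", sle=250_000, years_between=4,
         control_cost=20_000, control_reduction=0.8),        # ALE 62,500; control avoids 50,000
    Risk("Expired TLS certificate outage", "medium", "high", sle=30_000, years_between=2,
         control_cost=2_000, control_reduction=0.95),        # ALE 15,000; control avoids 14,250
    Risk("Regional power outage", "medium", "medium", sle=50_000, years_between=50,
         control_cost=8_000, control_reduction=1.0),         # ARO 2%, ALE 1,000 < control cost
    Risk("Printer outage", "low", "low"),                    # stays qualitative
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for entry in register:
        print(entry)
    print("total residual ALE:", total_residual_ale(register))
    print("within appetite of 20,000:", within_appetite(register, 20_000))
```

The "Regional power outage" entry reproduces the once-in-50-years case from the notes (ARO 0.02) and shows why quantitative analysis matters: the qualitative grid flags it as worth a closer look, but the ALE of 1,000 against an 8,000-per-year control makes accepting and monitoring the better decision, which is then recorded in the register and counted against the appetite.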