ITIL 4 Strategic Leader Certification Course: Risk and Opportunities - Risk Management for Digital Organizations

Risk: a possible event that could cause harm or loss, or make it more difficult to achieve objectives:

  • Negative risk: harm or loss
  • Positive risk: opportunities

Purpose of risk management: ensure organization understands risks and handles them effectively

Risk management approach depends on:

  • Process-based paradigm
  • Model-based paradigm

Digital assets are everywhere: inside and outside the organization, hosted by cloud service providers, in mobile apps… (requires everyone to be aware of the organization's risk management activities and to actively contribute to assessment and mitigation)

Successful digital organizations take small, calculated risks to reduce their overall exposure to risk (prototypes; minimum viable products)

The organization's governing body is responsible for implementing a risk management framework (a risk or audit committee performs its ongoing maintenance)

1. Managing strategic risk

Digital organizations have great opportunities but must also manage the possibility of disruption and risk (failing to manage either can put the organization out of business)

Tactical risk management: identify ways to manage existing risk as well as new threats and vulnerabilities

Strategic risk management: ensure success of the organization in an environment where rules have changed due to digital technology

2. Risk identification

Most risk management frameworks draw on established analysis techniques to identify and categorize risks:

  • PESTLE (political, economic, social, technological, legal, environmental)
  • VUCA (volatility, uncertainty, complexity, ambiguity)
  • TECOP (technical, economic, commercial, organizational, political)
  • OODA loop (observe, orient, decide, act)
  • Porter's five forces analysis
  • Force-field analysis

3. DICE risks

Disruption risks: factors that threaten to disrupt the organization’s business model

Innovation risks: innovation is inherently risky; develop and test in controlled environments; understand the organization's risk appetite and the purpose of the innovation

Cybersecurity risks: digital organizations depend on data, which makes them targets for malicious acts; they must rely on threat intelligence and ensure that identified risks are mitigated

Engagement risks: success depends on a range of stakeholders; engaging the wrong partner, or using an engagement model that does not detect changes in stakeholders, puts the strategy at risk

4. Assess risks: qualitative

Determine the likelihood that a risk will occur and the impact it would have, in order to prioritize the risks that need to be treated first

Risk matrix:

  • Impact x likelihood
  • Eliminate high risks first
  • Low risks are typically accepted but monitored
  • Medium risks are modified or shared

Scenario-based (scenarios allow organizations to evaluate opportunities as well as threats):

  • Describe the opportunity
  • List assumptions
  • Identify variables
  • Project the effects of changing each variable
  • Assess the likelihood and impact of each change
  • Identify actions to mitigate negative risks and to realize positive risks (opportunities)

5. Assess risks: quantitative

Attempts to place a monetary value on risks; expensive and complex, requiring research and analysis

Quantitative calculations:

  • Annualized rate of occurrence (ARO): the expected number of times a risk occurs in a single year (a rate, not a probability: a risk expected once every ten years has ARO 0.1; one expected monthly has ARO 12)
  • Single loss expectancy (SLE): the expected financial loss each time the risk occurs (asset value x exposure factor, the fraction of the asset's value lost per occurrence)
  • Annualized loss expectancy (ALE): the expected financial loss from the risk averaged over one year (SLE x ARO); comparing ALE against the annual cost of a control shows whether treating or retaining the risk is cheaper
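A worked calculation of these figures, added here as an example and not part of the course material. The risks, asset values, exposure factors, AROs and control costs are constructed for illustration, and the cost-benefit step (ALE avoided minus the control's annual cost) is a standard extension of the ALE method that connects the quantitative figures to the retain-or-modify treatment decision covered later in these notes:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A single risk with the inputs the quantitative method needs.

    asset_value:      value of the asset at risk (currency units)
    exposure_factor:  fraction of asset_value lost per occurrence, 0.0..1.0
    aro:              annualized rate of occurrence, expected events per year
                      (0.1 = once a decade; 12.0 = monthly). It is a rate,
                      not a probability, so it may exceed 1.
    """
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss each time the risk materializes."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed risk-modification control and its assumed effect on the risk."""
    name: str
    annual_cost: float
    aro_after: float              # ARO once the control is in place
    exposure_factor_after: float  # exposure factor once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.asset_value * control.exposure_factor_after * control.aro_after


def control_value(risk: Risk, control: Control) -> float:
    """Annual net value of a control: ALE avoided minus what the control costs.

    Positive: the control pays for itself, so modify (reduce) the risk.
    Negative: the control costs more than it saves, so retaining the risk is cheaper.
    """
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Map the cost-benefit figure onto the treatment decision."""
    return "modify" if control_value(risk, control) > 0 else "retain"


def rank_by_ale(risks):
    """Order risks by expected annual loss, highest first, for prioritization."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed figures for illustration only; not taken from any real assessment.
RANSOMWARE = Risk("Ransomware on file server", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
LAPTOP_THEFT = Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=8.0)
CLOUD_OUTAGE = Risk("Cloud region outage", asset_value=500_000, exposure_factor=0.10, aro=0.5)
RISKS = [LAPTOP_THEFT, CLOUD_OUTAGE, RANSOMWARE]

# Hypothetical controls with assumed (constructed) effects on ARO and exposure.
BACKUPS_AND_EDR = Control("Immutable backups + EDR", annual_cost=60_000,
                          aro_after=0.1, exposure_factor_after=0.05)
MULTI_REGION = Control("Active-active multi-region", annual_cost=40_000,
                       aro_after=0.5, exposure_factor_after=0.01)

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:28s} SLE={r.sle:>10,.0f}  ARO={r.aro:<5}  ALE={r.ale:>10,.0f}")
    for risk, control in ((RANSOMWARE, BACKUPS_AND_EDR), (CLOUD_OUTAGE, MULTI_REGION)):
        print(f"{control.name}: net value {control_value(risk, control):,.0f}/yr -> {recommend(risk, control)}")
```

Note that the laptop-theft risk has the smallest SLE but an ARO of 8, which is why ALE rather than SLE alone is the figure to rank on; and the multi-region control is rejected not because it fails to reduce the risk but because its annual cost exceeds the ALE it avoids, which is exactly the acceptance criterion in the treatment section.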

6. Risk posture

Key message: an organization’s overall approach to identifying, analyzing, planning for, responding to, and managing risk

Part of developing a strategy is understanding how much risk an organization is willing to accept:

  • Risk capacity: the total amount of risk that an organization can tolerate
  • Risk appetite: the degree to which an organization will embrace negative risk in pursuit of its objectives

Risk attitude: typical response to risk, based on risk capacity, appetite, tolerance, and thresholds:

  • Risk averse
  • Risk seeking
  • Risk tolerant
  • Risk neutral

7. Risk treatment or mitigation

How the organization prepares for and lessens the impact of the risk via policies, plans, processes, and tools

Risk treatment/mitigation categories:

  • Risk retention/acceptance: the expected loss (impact x probability) is less than the cost of preventing it, so the risk is knowingly accepted and monitored
  • Risk avoidance: the risk is too high (or too expensive to mitigate), so the proposed action is not taken
  • Risk sharing/transfer: invest in a partnership where the partner takes on some or all of the risk (e.g., a cloud service provider, an insurance company…). Risk can be transferred but accountability cannot: the organization remains accountable to its own customers for the outcome
  • Risk modification/reduction: actions taken to reduce impact or probability:
    • Limit access to valuable assets; monitor assets and alert when a breach or misuse is detected
    • Monitor the environment for theft or compromised assets
    • Build in redundancies; use automation to limit errors; respond rapidly

8. Developing a risk-informed mindset/culture

Executives set an organization's risk posture and attitude, and thereby also determine its risk culture

Being risk-aware is not the same as being risk-averse: avoid overreacting; be prepared for events

Within digital organizations:

  • Reward prudent risk-taking: fail fast, learn fast; experiment
  • Do not accept recklessness: common sense must be present (or developed)
  • Achieve via education and awareness programs
