Understanding risk management

‘ITIL is the most widely accepted approach to IT service management worldwide’, quotes AXELOS. Using ITIL best practices can help businesses, organizations, and individuals adapt and embrace change, transformation, and growth. The process enables businesses and individuals to maximize value from their digital services, including IT. Aligned to the business strategy, this will help meet customer needs and develop better procedures with service providers.

Research carried out by AXELOS highlighted that ITIL’s best practices is a fundamental element when aligning business requirements and enabling the business or individual to support their core processes.

While the management of risk within ITIL is not a defined process, there is a recognized framework many adopt through the ITIL lifecycle. Risk is defined as ‘a possible event that could cause loss/harm or affect the ability to achieve objectives’. The ITIL Risk Management process helps businesses identify, assess, and prioritize potential business risks. A risk matrix will highlight a potential risk and its threat level.

The risk matrix

A risk matrix is a set of categories that define the probability of a risk occurring. It uses a simple mechanism that categorizes the severity of the risk, i.e. Critical, Marginal, and Negligible. They’re then matched with the probability of that risk occurring, i.e. Definitely, Likely, Possibly, and Unlikely.

So, the matrix lets businesses individually assess each risk, its threat level, and the likelihood of that risk occurring. Using a risk matrix improves the visibility of this potential risk and its threat impact. This helps risk owners and management in their decision-making process.

The risk management process

The main objectives of ITIL’s risk management process are to identify, assess, and control risks that have been identified using a risk matrix. This may involve analysing business assets, threats to those assets, monitoring threat parameters, and evaluating the business’s vulnerability to those threats. There are a number of stages to ITIL risk management which are:

• Identify and characterize threats
• Assess vulnerability of critical assets to specific threats
• Determine the probability of risks and their impact
• Identify ways to reduce risks
• Prioritize risk reduction measures
• Continuously monitor risk factors

Risk management sub-processes

As well as these stages alongside the risk matrix, there are also four principle sub-processes to the ITIL risk management framework:

1. Risk management support – defining the roles and responsibilities of those involved in ITIL risk management. This sub-process details how to identify a risk, the level of risk that an organization is prepared to allow, and the duties carried out by IT employees.

2. Business impact and risk analysis – measuring the impact of risk to the organization and determining the probability and/or vulnerability of the risk occurring.

3. Assessment of required risk mitigation – determining the risk mitigation measures required and allocating a Risk Owner to the identified risks.

4. Risk monitoring – continuously monitoring the progress of risk mitigation measures and counter-measures that have been implemented. This includes taking action to correct where necessary.

Establish a Risk Register to keep a record of risks and mitigation measures. Once an organization has detailed how they are approaching ITIL risk management, a Risk Management Policy can be written. The policy will detail how the organization approaches ITIL risk, how it is detected, assessed, controlled, and monitored. It also identifies who is responsible for managing ITIL risk.

The Deming cycle, also known as the PDCA cycle, can be used to help improve an ITIL management process and form part of a risk management process model. It is built around four steps: Plan, Do, Check, and Act:

• Plan – using gap analysis, establish a plan to fill the gaps via a set of activities that improve risk management.

• Do – implementing the improvement activities identified by the gap analysis. This may involve updating the process.

• Check – monitoring, measuring, and assessing the results of the improvements.

• Act – the activities that have been identified and implemented in the previous steps.

Risk management is a vital part of ITIL. This continuous process changes and develops over time. As businesses change and grow, transitioning to a digital world and adopting new IT services and technology, the use of an ITIL risk management process model helps to monitor existing potential risks, as well as identify any new risks and their threat level to the organization.  Without these measures businesses open themselves up to unnecessary and avoidable attacks.  Controlling the risk will aid any organisation in reducing threats to the overall business.