Management of Risk and its integration within ITIL


Upload: hdoornbos

Post on 07-Aug-2015


Page 1: Management of Risk and its integration within ITIL

1 Copyright © Hervé Doornbos 2015. All Rights Reserved

MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL

Version 1 – 06/06/2015 © 2015 - Hervé Doornbos

Page 2: Management of Risk and its integration within ITIL


MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL

Ⅰ INTRODUCTION

Ⅱ INTEGRATING RISK WITHIN ITIL

Ⅲ RISK PROCESSES DETAILS

Page 3: Management of Risk and its integration within ITIL


INTRODUCTION – ITIL OVERVIEW

[ITIL overview diagram; legend: Phase, Process, Function]

Service Strategy (phase): Strategy Management for IT Services, Service Portfolio Management, Financial Management for IT Services, Demand Management for IT Services, Business Relationship Management

Service Design (phase): Design Coordination, Service Catalogue Management, Service Level Management, Capacity Management, Availability Management, IT Service Continuity Management, Information Security Management, Supplier Management

Service Transition (phase): Transition Planning and Support, Service Asset and Configuration Management, Change Management, Release and Deployment Management, Service Validation and Testing, Change Evaluation, Knowledge Management

Service Operation (phase): Event Management, Incident Management, Access Management, Request Fulfillment, Problem Management

Continual Service Improvement (phase): Seven-step improvement process

Functions: Service Desk, Technical Management, IT Operations Management, Application Management

Page 4: Management of Risk and its integration within ITIL


INTRODUCTION – ITIL OVERVIEW

[Same ITIL overview diagram as Page 3, extended with Out-of-ITIL Functions: Metrology, Reporting, Service Mgt. Office, Project Mgt. Office]

ITIL interfacing with other (out-of-ITIL) functions is already common practice

What about RISK ???

Page 5: Management of Risk and its integration within ITIL


INTRODUCTION – RISK FRAMEWORK OVERVIEW

Enterprise Risk Frameworks
• ERM COSO Enterprise Risk Management
• ISO 31000:2009 and its former IT security variant ISO 27001 / ISO 27002
• COBIT 5 for Risk [formerly Risk IT and Val IT]
• OGC Management of Risk M_o_R [and OGC M_o_V]

ERM Maturity Model
• RIMS Risk Maturity Model (RMM)

Other Risk Guidance / IT Risk processes
• CMMI-SVC Risk Management (RSKM) process
• TIK IT Risk Framework
• Project Risk Management (PRINCE2, PMP, …)

Page 6: Management of Risk and its integration within ITIL


INTRODUCTION – RISK MANAGEMENT INTEGRATION WITHIN ITIL

According to OGC, risk management is integrated throughout the service lifecycle and covers the following in ITIL:

Problem management • Proactive and reactive, with the goal of reducing the impact of service outages

Change management • Helps reduce risks, minimize the potential negative impact of change, and reduce the risk of an undesirable outcome

Service delivery (SLM, SCM, Capacity, Availability, Financial) • Supports easy maintenance of services via a careful design

Availability management • Focuses on reliability and putting in place alternative options to ensure the service continues

IT service continuity • Assessing risk to ensure overall continuity for the business

And also ‘Appendices’ referencing Risk Frameworks, with a focus on OGC M_o_R

“Decision-making should include determining any appropriate actions to take to manage the risks to a level deemed to be acceptable by the organization” (SS, appendix E)

Page 7: Management of Risk and its integration within ITIL


INTRODUCTION – CRITICIZING RISK PRACTICE WITHIN ITIL

Information about Risk Management found in the ITIL books
• A section about "risks", containing a definition of risk and information on a Risk Management Framework
• Some clues about how to implement risk management across the framework
• Some clues about the tools and the risks that are already known
• Some risks are enumerated

What is missing in the ITIL books
• An explanation of how to proceed to cover risk management
• Guidelines on how to deal with the enumerated risks
• A complete tool list for risk assessment, with detailed information

Despite M_o_R being referred to in the ITIL books, it is unclear whether this is the official way to treat risk, and how to implement this risk management framework in ITIL

Page 8: Management of Risk and its integration within ITIL


INTRODUCTION – WHY RISK MGT. ? IT RISK MGT. BENEFITS

1. Increased consistency and communication of risks within the IT organization
• Provides a standard terminology and conceptual framework for all members of the IT organization
• Visualizes the linkage between expectations and the risks associated with them
• Shares data and information relative to 'risks to achievement of objectives and plans' across IT

2. Enhanced reporting and analysis of IT risks, supporting better decisions
• Enables better informed and more believable plans, schedules and budgets
• Enables objective comparison of alternatives
• Increases the likelihood of delivery of desired outcomes

3. Improved focus, attention and perspective on risk data
• Provides a means to further identify and assess key risk indicators

4. More efficient and effective activities related to regulatory, compliance and audit matters
• Since risk data involves identifying and monitoring controls and mitigations relevant to various risks across IT, it provides an effective means for leveraging and reducing the effort and cost of such audits and reviews

5. More cost-effective management and monitoring of IT risks
• Through all of the benefits noted above

Page 9: Management of Risk and its integration within ITIL


EXISTING RISK FRAMEWORKS – RISK DEFINITION(S)

As many definitions as Frameworks

OGC: an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives

ISO: Effect (positive and/or negative deviation from the expected) of uncertainty (state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood) on objectives. Risk is often expressed in terms of a combination of the consequences of an event – including changes in circumstances – and the associated likelihood of occurrence

COSO ERM

TIK IT Risk Framework formula

Formulas shown on the slide:

$$\text{Risk} = \frac{\text{Threat} \times \text{Vulnerability}(\text{Asset}) \times \text{Valuation}(\text{Asset})}{\text{CounterMeasureScore}}$$

$$\text{Risk} = \text{Likelihood} \times \text{Business Impact}$$

Other definitions may be found on http://en.wikipedia.org/wiki/IT_risk

Page 10: Management of Risk and its integration within ITIL


CONVENTIONS USED IN THIS DOCUMENT

Scope: Limited to IT Risks, as defined herein

Definitions

Threat • Anything that is capable of acting against an asset in a manner that can result in harm

Event • Something that happens at a specific place and/or time

Vulnerability • A weakness in design, implementation, operation or internal control

Impact • The net effect on the achievement of business objectives

Risk • A probable situation with frequency and magnitude of loss

IT Risk • The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

Risk register • A repository of the key attributes of potential and known risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition

Page 11: Management of Risk and its integration within ITIL


CONVENTIONS USED IN THIS DOCUMENT

Definitions (cont.)

Risk profile • A representation at a given point in time of an organization’s overall exposure to a group of risks (i.e. a quantitative analysis of the types of threats an organization faces). Multiple risk profiles may be developed, per business unit, service, … or per any other organization component

Risk scenario • The description of an event that can lead to a business impact

Countermeasure • Any process that directly reduces a threat or vulnerability

Control activities • The means of managing risk, including policies, procedures, guidelines, practices or organizational structures

Resilience • The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Risk Avoidance • The process for systematically avoiding risk, constituting one approach to managing risk

Risk Mitigation • The management of risk through the use of countermeasures and controls

Risk Transfer • The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Page 12: Management of Risk and its integration within ITIL


CONVENTIONS USED IN THIS DOCUMENT

[Illustrations: Threat, Asset, Event]

Threat, Asset, and Event having been illustrated, Risk = Event likelihood during a determined period of time (the result of the Event in this case is an Impact whose magnitude is a Disaster)

Images from http://www.iffo-rme.fr/le-risque-majeur

Page 13: Management of Risk and its integration within ITIL


BASICS OF RISK – CONCEPTS

In the Unknown Universe, nothing can be anticipated, as in Star Trek. New situations occur sometimes, and we do not know what or when

In the Uncertain Universe, we know which event could happen, but we don’t know when

In the Risky Universe, we know all possible events and their probability or likelihood, exactly as when we play Russian roulette

In the Secure Universe, all unacceptable risks have been eliminated using proper countermeasures

[Diagram labels: Unknown Universe, Uncertain Universe, Risky Universe, Secure Universe]

Page 14: Management of Risk and its integration within ITIL


BASICS OF RISK – RISK DUALITY

The word Risk refers to situations where the decision-maker can assign mathematical probabilities to the randomness of the situation

Risk is however a dual term, referring to:
• Opportunity, which is a risk with positive effects
• Threat, which is a risk with negative effects

Threat: destroyed value and/or undelivered benefits • Unrealized or reduced business value • Missed business opportunities • Adverse events destroying value

Opportunity: business benefits and/or preserved value • New business opportunities • Enhanced business opportunities • Sustainable competitive advantage

Risks must be Optimized

Page 15: Management of Risk and its integration within ITIL


BASICS OF RISK – RISK APPETITE AND TOLERANCE POLICIES

Risk Appetite
• Amount of risk a company is prepared to accept when trying to achieve its objectives
• Can be defined in practice in terms of combinations of frequency and business impact of a risk
• Will be different amongst enterprises: no absolute norm or standard of what constitutes acceptable and unacceptable risk

Risk Tolerance
• Tolerable deviation from the level set by the risk appetite and business objectives
• The cost of the risk response affects the risk tolerance

Ideally defined at the enterprise level and reflected in company policies. May change over time depending on internal factors (new organization...) and external factors (new technologies...)

Page 16: Management of Risk and its integration within ITIL


BASICS OF RISK – RISK OVER TIME – UNCERTAINTY

Some risks are dynamic and require continual ongoing monitoring and assessment. Other risks are more static and require reassessment on a periodic basis, with ongoing monitoring triggering an alert to reassess sooner should circumstances change

[Diagram: Risk against Time. Initial Strategy, then Revision Point / Revise Strategy, then Revision Point / Revise Strategy]

Uncertainty increases with a longer Time Horizon

Page 17: Management of Risk and its integration within ITIL


BASICS OF RISK – RISK OVER TIME – KEY RISK INDICATOR(S)

Key Risk Indicators (KRIs) are indicators that are predictive regarding changes in the risk profile

They enable timely action to be taken to deal with emerging issues

[Diagram: Risk and Indicator against Time. Initial Strategy, then KRIs Trigger Point / Revise Strategy, then KRIs Trigger Point / Revise Strategy]

Page 18: Management of Risk and its integration within ITIL


BASICS OF RISK – LINKING OBJECTIVES TO KRIS

Mapping ‘Risks’ to ‘IT Objectives’ via the ‘Critical Success Factors’ puts management in a position to begin identifying the most critical metrics that can serve as leading Key Risk Indicators

The link between the Risk and the KRI is often a ‘causal map’ (what is the root cause of the Event?)

[Diagram: GOAL → Objective 1 (KGI1), Objective 2 (KGI2) → CSF1 … CSF5 → Risk 1 … Risk 4 → KRI 1 … KRI 4]

Page 19: Management of Risk and its integration within ITIL


MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL

Ⅰ INTRODUCTION

Ⅱ INTEGRATING RISK WITHIN ITIL

Ⅲ RISK PROCESSES DETAILS

Page 20: Management of Risk and its integration within ITIL


INTEGRATING RISK WITHIN ITIL – TYPES OF INTEGRATION

Type I: Mapping missing process(es) in ITIL

Type II: Adoption of an Enterprise Risk Management (ERM) Framework and either one or both of:

• Top-down integration of ITIL processes within ERM, creating original scenarios based on Enterprise objectives

• Bottom-up integration of ITIL processes into ERM by adapting generic Risk Scenarios to ITIL phases

Page 21: Management of Risk and its integration within ITIL


INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE II

• Ensures full alignment with Enterprise Objectives
• Requires an ERM Framework to be in place
• Drastic Enterprise change if ‘ex-nihilo’ project

e.g.: OGC ITIL® and Corporate Risk Alignment Guide

Page 22: Management of Risk and its integration within ITIL


INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE I

• Reinforces ITIL processes with Risk Elements
• Adds Process(es) to the ITIL scope
• Minor adaptation of ITIL processes
• Responds to a limited category of Risk (mainly internal, tactical and operational)

Suggested starting point for integrating Risk Management within ITIL

Page 23: Management of Risk and its integration within ITIL


INTEGRATING RISK WITHIN ITIL – TYPE I ADAPTED ITIL MODEL

[Type I adapted ITIL model: the same phases, processes and functions as the ITIL overview (Page 3), plus the Out-of-ITIL Functions Metrology, Reporting, Service Mgt. Office and Project Mgt. Office; legend: Phase, Process, Function, Out-of-ITIL Function, Added Process]

Added Processes:
• Service Strategy: Prepare for Risk Management
• Service Design: Risk Management
• Continual Service Improvement: Opportunities Prioritization Process

Page 24: Management of Risk and its integration within ITIL


TYPE I ADAPTED ITIL MODEL – RESPOND TO OPPORTUNITIES

[Same Type I adapted ITIL model as Page 23, highlighting the Opportunities Prioritization Process]

Opportunity Management
• B*Cases
• Prioritizing Improvement Initiatives
• Allocating resources

Refer to my presentation “Adopting Continual Improvement – A practical viewpoint”. Not presented here

Page 25: Management of Risk and its integration within ITIL


TYPE I ADAPTED ITIL MODEL – RESPOND TO THREATS

[Same Type I adapted ITIL model as Page 23, highlighting Risk Management]

Threat Management (Risk Management)
• Risk sources and categories
• Risk Strategy
• Risk Evaluation
• Risk Mitigation

Page 26: Management of Risk and its integration within ITIL


TYPE I ADAPTED ITIL MODEL – THREAT MGT. ELEMENTS

Threat Management Elements
• Risk
• Key Risk Indicator (KRI)
• Risk Response

[Same Type I adapted ITIL model as Page 23]

Page 27: Management of Risk and its integration within ITIL


MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL

Ⅰ INTRODUCTION

Ⅱ INTEGRATING RISK WITHIN ITIL

Ⅲ RISK PROCESSES DETAILS

Page 28: Management of Risk and its integration within ITIL


OVERVIEW – WHOLE PROCESS

Service Strategy – Prepare for Risk Management: Determine IT risk sources and categories → Define Risk Parameters → Establish a Risk Management Strategy

Service Design – Risk Management: Evaluate Risks → Respond to Risks → Monitor Risks

Communication

Page 29: Management of Risk and its integration within ITIL


OVERVIEW – LINKS BETWEEN IT RISK MGT. AND ITIL PROCESSES

Page 30: Management of Risk and its integration within ITIL


ROLE – IT RISK MGT. PROCESS OWNER

• Overall responsibility for the development and implementation of the Risk Project
• Negotiates funding, scope, approach and timing of the Risk Process deployment with IT management
• Defines and regularly chairs a Risk Committee, which will set risk appetite and tolerance levels for IT in alignment with Business Objectives
• Writes and submits the risk management policy to the Risk Committee
• Defines and implements the risk management process
• Reinforces and formalizes management commitment by clearly articulating the roles and responsibilities
• Sets up the required organizational structures
• Ensures that the parameters of the Risk Framework are set, that the Risk Profile is maintained, and that Risk Reporting and Communication support risk-aware IT decisions
• May escalate to the Risk Committee
• Establishes and maintains a common Risk View
• Promotes a risk-aware culture

Page 31: Management of Risk and its integration within ITIL


ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT

Prepare for risk management by establishing and maintaining a strategy for identifying, analyzing, and responding to risks. Produces CSFs, risk scale, and main boundaries

Main practices

Determine IT risk sources and categories
• Top-down approach: Processes, CSF, Risk sources
• Bottom-up approach: Typical list of risk sources

Define Risk Parameters
• Consistent risk scale
• Tolerance per risk category
• Risk management requirements
• Risk response bounds

Establish a Risk Management Strategy
• Scope of the risk management effort
• Methods, tools
• Communication
• Risk management plan

Page 32: Management of Risk and its integration within ITIL


ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT

Phase 1 – Determine Risk Sources and Categories

List Risk Sources
• Top-down approach: list the Critical Success Factors (CSF) of all implemented processes, then list all risk sources associated with them
• Bottom-up approach: adapt a typical list of risk sources (from a framework)

Collect and organize risks in categories, for example using factors such as:
• Phases of the work lifecycle
• Types of processes used
• Types of products used
• Work management risks (e.g., contract risks, budget risks, schedule risks, resource risks)
• Technical performance risks (e.g., quality attribute related risks, supportability risks)

Page 33: Management of Risk and its integration within ITIL


ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT

Phase 2 – Define Risk Parameters

Define a scale to gauge risks: define consistent criteria for evaluating and quantifying risk likelihood and severity levels
• One way of providing a common basis for comparing dissimilar risks is assigning financial values to the risk impact through a process of risk monetization
• Often an “Impact X Frequency” matrix, which is then translated into a risk level scale

Categorize Risks and define tolerance parameters per category
• Risk evaluation, categorization, and prioritization criteria

Define risk management requirements
• Control and approval levels
• Reassessment intervals

Define bounds to scope the extent of the risk management effort
• The objective of bounds is to avoid excessive resource expenditures
• Bounds can include the exclusion of a risk source from a category

Page 34: Management of Risk and its integration within ITIL


ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT

Phase 3 – Establish Risk Management Strategy

Output of this phase
• Scope of the risk management effort
• Methods and tools. For example “IT asset valuation”, which can be done by assigning financial values to IT assets through a process of monetization (which can also be used for risk monetization), either by:
– Assigning IT costs to IT assets (purchase, licensing, maintenance…)
– Valuing data stored in, and/or information flowing through, those IT assets
– Looking at the business value supported by these IT assets, using the Configuration Management System
• Risk Communication plan

The strategy should be documented in a risk management plan and reviewed with relevant stakeholders to promote commitment and understanding
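As an added worked example (not from the presentation), the Python below carries out the three valuation routes listed above against a small Configuration Management System extract: direct IT costs and data value per asset, plus the business value of the services each asset supports, found by walking the CMS dependency links. The CI names, all figures, and the rule that a service's full business value is attributed to every asset it depends on (a worst-case "lose the asset, lose the service" view) are constructed assumptions.

```python
"""IT asset valuation by monetization, driven from a constructed CMS extract."""
from collections import defaultdict

# Constructed CMS extract (assumption, not a real CMS). Services carry a business
# value; assets carry direct IT costs (purchase, licensing, maintenance) and the
# value of the data they store or carry. depends_on lists supporting CIs.
CMS = {
    "crm-service": {"type": "service", "business_value": 600_000, "depends_on": ["crm-app", "crm-db"]},
    "hr-service":  {"type": "service", "business_value": 200_000, "depends_on": ["hr-app", "crm-db"]},
    "crm-app":     {"type": "asset", "it_cost": 40_000, "data_value": 20_000, "depends_on": ["vm-host-1"]},
    "hr-app":      {"type": "asset", "it_cost": 15_000, "data_value": 50_000, "depends_on": ["vm-host-1"]},
    "crm-db":      {"type": "asset", "it_cost": 30_000, "data_value": 150_000, "depends_on": ["san-1"]},
    "vm-host-1":   {"type": "asset", "it_cost": 25_000, "data_value": 0, "depends_on": []},
    "san-1":       {"type": "asset", "it_cost": 60_000, "data_value": 0, "depends_on": []},
}


def supporting_assets(ci: str, cms: dict = CMS) -> set:
    """Every asset reachable from ci through depends_on links (transitive, cycle-safe)."""
    seen, stack = set(), list(cms[ci]["depends_on"])
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(cms[name]["depends_on"])
    return seen


def supported_business_value(cms: dict = CMS) -> dict:
    """Business value each asset supports.

    Assumption: a service's whole business value is attributed to each asset it
    (transitively) depends on, i.e. the loss of any one of them takes the service down.
    """
    value = defaultdict(int)
    for name, ci in cms.items():
        if ci["type"] == "service":
            for asset in supporting_assets(name, cms):
                value[asset] += ci["business_value"]
    return dict(value)


def asset_valuation(cms: dict = CMS) -> dict:
    """Valuation per asset = IT costs + data value + supported business value."""
    supported = supported_business_value(cms)
    return {
        name: ci["it_cost"] + ci["data_value"] + supported.get(name, 0)
        for name, ci in cms.items() if ci["type"] == "asset"
    }


def rank_assets(cms: dict = CMS) -> list:
    """Assets ordered from highest to lowest valuation (input to risk evaluation)."""
    valuation = asset_valuation(cms)
    return sorted(valuation, key=valuation.get, reverse=True)


if __name__ == "__main__":
    for name in rank_assets():
        print(f"{name:10s} {asset_valuation()[name]:>9,}")
```

Shared infrastructure (the SAN and the hypervisor host) ends up valued above the applications that run on it, because it inherits the business value of every service above it; that is exactly the kind of dependency the CMS makes visible and that a per-asset cost figure alone would miss.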

Page 35: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK MANAGEMENT

Evaluate operational risks, respond to them, and monitor them

Main practices (following Prepare for Risk Mgt.)

Evaluate Risks
• Identify Risks
• Analyze, Categorize, and Prioritize Risks
• Maintain risk profile

Respond to Risks
• Develop Risk Responses
• Implement Validated Risk Responses

Monitor Risks
• Monitor KRIs to detect changes in Risk Profile
• Monitor the progress of counter-measure implementation
• Collect all necessary and relevant risk data
• Communicate and report

Page 36: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK MANAGEMENT

Phase 1 – Evaluate Risks

Collect data and Identify Risks for the New Service
• Analysis of the asset’s value to the Business, using the valuation tools provided by the prepare phase
• Identification and classification of the threats to those assets, using the identified risk sources and the prepared risk classification (recorded in the risk register)

Analyze, Categorize, and Prioritize Risks
• Evaluation of how vulnerable each asset is to its related threat
• Define KRIs for the identified Risks, and their thresholds with associated actions or tolerance level
• Select risks above tolerance level as output for the 2nd phase of the risk management

Maintain risk profile
• Record risks and associated data in the risk register

Page 37: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK REGISTER RECORD

Record Parts: Record Detail [Examples]

Risk Summary: Risk Statement; Risk Owner; Risk Category; Risk Rating (copied from Risk Analysis Results); Risk Response Decision [Accept, Transfer, Mitigate, Avoid]; Record Kept Up-to-date? [Date of Last Assessment, Due Date for Update]

Risk Description: Title; High Level Scenario; Detailed Scenario [Actor, Threat Type, Event, Asset/Resource, Timing]

Risk Analysis Results: Scenario Frequency; Scenario Business Impact Rating [= F(Productivity Loss Rating, Cost of Response Rating, Competitive Advantage Rating, Legal Risk Rating)]; Risk Rating

Risk Response: Risk Response Decision [Accept, Transfer, Mitigate, Avoid]; Detailed Response Description; Status of Risk Action Plan [Overall Status, Major Issues, Completed Responses]

Risk Indicators: KRI for this Risk; Controls
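The following Python is an added illustration, not part of the presentation, tying together three of the slides above: the Phase 2 parameters of Page 33 (an "Impact X Frequency" matrix translated into a risk level scale, and a tolerance per risk category), the Phase 1 selection of risks above tolerance level from Page 36, and the record parts of the register table just shown. The 5x5 matrix cells, the rule that F(...) aggregates the four business impact sub-ratings as the worst case, the three sample records, the tolerance values and the reassessment intervals are all constructed assumptions.

```python
"""Risk register records rated on an Impact x Frequency matrix and screened against tolerance."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# "Impact X Frequency" matrix translated into a risk level scale (assumed cells).
# Rows: frequency 1 (rare) .. 5 (almost certain); columns: impact 1 (negligible) .. 5 (severe).
_MATRIX = [
    [Rating.LOW,    Rating.LOW,    Rating.LOW,    Rating.MEDIUM,   Rating.MEDIUM],
    [Rating.LOW,    Rating.LOW,    Rating.MEDIUM, Rating.MEDIUM,   Rating.HIGH],
    [Rating.LOW,    Rating.MEDIUM, Rating.MEDIUM, Rating.HIGH,     Rating.HIGH],
    [Rating.MEDIUM, Rating.MEDIUM, Rating.HIGH,   Rating.HIGH,     Rating.CRITICAL],
    [Rating.MEDIUM, Rating.HIGH,   Rating.HIGH,   Rating.CRITICAL, Rating.CRITICAL],
]


def rate(frequency: int, impact: int) -> Rating:
    """Risk Rating for a scenario frequency and business impact, both on the 1..5 scale."""
    if not (1 <= frequency <= 5 and 1 <= impact <= 5):
        raise ValueError("frequency and impact must be on the 1..5 scale")
    return _MATRIX[frequency - 1][impact - 1]


@dataclass
class RiskRecord:
    """One register record, laid out after the record parts of the register table."""
    title: str                        # Risk Description
    owner: str                        # Risk Summary
    category: str                     # Risk Summary (tolerance is set per category)
    high_level_scenario: str          # Risk Description
    detailed_scenario: dict           # Actor, Threat Type, Event, Asset/Resource, Timing
    frequency: int                    # Risk Analysis Results: scenario frequency 1..5
    impact_components: dict           # productivity_loss, cost_of_response, competitive_advantage, legal_risk
    last_assessed: date               # Record Kept Up-to-date?
    review_interval_days: int         # reassessment interval (a Phase 2 parameter)
    response: str = "Accept"          # Accept, Transfer, Mitigate, Avoid
    kris: list = field(default_factory=list)      # Risk Indicators
    controls: list = field(default_factory=list)  # Risk Indicators

    def business_impact(self) -> int:
        # Assumption: F(...) keeps the worst of the four sub-ratings.
        return max(self.impact_components.values())

    def rating(self) -> Rating:
        return rate(self.frequency, self.business_impact())

    def due_for_update(self, today: date) -> bool:
        return today > self.last_assessed + timedelta(days=self.review_interval_days)


def above_tolerance(register: list, tolerance: dict) -> list:
    """Phase 1 output: records rated strictly above the tolerance of their category."""
    return [r for r in register if r.rating() > tolerance[r.category]]


def overdue(register: list, today: date) -> list:
    """Records whose reassessment interval has elapsed."""
    return [r for r in register if r.due_for_update(today)]


# Constructed sample register and per-category tolerance (assumptions).
SAMPLE_REGISTER = [
    RiskRecord("Backup restore fails", "Ops manager", "Operational",
               "Backups cannot be restored after a storage failure",
               {"actor": "hardware", "threat_type": "failure", "event": "disk loss", "asset": "backup system", "timing": "any"},
               frequency=2, impact_components={"productivity_loss": 4, "cost_of_response": 3, "competitive_advantage": 1, "legal_risk": 2},
               last_assessed=date(2015, 1, 10), review_interval_days=90, response="Mitigate",
               kris=["failed restore tests per quarter"], controls=["quarterly restore test"]),
    RiskRecord("Unpatched internet-facing service", "Security manager", "Security",
               "Known vulnerability exploited on an exposed service",
               {"actor": "external", "threat_type": "malicious", "event": "exploitation", "asset": "web front end", "timing": "any"},
               frequency=4, impact_components={"productivity_loss": 3, "cost_of_response": 3, "competitive_advantage": 2, "legal_risk": 5},
               last_assessed=date(2015, 5, 20), review_interval_days=30, response="Mitigate",
               kris=["patches overdue > 30 days"], controls=["monthly patch cycle"]),
    RiskRecord("Key supplier insolvency", "Supplier manager", "Supplier",
               "Hosting supplier ceases operations",
               {"actor": "supplier", "threat_type": "business", "event": "insolvency", "asset": "hosting contract", "timing": "contract term"},
               frequency=1, impact_components={"productivity_loss": 2, "cost_of_response": 2, "competitive_advantage": 3, "legal_risk": 1},
               last_assessed=date(2015, 4, 1), review_interval_days=180, response="Transfer"),
]
SAMPLE_TOLERANCE = {"Operational": Rating.HIGH, "Security": Rating.MEDIUM, "Supplier": Rating.MEDIUM}
SAMPLE_TODAY = date(2015, 6, 6)

if __name__ == "__main__":
    for r in above_tolerance(SAMPLE_REGISTER, SAMPLE_TOLERANCE):
        print(f"{r.rating().name}: {r.title} -> {r.response}")
    for r in overdue(SAMPLE_REGISTER, SAMPLE_TODAY):
        print(f"reassess: {r.title} (last assessed {r.last_assessed})")
```

Keeping the tolerance per category rather than as one enterprise-wide cut-off is what lets a MEDIUM operational risk stay below the line while the same rating on a security risk is escalated; the stale-record check covers the "Record Kept Up-to-date?" part of the register, which is easy to forget once a risk has a response attached.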

Page 38: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK MANAGEMENT

Phase 2 – Respond to Risks (Risks above tolerance level)

Risk Response Options

Accept • No action is taken relative to a particular risk, and the loss is accepted when/if it occurs

Mitigate • Reduce the risk through the use of countermeasures and controls

Transfer • Process of assigning risk to another enterprise (usually through the purchase of an insurance policy or by outsourcing the service)

Avoid, when an unacceptable risk cannot be reduced, shared or transferred • Exiting the activities or conditions that give rise to an unacceptable risk, such as:
– Declining to engage in a very large project when the B*Case shows a notable risk of failure
– Deciding not to use a certain technology or software package because it would prevent future expansion

Page 39: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK MANAGEMENT

Phase 2 – Respond to Risks (Risks above tolerance level)

Risk Response Selection Parameters
• Cost of response to reduce risk within tolerance level
• Risk Level
• Capability to Implement the Response
• Effectiveness of Response
• Efficiency of Response

Develop & Prioritize Risk Response
• Example of prioritization matrix: Risk Level against Effectiveness / cost ratio, with three zones: Quick Wins, Business Case, Defer
• Build the B*Case when needed
• Choose the risk action plan → Validated Risk Response

Implement Validated Risk Responses
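As an added illustration (not from the presentation), the Python below applies the selection parameters above to a set of candidate responses for one risk: it drops candidates the organization is not capable of implementing, computes the effectiveness / cost ratio, places each candidate in one of the three zones of the prioritization matrix, and checks whether the residual risk falls within tolerance. The deck only names the three zones; the zone cut-offs (a ratio of at least 1.0 counts as a good ratio, a risk level of 3 or more counts as high), the monetized exposure figure, the candidates and their numbers are all constructed assumptions.

```python
"""Prioritize candidate risk responses on a Risk Level x (Effectiveness / cost) matrix."""
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    cost: float            # cost of the response
    effectiveness: float   # fraction (0..1) of the risk exposure the response removes
    can_implement: bool    # capability to implement the response

    def reduction(self, exposure: float) -> float:
        """Monetized exposure removed by this response."""
        return self.effectiveness * exposure

    def ratio(self, exposure: float) -> float:
        """Effectiveness / cost ratio: exposure removed per unit of money spent."""
        return self.reduction(exposure) / self.cost


def classify(risk_level: int, ratio: float, high_risk: int = 3, good_ratio: float = 1.0) -> str:
    """Assumed matrix rule: a good ratio is a Quick Win at any risk level; a poor ratio on a
    high risk needs a Business Case to justify the spend; a poor ratio on a low risk is deferred."""
    if ratio >= good_ratio:
        return "Quick Wins"
    if risk_level >= high_risk:
        return "Business Case"
    return "Defer"


def prioritize(risk_level: int, exposure: float, tolerance: float, candidates: list) -> list:
    """Rank feasible candidates by ratio; flag the ones that bring the risk within tolerance
    and the ones for which a B*Case has to be built."""
    rows = []
    for c in candidates:
        if not c.can_implement:            # capability to implement is a hard filter
            continue
        residual = exposure - c.reduction(exposure)
        zone = classify(risk_level, c.ratio(exposure))
        rows.append({
            "name": c.name,
            "ratio": c.ratio(exposure),
            "zone": zone,
            "residual": residual,
            "within_tolerance": residual <= tolerance,
            "needs_business_case": zone == "Business Case",
        })
    rows.sort(key=lambda r: r["ratio"], reverse=True)
    return rows


# Constructed scenario: a CRITICAL (level 4) risk with an annualized exposure of 200,000
# and a tolerance of 50,000 residual exposure (assumptions).
SAMPLE_LEVEL, SAMPLE_EXPOSURE, SAMPLE_TOLERANCE = 4, 200_000.0, 50_000.0
SAMPLE_CANDIDATES = [
    Response("Patch automation", cost=30_000, effectiveness=0.70, can_implement=True),
    Response("Web application firewall", cost=80_000, effectiveness=0.85, can_implement=True),
    Response("Re-platform the application", cost=600_000, effectiveness=0.95, can_implement=True),
    Response("Fully outsourced managed service", cost=250_000, effectiveness=0.50, can_implement=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_LEVEL, SAMPLE_EXPOSURE, SAMPLE_TOLERANCE, SAMPLE_CANDIDATES):
        print(f"{row['zone']:13s} ratio={row['ratio']:.2f} within tolerance={row['within_tolerance']}  {row['name']}")
```

The ranking and the tolerance check answer different questions: the cheapest quick win here does not on its own bring the risk within tolerance, so the validated risk action plan would combine it with the next candidate or justify the expensive one through a business case.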

Page 40: Management of Risk and its integration within ITIL


ITIL DESIGN PHASE – RISK MANAGEMENT

Phase 3 – Monitor Risks

Monitor KRIs to detect changes in Risk Profile
• Monitor Risk proactively by monitoring KRIs
• When a determined threshold is reached, initiate the appropriate management initiative in order to manage the Risk accordingly

Monitor the progress of counter-measure implementation
• Take corrective action when and where required

Collect all necessary and relevant risk data
• KRIs may be computed using and/or complemented by informative data

Communicate and report
• As established in the Risk Communication Plan
• Operational & Tactical/Strategic Communication and Reporting
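An added illustration (not from the presentation) of the KRI monitoring step above: each KRI carries the threshold and the management initiative recorded against its risk in the register, and the monitor reports, for the latest reading, whether the threshold has been reached ("triggered"), whether the indicator is moving towards it ("warning", the predictive use of KRIs from Page 17), or whether it is fine. The KRI definitions, the weekly readings and the three-reading monotonic trend rule are constructed assumptions.

```python
"""KRI threshold and trend monitoring over constructed indicator readings."""
from dataclasses import dataclass


@dataclass
class KRI:
    name: str
    risk: str                    # register record the indicator is attached to
    threshold: float             # level at which the management initiative is triggered
    action: str                  # initiative to launch when the threshold is reached
    higher_is_worse: bool = True # False for indicators such as a pass rate

    def breached(self, value: float) -> bool:
        return value >= self.threshold if self.higher_is_worse else value <= self.threshold


def trend_alert(kri: KRI, readings: list, window: int = 3) -> bool:
    """Assumed predictive rule: the last `window` readings move monotonically towards
    the threshold without having reached it yet."""
    if len(readings) < window:
        return False
    tail = readings[-window:]
    steps = [b - a for a, b in zip(tail, tail[1:])]
    towards = all(s > 0 for s in steps) if kri.higher_is_worse else all(s < 0 for s in steps)
    return towards and not kri.breached(tail[-1])


def evaluate(kri: KRI, readings: list) -> str:
    """'triggered', 'warning' or 'ok' for the latest reading (oldest first)."""
    if not readings:
        return "ok"
    if kri.breached(readings[-1]):
        return "triggered"
    if trend_alert(kri, readings):
        return "warning"
    return "ok"


def monitor(kris: list, data: dict) -> list:
    """data maps KRI name -> readings. Returns one report row per KRI."""
    report = []
    for kri in kris:
        readings = data.get(kri.name, [])
        status = evaluate(kri, readings)
        report.append({
            "kri": kri.name,
            "risk": kri.risk,
            "status": status,
            "latest": readings[-1] if readings else None,
            "initiative": kri.action if status == "triggered" else None,
        })
    return report


def initiatives(report: list) -> list:
    """The management initiatives to launch this reporting period."""
    return [(row["risk"], row["initiative"]) for row in report if row["initiative"]]


# Constructed KRIs (thresholds and actions are assumptions).
SAMPLE_KRIS = [
    KRI("patches overdue > 30 days", "Unpatched internet-facing service", threshold=20,
        action="Raise an emergency change to apply the overdue patches"),
    KRI("failed restore tests per quarter", "Backup restore fails", threshold=2,
        action="Open a problem record against the backup platform"),
    KRI("restore test pass rate %", "Backup restore fails", threshold=90,
        action="Review the backup schedule with the storage team", higher_is_worse=False),
]
# Constructed weekly readings, oldest first.
SAMPLE_READINGS = {
    "patches overdue > 30 days": [4, 6, 9, 14],
    "failed restore tests per quarter": [0, 1, 2],
    "restore test pass rate %": [97, 96, 98, 97],
}

if __name__ == "__main__":
    for row in monitor(SAMPLE_KRIS, SAMPLE_READINGS):
        print(f"{row['status']:9s} {row['kri']} = {row['latest']}")
    for risk, action in initiatives(monitor(SAMPLE_KRIS, SAMPLE_READINGS)):
        print(f"initiate for '{risk}': {action}")
```

The "warning" state is what makes the indicator a leading one: the overdue-patch count has not reached its threshold, but three rising readings in a row are enough to reassess before the trigger point rather than after it.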

Page 41: Management of Risk and its integration within ITIL


ABOUT THE AUTHOR

Hervé Doornbos

20 years of professional experience, 11 years of them in Infrastructure Outsourcing Services. Certified ITIL v3 Expert

Professional Experience
• 20 years of IT experience
• 11 years of experience in Infrastructure Outsourcing, with 5 years of experience as a Service Management consultant
• Definition and implementation of ITIL processes
• Continuous Service Improvement integration into processes
• 4 years as a Skill Group Manager
• 9 years as a technical expert

Career: SIDO & ONIC [2 years], Transiciel [2 years], Oracle [5 years], Capgemini [11 years]

Skills: ITIL v3 / COBIT v5 / Lean IT; IT Service Management; Management; Oracle Expert

Areas of Intervention: IT Service Management; Multi-Sourcing SIAM; Assets, Incident, Problem, Change, Release & Deploy, Configuration, Continual Improvement, Operational processes