In this tutorial, we will discuss the ITIL Risk Management Process. In this chapter, you will learn what a Risk is in ITIL, what the ITIL Risk Register is, and the Definition, Scope, Objective, Activities, Steps, and Sub-Processes of Risk Management as an ITIL V3 Process.
What is a Risk in ITIL?
ITIL V3 Definition of Risk in exact words: "A possible Event that could cause harm or loss, or affect the ability to achieve Objectives."
As described in ITIL, a Risk is one or more uncertain events that can have either a positive or a negative impact on a business process.
A risk that may have a negative effect on the business is termed a “Threat”, and a risk that may have a positive effect on the business is termed an “Opportunity”.
The intensity of a Risk is measured by combining the probability of a Threat, the Vulnerability of the Asset to that Threat, and the Impact it would have if it occurred.
What is ITIL Risk Management Process?
Risk Management is NOT an officially defined process under ITIL Service Design, and the official ITIL V3 documentation does not describe this process in much detail. Nevertheless, this process/framework is used throughout the ITIL lifecycle.
Based on the picture we get from the ITIL books, ITIL Risk Management is the process of identifying, assessing, and prioritizing potential business risks.
It also defines the economical application of resources to minimize, monitor, and control the probability or impact of threats, or to maximize the realization of opportunities.
Whenever a risk is identified, an entry for it is created in the ITIL Risk Register.
ITIL Risk Management Scope:
Risk Management, in ITIL, is an integral part of the entire ITIL Service Management Lifecycle.
It also coordinates with Information Security Management to identify and assess security threats before they actually occur.
In view of the above, we have decided to discuss the ITIL Risk Management Framework to give you some insight into it. We will not discuss the process in depth, but we will provide the information required for the ITIL Foundation Examination.
ITIL Risk Management Objective:
The primary objective of ITIL Risk Management Process is to identify, assess and control risks. This includes identification of assets, analyzing the value of assets to the business, identifying threats to those assets, evaluating the vulnerability of each asset to those threats, and constant monitoring of threat parameters.
ITIL Risk Management Stages and Activities:
Risk Management, in ITIL, consists of a set of continuous activities or stages, performed more or less in the following order:
- Identify and characterize threats.
- Assess the vulnerability of critical assets to specific threats.
- Determine the risk probability and risk impact.
- Identify ways to reduce those risks.
- Prioritize risk reduction measures.
- Continuously monitor risk factors.
ITIL Risk Management Sub-Process:
ITIL V3 loosely describes four sub-processes under the Risk Management framework.
Below are the objectives and short descriptions about those sub-processes, followed by a diagram illustrating the ITIL Risk Management Process Flow:
1) Risk Management Support:
This sub-process defines the roles and responsibilities of the staff involved in Risk Management. Apart from that, it specifies how risk is quantified, which risks the organization is willing to accept, and which risk management duties IT staff may perform.
2) Business Impact and Risk Analysis:
Responsible for measuring the impact of a risk on the business, and for determining the probability that a threat or vulnerability will actually materialize.
The result of the "Business Impact and Risk Analysis" is the Risk Register (or Risk Log).
3) Assessment of Required Risk Mitigation:
This sub-process is used to determine where risk mitigation measures are required, and to identify a Risk Owner for each identified risk.
4) Risk Monitoring:
Responsible for continuously monitoring the progress of counter-measure implementation, and for taking corrective action where necessary.
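The stages listed above and the four sub-processes describe one pipeline: value the asset, score each threat by probability, vulnerability and impact, record it in the Risk Register, compare it against the risk appetite set in the Risk Management Policy, assign a Risk Owner and counter-measures where needed, and keep monitoring. The following Python is an added illustration of that pipeline; it is not code from the original tutorial or from ITIL itself. The register entries, the numeric scales (probability and vulnerability on 0 to 1, impact as the asset's business value), the risk appetite threshold and the `RiskRegister` API are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One entry in the Risk Register (Risk Log)."""
    risk_id: str
    asset: str
    asset_value: float            # output of Process and Asset Valuation; used as the impact
    threat: str
    probability: float            # likelihood the threat occurs, 0.0 to 1.0 (assumed scale)
    vulnerability: float          # susceptibility of the asset to the threat, 0.0 to 1.0 (assumed scale)
    owner: Optional[str] = None   # Risk Owner, assigned when mitigation is required
    countermeasures: List[str] = field(default_factory=list)
    status: str = "open"

    def __post_init__(self) -> None:
        for name in ("probability", "vulnerability"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")

    def exposure(self) -> float:
        """Risk intensity as the text describes it: probability x vulnerability x impact."""
        return round(self.probability * self.vulnerability * self.asset_value, 2)


class RiskRegister:
    """Risk Register plus the decisions the sub-processes make on top of it."""

    def __init__(self, risk_appetite: float) -> None:
        # Exposure the organization is willing to accept (from the Risk Management Policy).
        self.risk_appetite = risk_appetite
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def prioritised(self) -> List[Risk]:
        """Business Impact and Risk Analysis: highest exposure first."""
        return sorted(self.risks.values(), key=lambda r: r.exposure(), reverse=True)

    def requiring_mitigation(self) -> List[Risk]:
        """Assessment of Required Risk Mitigation: anything above the risk appetite."""
        return [r for r in self.prioritised() if r.exposure() > self.risk_appetite]

    def assign_owner(self, risk_id: str, owner: str) -> None:
        self.risks[risk_id].owner = owner

    def apply_countermeasure(self, risk_id: str, name: str,
                             probability_factor: float = 1.0,
                             vulnerability_factor: float = 1.0) -> float:
        """Record a counter-measure that scales probability and/or vulnerability down;
        returns the residual exposure and closes the risk once it is within appetite."""
        risk = self.risks[risk_id]
        risk.probability = round(risk.probability * probability_factor, 3)
        risk.vulnerability = round(risk.vulnerability * vulnerability_factor, 3)
        risk.countermeasures.append(name)
        if risk.exposure() <= self.risk_appetite:
            risk.status = "mitigated"
        return risk.exposure()

    def monitor(self) -> List[str]:
        """Risk Monitoring: flag open risks above appetite that lack an owner or measures."""
        findings = []
        for r in self.prioritised():
            if r.status != "open" or r.exposure() <= self.risk_appetite:
                continue
            if r.owner is None:
                reason = "no Risk Owner assigned"
            elif not r.countermeasures:
                reason = "no counter-measure recorded"
            else:
                reason = "counter-measures not yet sufficient"
            findings.append(f"{r.risk_id}: exposure {r.exposure()} above appetite "
                            f"{self.risk_appetite}, {reason}")
        return findings


def build_sample_register() -> RiskRegister:
    """Constructed sample data (not from the tutorial): three assets, three threats."""
    reg = RiskRegister(risk_appetite=25.0)
    reg.add(Risk("R1", "payroll database", 500.0, "ransomware", probability=0.3, vulnerability=0.8))
    reg.add(Risk("R2", "internal wiki", 50.0, "disk failure", probability=0.2, vulnerability=0.5))
    reg.add(Risk("R3", "customer portal", 300.0, "denial of service", probability=0.5, vulnerability=0.4))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(r.risk_id, r.asset, r.threat, r.exposure())
    reg.assign_owner("R1", "DBA lead")
    print("R1 residual:", reg.apply_countermeasure("R1", "offline backups and patching",
                                                   probability_factor=0.5, vulnerability_factor=0.25))
    print("\n".join(reg.monitor()))
```

Running the block prioritises the payroll database (exposure 120) over the customer portal (60) and the wiki (5); after the constructed counter-measure halves the ransomware probability and cuts the vulnerability to a quarter, R1 drops to a residual exposure of 15 and is closed, while the monitoring step keeps flagging R3 because it is still above appetite and has no Risk Owner.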
Important Terminologies & Definitions:
- The Risk Register is the database which keeps track of identified risks and subsequent counter-measures.
- In ITIL, the Risk Register is also termed the Risk Log.
Business Impact and Risk Analysis:
- Business Impact Analysis (BIA) and Risk Analysis are concepts associated with ITIL Risk Management & IT Service Continuity Management.
- Their ultimate goal is to identify those risks that are to be managed through risk mitigation measures.
Process and Asset Valuation:
- An estimated value of a process, or of other assets used in the business. This value is an important input to Risk Analysis.
Risk Management Policy:
- This Policy Document describes and communicates the organization’s approach to managing risk.
- Most importantly, it defines how risk is detected and who is in charge of specific risk management duties.
- The Risk Owner is the person responsible for implementing risk mitigation measures and for their ongoing maintenance.
ITIL Risk Management Roles and Responsibilities:
- The Risk Manager is the Process Owner of the ITIL Risk Management process.
- The Risk Manager is responsible for identifying, assessing, controlling and monitoring risks. This covers every activity of the process, such as asset identification, value assessment, impact assessment, implementation of risk mitigation, and risk monitoring.
- From the ITIL point of view, the Risk Manager role works in parallel with the Availability Manager and the IT Service Continuity Manager.
We hope that you have enjoyed the above article describing Risk Management - ITIL V3 Process. Stay with us to explore free training on leading technologies and certifications.
Leave us a comment if you have any questions or doubts about the ITIL Risk Management Framework; we would be very happy to help you.