The latest ITIL 4 IT service management (ITSM) body of knowledge brought about many changes to the ITIL v3/2011 best practices. These “structural” and approach-based changes have been documented in many, many blogs such as “New ITIL 4 Features and What They Mean for Your Organization.” But less has been written about the new and changed processes/practices – there are now 34 ITIL 4 practices, replacing the 26 ITIL v3/2011 processes (and four functions). One of these new practices is risk management, the detail of which we outline in this blog.
“Risk management? That was definitely part of ITIL v3/2011”
You’d be right in saying or thinking this. Risk management has long been part of the ITIL ITSM best practice guidance. But it’s only with ITIL 4 that it has become a practice in its own right. You can think of it as finding everything you need to know about risk management in a single place rather than reading a little bit here and a little bit there among the other ITIL processes/practices.
So, if you want to know more about risk management in the context of ITSM, then the ITIL 4 Practice Guide for Risk Management is for you – it’s a 38-page document that’s available for download from the AXELOS website (along with the other 33 ITIL practice guides via subscription).
An overview of the ITIL 4 risk management “explanations”
The first thing to note is that this is now an overarching approach to risk management within ITIL. To quote the Practice Guide’s purpose statement:
“The purpose of the risk management practice is to ensure that the organization understands and effectively handles risks. Managing risk is essential to ensuring the ongoing sustainability of an organization and co-creating value for its customers. Risk management is an integral part of all organizational activities and therefore central to the organization’s service value system (SVS).”
Source: AXELOS, Risk Management ITIL 4 Practice Guide (2020)
The guidance covers the key risk management “pieces” – from risk capacity and risk appetite, through risk registers, to the various possible treatments of risk:
- Risk avoidance – Prevent the risk by not performing the risky activity
- Risk modification/reduction – Implement controls to reduce the likelihood or impact of the risk
- Risk sharing – Reduce the impact by passing some of the risk to a third party
- Risk retention/acceptance – Intentionally decide to accept the risk because it’s below an acceptable threshold (and within the risk appetite of the organization).
All four of the above descriptions are from the ITIL 4 Practice Guide.
An overview of the ITIL 4 risk management scope
The Risk Management ITIL 4 Practice Guide is quick to point out the breadth of scope of risk management – that many of the management practices described in ITIL 4 require risk management. For example:
- Continual improvement – because risk management covers opportunities (positive risks) in addition to negative risks
- Information security management – managing risks that relate to information confidentiality, integrity, and availability, as well as other aspects of information security
- Problem management – because the potential cause of incidents is a risk
- Project management – managing project risks
- Service continuity management – as this is a control used to manage a variety of risks
- Service level management – related to risks that might affect service levels.
Plus, there are ITSM activities related to risk management that are described in the relevant ITIL 4 practice guides. For example, the:
- Implementation of changes to mitigate risks (in multiple practice guides)
- Cost control, financial evaluation of risks, and risk mitigation options (in service financial management)
- Definition of vision and strategic objectives for risk management (in strategy management).
An overview of the ITIL 4 risk management guidance
The ITIL 4 risk management guidance covers a variety of important areas, starting with what it highlights as practice success factors (PSFs):
- “Establishing governance of risk management
- Nurturing a risk management culture and identifying risks
- Analysing and evaluating risks
- Treating, monitoring, and reviewing risks.”
Example key metrics are offered against each of these PSFs. For instance, for the last of the above four PSFs, the example key metrics are:
- Percentage of risks on the risk register with a clearly documented treatment plan and next action date
- Percentage of risks on the risk register that have been reviewed in the last six months
- Percentage of controls that have been subject to a control review and audit within the last six months.
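As an added illustration (this is not code from the Practice Guide or from the original post), the following Python computes those three metrics over a small, constructed risk register and also lists risks whose next action date has passed. The six-month window is approximated as 182 days, the treatment vocabulary is the four options listed earlier, and all class names, field names and sample entries are assumptions made for the example:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumption: "within the last six months" approximated as 182 days;
# the guide states the metric but not a calendar rule.
REVIEW_WINDOW = timedelta(days=182)
TREATMENTS = {"avoid", "modify", "share", "retain"}   # the four options above


@dataclass
class Control:
    name: str
    last_audit: Optional[date] = None      # None: never reviewed/audited


@dataclass
class Risk:
    risk_id: str
    title: str
    treatment: str
    treatment_plan: Optional[str] = None   # documented plan text, None if absent
    next_action: Optional[date] = None     # next action date, None if not set
    last_reviewed: Optional[date] = None   # None: never reviewed
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")


def _recent(d: Optional[date], today: date) -> bool:
    """True if d is set and falls within the review window ending today."""
    return d is not None and today - d <= REVIEW_WINDOW


def _pct(numerator: int, denominator: int) -> float:
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def psf_metrics(register: list[Risk], today: date) -> dict[str, float]:
    """The three example metrics for the 'treating, monitoring, and reviewing' PSF."""
    with_plan = [r for r in register if r.treatment_plan and r.next_action is not None]
    reviewed = [r for r in register if _recent(r.last_reviewed, today)]
    controls = [c for r in register for c in r.controls]
    audited = [c for c in controls if _recent(c.last_audit, today)]
    return {
        "pct_with_plan_and_date": _pct(len(with_plan), len(register)),
        "pct_reviewed_6m": _pct(len(reviewed), len(register)),
        "pct_controls_audited_6m": _pct(len(audited), len(controls)),
    }


def overdue_actions(register: list[Risk], today: date) -> list[str]:
    """Risk IDs whose next action date is already in the past."""
    return [r.risk_id for r in register
            if r.next_action is not None and r.next_action < today]


def sample_register(today: date) -> list[Risk]:
    """Constructed sample data; dates are expressed relative to 'today'."""
    d = lambda days: today - timedelta(days=days)
    return [
        Risk("R1", "Unpatched internet-facing VPN appliance", "modify",
             treatment_plan="Patch within vendor SLA; add IPS signature",
             next_action=today + timedelta(days=14), last_reviewed=d(30),
             controls=[Control("Monthly patch cycle", d(60)),
                       Control("Perimeter IPS", d(300))]),
        Risk("R2", "Backup provider outage", "share",
             treatment_plan="Contractual credits and secondary provider",
             next_action=None, last_reviewed=d(150),
             controls=[Control("Secondary backup provider", d(10))]),
        Risk("R3", "Minor printer firmware exposure on isolated VLAN", "retain",
             treatment_plan=None, next_action=None, last_reviewed=d(100)),
        Risk("R4", "Legacy FTP service", "avoid",
             treatment_plan="Decommission service",
             next_action=d(7), last_reviewed=None,
             controls=[Control("Firewall rule review", None)]),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 30)
    reg = sample_register(today)
    print(psf_metrics(reg, today))
    print("overdue:", overdue_actions(reg, today))
```

With this sample, R1 and R4 have both a plan and a date (50.0%), R1, R2 and R3 were reviewed inside the window (75.0%), two of the four controls were audited inside it (50.0%), and R4 is the only overdue action. The point is that the metrics are only as good as the register's dates: a risk with a plan but no next action date, or a control with no recorded audit date, counts against the organisation rather than being silently ignored.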
There are also three risk management processes:
- Governance of risk management
- Risk identification, analysis, and treatment
- Risk monitoring and review.
With detailed guidance for each, along with further guidance – as with all ITIL 4 practices – on organizations and people, information and technology, and partners and suppliers.
As you can imagine, this 800-word blog only skims the surface of the 38-page Risk Management ITIL 4 Practice Guide. But hopefully, it’s provided you with some important insight as to what’s included in the guide and how it can be applied within your organization. If you have any comments or queries, please let us know in the comments.