ITIL & Risk Management: How Do They Relate?

Sophie Danby, June 28, 2023

ITIL and Risk Management are closely related. They're both focused on helping organizations run their IT departments efficiently and, most importantly, safely. But here's the thing. The relationship between the two hasn’t always been clearly defined. That is, until the latest version of ITIL launched in 2019. 

A new version of ITIL is always exciting in the IT Service Management (ITSM) world, and dedicated guidance on the Risk Management practice was a very welcome inclusion.

This article will outline how ITIL 4 defines Risk Management. Then, because addressing threats is all about effective and measurable actions, we will explain the Risk Management processes described in the framework, the main roles and responsibilities involved, best practices to follow, and some practical examples.

Let's go!

The ITIL Risk Management framework

Let's start with the basics. ITIL defines risk as "a possible event that could cause harm or loss or make it more difficult to achieve objectives." It also encompasses the uncertainty of outcome and can be used to measure the probability of positive and negative outcomes.

In other words, a risk is anything that could harm or disrupt service provision or introduce unpredictability into the service environment.

ITIL 4 covers Risk Management as a General Management practice within the Service Value System (SVS). The framework defines the purpose of the practice as "to ensure that the organization understands and effectively handles risk."

Think about it like this: if we don't know or understand our current or future risks, how can we take the appropriate measures? If threats aren't logged, assessed, and investigated, how do we know the most appropriate course of action to take?

Risk Management is the practice that ensures that risks are managed effectively, reducing the overall threat level to your organization. It also anticipates and mitigates danger, making it a must for proactive support practices.

Risk Management processes in ITIL 4

The Risk Management practice coordinates risk-related activities across the ITIL framework and ensures that risks are identified, recorded, and treated.

The ITIL guidance recognizes that to manage IT services effectively and in a cost-effective way, risk must be under control. This is essential to ensuring your support model operates sustainably and that IT services remain fit for purpose and fit for use.

Basically, Risk Management is integral to all organizational activities and central to the organization's SVS. 

But it’s not all theory. ITIL also provides the guidelines to address Risk Management. The framework breaks down and describes several sub-practices:

  • Risk Management Support - It coordinates the activities across the Risk Management practice. It sets out the roles and responsibilities of all practice stakeholders, including identifying risk, assessing it based on a risk matrix, and managing it appropriately and in line with organizational guidelines.

  • Business impact and risk analysis - It measures the impact of risk on the organization and the probability of the risk event occurring.

  • Assessment of required risk mitigation - It defines the appropriate risk mitigation activities and ensures that each risk has an owner responsible for it to ensure nothing can be lost, ignored, or forgotten about.

  • Risk monitoring - It is responsible for continuously monitoring the progress of risk mitigation and ensuring that the appropriate action has been taken. This is also the sub-practice that can most easily feed into Continual Improvement, as it includes recommendations for future improvements where applicable.

ITIL Risk Management matrix

In combination with these practices, assigning priority to risks is essential to know where to start. Using a matrix can be a helpful way to assign a tangible and agreed score to risk in a way that makes sense to your team. It also removes the whole "I'm not sure how to score this - let's just assign everything a high score" scenario because, again, if everything is a high priority - what do you address first? 

To build your ITIL Risk Management matrix, score each risk on two dimensions: probability (the likelihood of the risk event occurring) and impact (the severity of the consequences if it does occur). The position of a risk in the probability-versus-impact grid gives its priority.

Here is a simple risk matrix that you can use to score risks in your organization:

[Risk matrix table: Probability / Impact; probability rows include Highly Likely.]

ITIL Risk Management best practices

To implement Risk Management processes, the framework also describes best practices to guide your work.

To be effective, risks need to be:

  • Identified and added to a risk register so nothing is missed or forgotten. If it's on the risk register, it will be communicated to your wider GRC community and visible to all.

  • Assessed so that the remediation activity can be prioritized based on the probability and impact defined in the matrix.

  • Treated as appropriate. Treating a risk can mean different things, but in general, typical risk treatment options include:
    • Avoidance - Structure your IT service delivery to be proactive and avoid the risk occurring in the first place. An example could be having a second service desk technician double-check the laptop configuration before it is sent to the end-user to ensure that it is set up correctly.

    • Mitigation - Changing service delivery to minimize the effects of risk that we know will happen frequently. We all know the pain that dropped or damaged mobile phones can cause to both service desks and end-users alike. The service desk has to take the time to rebuild and configure the phone entirely, and the customer doesn’t have a phone until this can be done. This risk can be mitigated by using protective cases and screen protectors.

    • Planned contingency - Having a plan to address the risk when it occurs. A classic ITIL example is the definitive hardware store or DHS (a term from earlier ITIL versions; ITIL v3 calls it definitive spares): a stock of pre-configured devices, such as laptops and mobile phones, that can be swapped in quickly if something is lost or damaged.

    • Shifting the risk - Sometimes we all need extra help. This treatment option (often called risk transfer) brings in a third party to deal with the risk on your behalf, for example relying on an external supplier to maintain print and scanning equipment when it is hard to retain that expertise in-house. Note that when you shift a risk you cannot shift the accountability: you are still ultimately responsible for the service. Capture everyone's responsibilities at a contractual level and put the appropriate SLAs and contracts in place so that everyone knows what is expected of them.

    • Acceptance of risk - If a risk cannot be addressed with the options above, the organization may accept it as too difficult or too expensive to control. Accepted risks should nevertheless be revisited periodically to confirm that acceptance is still the most appropriate action.
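The matrix scoring described earlier and the identify / assess / treat rules above, as one added example that is not code from ITIL, AXELOS or InvGate: a small Python risk register that scores each entry as probability level times impact level, ranks the register so the team knows where to start, and flags the two things that most often go wrong in practice: a risk with no owner, and an accepted risk whose periodic review is missing or overdue. The level names, the 1-5 numbers, the priority thresholds, the treatment vocabulary and the sample risks are all assumptions made for this illustration; swap in whatever matrix your organization has agreed.

```python
"""Risk register with a probability/impact matrix: an added illustration,
not code from ITIL, AXELOS or InvGate. The level names, the 1-5 scores,
the priority thresholds, the treatment vocabulary and the sample risks are
all assumptions made for this example; replace them with your agreed matrix.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed ordinal scales. ITIL 4 does not prescribe these labels or numbers.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "highly likely": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Treatment options from the best-practices list above ("shifting" = transfer).
TREATMENTS = {"avoid", "mitigate", "contingency", "transfer", "accept"}


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str          # key of PROBABILITY
    impact: str               # key of IMPACT
    treatment: str            # member of TREATMENTS
    owner: Optional[str] = None
    review_date: Optional[date] = None  # required when treatment == "accept"

    def score(self) -> int:
        """Matrix cell value: probability level times impact level (1..25)."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def priority(self) -> str:
        """Assumed thresholds: 15 and above high, 6-14 medium, below 6 low."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 6:
            return "medium"
        return "low"


def findings(risk: Risk, today: date) -> list[str]:
    """Return every check this register entry fails (empty list = well-formed)."""
    out: list[str] = []
    if risk.probability not in PROBABILITY:
        out.append(f"unknown probability level {risk.probability!r}")
    if risk.impact not in IMPACT:
        out.append(f"unknown impact level {risk.impact!r}")
    if risk.treatment not in TREATMENTS:
        out.append(f"unknown treatment {risk.treatment!r}")
    if not risk.owner:
        out.append("no risk owner assigned")
    if risk.treatment == "accept":
        # Accepted risks must be revisited periodically, so a review date is mandatory.
        if risk.review_date is None:
            out.append("accepted risk has no review date")
        elif risk.review_date < today:
            out.append(f"accepted risk review overdue since {risk.review_date.isoformat()}")
    return out


def triage(register: list[Risk], today: date) -> tuple[list[tuple[str, str, int]], dict[str, list[str]]]:
    """Score the register and surface entries that need attention.

    Returns (ranked, flagged): ranked lists (risk_id, priority, score) with the
    highest score first; flagged maps risk_id to its findings. An entry with an
    unknown probability or impact level cannot be scored and is only flagged.
    """
    ranked: list[tuple[str, str, int]] = []
    flagged: dict[str, list[str]] = {}
    for r in register:
        problems = findings(r, today)
        if problems:
            flagged[r.risk_id] = problems
        if r.probability in PROBABILITY and r.impact in IMPACT:
            ranked.append((r.risk_id, r.priority(), r.score()))
    ranked.sort(key=lambda entry: entry[2], reverse=True)
    return ranked, flagged


# Constructed sample register reusing the article's own scenarios.
TODAY = date(2023, 6, 28)
SAMPLE_REGISTER = [
    Risk("R-001", "Laptop shipped with wrong configuration", "likely", "minor", "avoid", owner="Service desk lead"),
    Risk("R-002", "Dropped or damaged mobile phones", "highly likely", "moderate", "mitigate", owner="End-user computing"),
    Risk("R-003", "Print/scan maintenance expertise not retained in-house", "possible", "major", "transfer", owner="Vendor manager"),
    Risk("R-004", "Unsupported application cannot be upgraded", "unlikely", "severe", "accept", owner="Application owner", review_date=date(2023, 1, 15)),
    Risk("R-005", "Single phone line into the service desk", "possible", "moderate", "contingency"),  # owner never assigned
]

if __name__ == "__main__":
    ranked, flagged = triage(SAMPLE_REGISTER, TODAY)
    for risk_id, prio, score in ranked:
        print(f"{risk_id}  score={score:2d}  priority={prio}")
    for risk_id, problems in flagged.items():
        print(f"{risk_id}: " + "; ".join(problems))
```

Running the script ranks R-002 first (score 15, high) and lists R-004 as overdue for review and R-005 as ownerless. The point of `findings` is that a register entry is not "done" just because it has a score: the assessment-of-mitigation sub-practice requires an owner, and acceptance is only valid while someone is still re-checking it.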

As you can imagine, with service desk software, several ITIL Risk Management best practices are taken care of. For instance, you can leverage InvGate Service Desk’s features to implement a proactive approach to IT and avoid risks from happening in the first place. Remember that you can explore its capabilities with our 30-day free trial!

Roles and responsibilities in ITIL Risk Management

The Risk Management practice depends on several roles to perform effectively. These roles include:

Risk Manager - The practice owner of the ITIL Risk Management practice. Key responsibilities include:

  • The day-to-day running of Risk Management.
  • Creation of the Risk Management policy, which sets out the organization's approach to risk.
  • Maintaining the risk register.
  • Updating key stakeholders on risk remediation activity.
  • Supporting other practices with risk mitigation activity.

Risk Analyst - Supports the Risk Manager in their duties.

Risk Owner - The person responsible for implementing the mitigation measures for a specific risk.

Wrapping up

Risk Management ensures that risks are handled throughout their whole lifecycle: they are identified, assessed, treated, and monitored. As such, it is central to a strong and proactive ITSM practice and helps protect your organization, reducing unnecessary costs and downtime.

Although it hadn’t been addressed in detail in the previous versions, ITIL 4 incorporated Risk Management as part of the general management practices. This advancement is useful for many reasons, but particularly because it provides knowledge, guidelines, and processes to define the scope of the practice and systematically address threats. 

Plus, it means that your service desk can take care of most tasks oriented to treat risk. If you want to know more about what InvGate Service Desk can do for you in this area, you can always book a quick call with our experts so that they can help you out.

Frequently Asked Questions

Is Risk Management part of ITSM? 

Yes, Risk Management is absolutely part of ITSM. It's a general practice within the Service Value System in the ITIL framework and supports other practices for effective and safe Service Management.

What's the difference between risk and impact in ITIL? 

Risk is a possible event that could cause harm or loss to the organization, scored by combining its probability with its impact, whereas impact is the severity of the consequences the organization suffers if that particular risk event actually occurs.
