Aligning Risk Management with ITIL

Management of Risk (M_o_R)

Transcript of Aligning Risk Management with ITIL

Page 1: Aligning Risk Management with ITIL

Management of Risk (M_o_R)

Page 2: Aligning Risk Management with ITIL

What is M_o_R®?

M_o_R® is a route map for risk management.

Page 3: Aligning Risk Management with ITIL

What is ITIL?

Information Technology Infrastructure Library (ITIL) is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of business.

Page 4: Aligning Risk Management with ITIL

What is Risk Management?

Risk management is the systematic application of principles, approaches and processes to the tasks of identifying and assessing risks and then planning and implementing risk responses.

Page 5: Aligning Risk Management with ITIL

What is a risk?

“an uncertain event which, should it occur, will have an effect on the achievement of objectives”

Could be:

- Good: OPPORTUNITY

- Bad: THREAT

“Expect the best, plan for the worst, and prepare to be surprised”

Dwight Eisenhower

Page 6: Aligning Risk Management with ITIL

Risk is a combination of:

Probability of a perceived threat or opportunity occurring, and magnitude of its impact on objectives

ADDITIONAL DEFINITIONS:

Risk Appetite

Risk Tolerance

Page 7: Aligning Risk Management with ITIL

An opportunity or not?

Would you do it once?

Would you do it again?

Page 8: Aligning Risk Management with ITIL

When and where should risk management be applied?

Top-down approach:

- Strategic: Long term (continuous, ad-hoc)

- Programme: Medium term (all programs)

- Project: Short term (all projects)

- Operational: Business as usual (continuous, ongoing, everyday)

Decisions:

- Decisions on business strategy

- Decisions transforming strategy into action

- Decisions required for implementing actions

Page 9: Aligning Risk Management with ITIL

What does M_o_R offer?

M_o_R® Principles - derived from corporate governance principles in the recognition that risk management is a subset of any organization's internal controls.

M_o_R® Processes - describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled.

M_o_R® Approach needs to be agreed and defined using:

Embedding and Reviewing

Page 10: Aligning Risk Management with ITIL

M_o_R Framework

Page 11: Aligning Risk Management with ITIL

Risks in ITIL

Page 12: Aligning Risk Management with ITIL

Implementing Risk Management in ITIL

Process and critical analysis:

- Problem Management: There is proactive and reactive management, with the goal of reducing the impact of service outages. There is no specification of how the actions that need to be done (e.g. a disaster recovery plan) are predicted and implemented.

- Change Management: Good change management techniques and approaches help reduce risks, minimize the potential negative impact of change, and reduce the risk of an undesirable outcome. What techniques and approaches should be implemented?

- Service Delivery: Services must be maintained, so it is important to have a careful design. Besides the careful design, how to maintain service delivery must be specified, as well as plans to recover from threats.

- Availability Management: Focuses on reliability and on how to put in place alternative options to ensure the service continues.

- IT Service Continuity: Assesses risk to ensure overall continuity for the business. There is no specification on how to implement risk management across all modules.

Page 13: Aligning Risk Management with ITIL

M_o_R Principles

Aligns with objectives

Fits the context

Engages stakeholders

Provides clear guidance

Informs decision-making

Facilitates continual improvement

Creates a supportive culture

Achieves measurable value.

Page 14: Aligning Risk Management with ITIL

M_o_R Approach

Central to the approach is the creation of a set of documentation comprising:

Risk management policy

Risk management process guide

Risk management strategies for each organization activity

Three Categories of documentation

Records

Plans

Reports

Page 15: Aligning Risk Management with ITIL

M_o_R Processes

Identify

Assess

Plan

Implement

Page 16: Aligning Risk Management with ITIL

M_o_R Process Broken Down

IDENTIFY and ASSESS

Identify

- Context

- Risks

Assess

- Estimate

- Evaluate

PLAN and IMPLEMENT

Plan Responses

Implement

Page 17: Aligning Risk Management with ITIL

Embedding Risk Management

Starts with the principles

Changing the culture for risk Management

Measuring the Value

Overcoming the common Barriers to Success

Page 18: Aligning Risk Management with ITIL

Mapping M_o_R to ITIL Process

Page 19: Aligning Risk Management with ITIL

M_o_R on Service Strategy

Page 20: Aligning Risk Management with ITIL

M_o_R on Service Strategy

M_o_R on Service Design

Page 21: Aligning Risk Management with ITIL
Page 22: Aligning Risk Management with ITIL

M_o_R in Service Portfolio Management Sub-Process

Page 23: Aligning Risk Management with ITIL

- Embedding the principles;

- Changing the culture for risk management;

- Measuring the value;

- Overcoming the common barriers to success;

- Identifying and establishing opportunities for change.

Alignment of M_o_R Embedding & Reviewing with ITIL Continual Service Improvement

Page 24: Aligning Risk Management with ITIL

Design by Austin Songer

Page 25: Aligning Risk Management with ITIL

Service Strategy - Example

Page 26: Aligning Risk Management with ITIL

Service Strategy - Service Portfolio Management

Service Portfolio Management is all about managing the service portfolio.

M_o_R SPM Sub-Processes

- Identify, Assess and Plan on Defining and Analyzing new or changed Services;

- Assess and Plan on Approve new or changed Services;

- Implement on Service Portfolio Review.

Critical Success Factors are:

- Create planned and unplanned services that fit customer necessities;

- Determine the capability of services and adjust it according to the number of customers;

- Keep the Service Portfolio up-to-date.

Page 27: Aligning Risk Management with ITIL

Service Portfolio Management (Cont.)

Potential risk: Creation of a service that is not aligned with the organization's strategy or organization/customer.

Key risk factors: Decrease/increase of customer satisfaction. Decrease/increase of customers.

Strategic response: Analyze the impacts on existing services and the creation of new services in the organization and determine the assets required to offer the service.

Potential risk: Not keeping the Service Portfolio up-to-date.

Key risk factors: Number of services registered in the Service Portfolio. Frequency of activity on the Service Portfolio.

Strategic response: After approval, the service must be formally identified in the Service Portfolio and communicated to the organization. Creation of a Service Portfolio Review Report, a document containing the results and findings from a Service Portfolio Review.

Page 28: Aligning Risk Management with ITIL

Service Transition -

Example

Page 29: Aligning Risk Management with ITIL

Service Transition

The objective of ITIL Service Transition is to build and deploy IT services. Service Transition also makes sure that changes to services and Service Management processes are carried out in a coordinated way while controlling the risks of failure and disruption.

Page 30: Aligning Risk Management with ITIL

Associated Risks

Change in accountabilities;

Alienation of some key support;

Additional unplanned costs;

Resistance to change;

Excessive costs to the business;

Knowledge sharing;

Lack of maturity and integration of systems;

Poor integration between the processes;

Loss of productive hours.

Page 31: Aligning Risk Management with ITIL

Service Transition - Evaluation

In M_o_R, the following sub-steps are mapped in Evaluation:

- Identify and Plan on Change Evaluation prior to Planning;

- Assess on Change Evaluation prior to Build;

- Assess and Implement on Change Evaluation prior to Deployment;

- Assess and implement on Change Evaluation after Deployment.

Page 32: Aligning Risk Management with ITIL

Service Transition - Service Asset and Configuration Management

- Identify on Configuration Identification;

- Assess and Plan on Configuration Control;

- Implement on Configuration Verification and Audit.

Page 33: Aligning Risk Management with ITIL

The Challenges of Risk Management

To measure risk properly

To structure good risk management across the entire organization

To sensitize the organization to the importance of having a well-structured and documented risk management process

Page 34: Aligning Risk Management with ITIL

Recommendations

ITIL should develop a “Risk Management” process

There would be two new processes created

Risk Management – Scope Identification

Risk Management

Service Strategy: Risk Management – Scope Identification

Service Design: Risk Management
