barcelona

more panorama pictures

excel

1 click excel macro tool

ITIL 4 Managing Professional Certification Course: Direct, Plan and Improve (DPI) - Governance, Risk and Compliance

1. Governance

General Decision-making Direct, Plan and Improve

All decisions made in an organization must align with the mission and strategy

Governance structures: board of directors, shareholders and audit committee

Internal controls are created to align with the governance structure:

  • Risk management
  • Financial, operational, and compliance controls
 itil 4

Governance decisions are at the highest levels of the organization:

  • Teams will also make decisions via delegation
  • Must have consistent and achieve required outcomes to continue to have the decision-making authority

Scope of control will make or break decision-making:

  • Too narrow of a scope, decisions are pushed upwards, slowing down work
  • Too wide a scope, decisions are out of alignment

Define (or check) scope of control through risk tolerance measures

 itil 4

Direct:

  • Dictates the parameters of direction
  • Direction given to all groups must support governance direction
  • Conflicts between governance direction and local management direction can lead to difficulties

Plan:

  • Every plan must support the governance direction of the organization
  • Many plans are specifically intended to ensure compliance or alignment with strategic objectives defined by governing bodies
  • Plans should ensure understanding of what success looks like
  • Changes to governance direction should result in updates to all related plans

Improve:

  • Many improvements directly or indirectly improve compliance
  • Improving processes, practices, and value streams
  • Every aspect of the service value system contributes to achieving strategic objectives, and is subject to continual improvement
 itil 4

2. Risk management

Risks & controls Direction Plan & improve

Risk: a possible event that could cause harm or loss, or make it more difficult to achieve objectives. Can also be defined as uncertainty of outcome and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes

Must understand risk in order to maximize results (and minimize harm or loss)

Manage risks with controls (countermeasures):

  • Organizational/procedural (policies, processes, training…)
  • Logical/technical (scripting, automation, required fields…)
  • Physical (electronic badge entry system, metered intake valve…)

Risk management should be continuous. Risk information should be available when decisions are being made

Long‐term goals:

  • Define risk appetite and risk thresholds
  • Risks associated with strategic decisions may be seen well in the future so evaluate and review decisions regularly, not just once at the time they are made
  • Portfolio management determines risks to products, services, projects etc.

Medium-term goals: risks are usually managed within programs and projects

Short-term goals: operational risk management must support long-term and medium-term

All plans must consider how risks will be managed by considering alternate approaches, such as iteration, to reduce risk

All improvement actions must consider how risks will be managed including the risk of doing nothing

Risks must be actively managed through the life of the plan/improvement

 itil 4

3. Control/Compliance

Controls should be sufficient but not excessive. Each control put in place in an organization must produce the desired result, without creating unintended undesirable consequences. To do this, it is necessary to take the human factor into consideration when designing controls. Controls that don’t meet the purpose they were designed for may as well not exist. Consider people:

  • If you force people to do something, compliance is at risk:
    • Staff may do what is needed to deliver the business result (the risk is distorting or circumventing the intended control)
    • A control that is easy to follow will be effective
    • A control that is hard to follow will be circumvented by staff
    • Consider automated controls, staff don’t need to think about fulfilling or following the controls
  • Avoid excessive measurements
  • A focus on value will identify the most important measurements. If measurements are used to assess people then they will meet the numbers, even if it breaks the organization.
 itil 4 itil 4

Go back to ITIL 4 Managing Professional Certification Course: Direct, Plan and Improve (DPI) to finish this chapter or to the main page ITIL 4 Managing Professional Certification Course.

Interesting Management