ITIL 4 Strategic Leader Certification Course: Practices - Risk Management (RM)

Purpose: to ensure that the organization understands and effectively handles risks

Levels of risk management:

  • Strategic risk management: long-term risks that may impact the achievement of the mission
  • Program and project risk management: risks that may impact mid-term goals and objectives
  • Operational risk management: risks that may impact short-term goals and objectives

Every service removes some risk from the consumer but also imposes additional risk on the consumer – the balance between the two is the value proposition of the service

1. Practice success factors (PSF)

Four PSFs for RM:

  • Establishing governance of risk management
  • Nurturing a risk management culture and identifying risks
  • Analyzing and evaluating risks
  • Treating, monitoring, and reviewing risks

1.1 Establish governance

Governance of risk requires an understanding of two different concepts:

  • Risk capacity: the maximum amount of risk an organization can bear (typically bounded by the damage to reputation, assets, etc. that it could survive)
  • Risk appetite: the amount of risk the organization is willing to accept in pursuit of its objectives (should always be less than the risk capacity)

Define both through organizational governance, which sets the boundaries within which practitioners operate

There should be regular discussion at board meetings of the governance of risk, risk capacity, risk appetite, and strategic risks

1.2 Nurture a risk management culture

Once a risk is identified, document it in a risk register (a record of identified risks, their current status, and their history)

Risks are not easy to identify; people must feel safe to report mistakes made by themselves or others without fear of reprisal. Identifying and reporting risks must be everyone's responsibility

A risk management culture is open and honest

1.3 Analyze and evaluate risks: qualitative analysis

Qualitative risk analysis:

  • Impact
  • Likelihood

Plot each risk on an impact/likelihood grid, assign it an overall risk rating from the cell it lands in, record the rating in the risk register, and then decide on preventive or mitigating actions

1.4 Analyze and evaluate risks: quantitative analysis

Quantitative risk analysis expresses impact in financial or other numerical terms, and likelihood becomes a probability or frequency

This type of analysis can be used within a business case to justify investments:

  • Annual rate of occurrence (ARO): how often a specific risk is expected to occur in a single year, estimated from how frequently the risk is likely to occur. An event expected once every 50 years has an ARO of 0.02 (2%). Note that ARO is a frequency, not a probability: an event expected monthly has an ARO of 12
  • Single loss expectancy (SLE): the expected loss each time the risk occurs, calculated from the average cost incurred when the risk happens; typically expressed in financial terms
  • Annualized loss expectancy (ALE): the expected financial loss due to a risk, averaged over a one-year period. ALE = SLE × ARO. The result can be compared with the annual cost of controls so an informed decision can be made (e.g., how much to invest in managing a specific risk)

Quantitative analysis is time-consuming, so use both types: rate every risk qualitatively and, when a risk's qualitative rating exceeds a set threshold, dive deeper using quantitative methods
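The following is added example code, not part of the course notes, showing the two-pass approach described in 1.3 and 1.4: every risk in a small register gets a rating from an impact/likelihood grid, and only risks at or above a threshold band are worked through to SLE, ARO and ALE and compared against the annual cost of a control. The 3x3 grid, its banding, the "medium" threshold and all sample risks and figures are assumptions for illustration, not values prescribed by ITIL.

```python
"""Qualitative grid rating for every risk, quantitative SLE/ARO/ALE only
above a threshold, and a control-cost comparison for the treatment decision.
Example code for these notes; grid, banding, threshold and sample figures
are assumed values, not ITIL-prescribed ones."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed 3x3 grid: impact and likelihood are scored 1..3 and multiplied.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}


def qualitative_rating(impact: str, likelihood: str) -> str:
    """Band the grid product: 1-2 low, 3-4 medium, 6-9 high (assumed banding)."""
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Assumed policy: ratings at or above this band get quantitative analysis.
QUANTITATIVE_THRESHOLD = "medium"
RATING_ORDER = ["low", "medium", "high"]


def aro_from_interval(years_between_events: float) -> float:
    """ARO from a mean interval: one event every 50 years -> 0.02.
    ARO is a frequency, so an event recurring several times a year gives ARO > 1."""
    return 1.0 / years_between_events


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return round(sle * aro, 2)


@dataclass
class Control:
    name: str
    annual_cost: float
    sle_after: float  # residual loss per event with the control in place
    aro_after: float  # residual frequency with the control in place


@dataclass
class Risk:
    risk_id: str
    description: str
    impact: str
    likelihood: str
    sle: Optional[float] = None
    aro: Optional[float] = None
    control: Optional[Control] = None
    # Register fields filled in by evaluate(): current status plus history.
    rating: str = ""
    ale: Optional[float] = None
    decision: str = ""
    history: list = field(default_factory=list)


def evaluate(risk: Risk) -> Risk:
    """Qualitative pass first; quantitative pass only above the threshold."""
    risk.rating = qualitative_rating(risk.impact, risk.likelihood)
    risk.history.append(f"qualitative rating {risk.rating}")
    if RATING_ORDER.index(risk.rating) < RATING_ORDER.index(QUANTITATIVE_THRESHOLD):
        risk.decision = "accept and monitor"
        return risk
    if risk.sle is None or risk.aro is None:
        risk.decision = "needs quantitative analysis"
        return risk
    risk.ale = ale(risk.sle, risk.aro)
    risk.history.append(f"ALE {risk.ale:.2f}")
    if risk.control is None:
        risk.decision = "treat: identify a control"
        return risk
    # A control is justified when the ALE it removes exceeds what it costs per year.
    saving = risk.ale - ale(risk.control.sle_after, risk.control.aro_after)
    if saving > risk.control.annual_cost:
        risk.decision = f"treat: implement {risk.control.name}"
    else:
        risk.decision = f"accept: {risk.control.name} costs more than it saves"
    risk.history.append(f"saving {saving:.2f}/yr vs control cost {risk.control.annual_cost:.2f}/yr")
    return risk


def build_register() -> list:
    """Constructed sample register; every figure here is illustrative."""
    return [evaluate(r) for r in [
        Risk("R1", "Ransomware outage of the order system", "high", "possible",
             sle=500_000, aro=aro_from_interval(5),
             control=Control("offline backups with tested restores", 30_000,
                             sle_after=100_000, aro_after=aro_from_interval(5))),
        Risk("R2", "Data-centre flood", "high", "rare",
             sle=1_000_000, aro=aro_from_interval(50),
             control=Control("relocate data centre", 200_000, sle_after=0, aro_after=0)),
        Risk("R3", "Stale contact list for the on-call rota", "low", "rare"),
    ]]


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.risk_id} [{r.rating}] ALE={r.ale} -> {r.decision}")
```

R1 rates high and its ALE of 100,000 drops to 20,000 with the control, so a 30,000/year control is justified; R2 rates medium, but with an ALE of 20,000 (the page's once-in-50-years case) a 200,000/year control is not, so the risk is accepted and reviewed; R3 rates low and never enters the quantitative pass.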

1.5 Treat, monitor, and review risks

Document accepted risks, communicate them to stakeholders, and regularly review them for changes in probability, impact, or the cost of controls

Where a risk is to be treated rather than simply accepted, design and implement suitable controls (a control is a method to mitigate or overcome a risk)

Define appropriate controls across all four dimensions of service management. Regularly review controls for compliance, and define the actions to be taken if a control is not being followed
