Risk: a possible event that could cause harm or loss, or make it more difficult to achieve objectives:
Purpose of risk management: ensure organization understands risks and handles them effectively
Risk management approach depends on:
Digital assets are everywhere: inside and outside the organization, hosted by cloud service providers, in mobile apps… (this requires everyone to be aware of the organization’s risk management activities and to actively contribute to assessment and mitigation)
Successful digital organizations take small, calculated risks in order to reduce their overall exposure to risk (prototypes; minimum viable products)
Organization’s governing body is responsible for implementing a risk management framework (risk/audit committee performs ongoing maintenance)
1. Managing strategic risk
Digital organizations have great opportunities but must also manage the possibility of disruption and risk (an organization that manages neither goes out of business)
Tactical risk management: identify ways to manage existing risk as well as new threats and vulnerabilities
Strategic risk management: ensure success of the organization in an environment where rules have changed due to digital technology
2. Risk identification
Most frameworks include risk categories:
3. DICE risks
Disruption risks: factors that threaten to disrupt the organization’s business model
Innovation risks: innovation is inherently risky; develop and test in controlled environments; understand the risk appetite and the purpose of the innovation
Cybersecurity risks: digital organizations run on data, which makes them targets for malicious acts; rely on threat intelligence and ensure that identified risks are mitigated
Engagement risks: success depends on a range of stakeholders; what if the organization engages with the wrong partner, or its engagement model does not detect changes in stakeholders?
4. Assess risks: qualitative
Determine the likelihood that a risk will occur and the impact it would have (used to prioritize the risks that need to be treated first)
Risk matrix:
Scenario-based:
5. Assess risks: quantitative
Attempts to place a monetary value on each risk; expensive and complex, requiring research and analysis
Quantitative calculations:
6. Risk posture
Key message: an organization’s overall approach to identifying, analyzing, planning for, responding to, and managing risk
Part of developing a strategy is understanding how much risk an organization is willing to accept:
Risk attitude: typical response to risk, based on risk capacity, appetite, tolerance, and thresholds:
7. Risk treatment or mitigation
How the organization prepares for and lessens the impact of the risk via policies, plans, processes, and tools
Risk treatment/mitigation categories:
8. Developing a risk-informed mindset/culture
Executives determine an organization’s risk posture and attitude, and thereby its risk culture
Risk-aware is not the same as risk-averse: avoid overreaction and be prepared for events
Within digital organizations:
Go back to ITIL 4 Strategic Leader Certification Course: Risk and Opportunities to finish this chapter or to the main page ITIL 4 Strategic Leader Certification Course.