Risk Management: Difference between revisions
Latest revision as of 11:52, 31 December 2023
Objective: The objective of ITIL Risk Management is to identify, assess and control risks. This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.
Part of: Service Design
Process Owner: Risk Manager
Process Description
Risk management is not on the list of official ITIL 2011 processes, but concepts for dealing with risks are described in several ITIL processes, and ITIL calls for "coordinated risk assessment exercises". So there are good reasons for organizations to define and implement a risk management process, and at IT Process Maps we decided to introduce a specific Risk Management process as part of the ITIL® Process Map.
Having a basic Risk Management process in place will provide a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in the ITIL V3 books).
Following the introduction of Design Coordination in ITIL 2011, the information flows have been adapted slightly. The process overview of ITIL Risk Management (.JPG) shows the key information flows (see fig. 1).
ITIL 4 refers to 'Risk Management' as a general management practice.
Sub-Processes
These are the ITIL Risk Management sub-processes and their process objectives:
Risk Management Support
- Process Objective: To define a framework for Risk Management. Most importantly, this process specifies how risk is quantified, what risks the organization is willing to accept, and who is in charge of the various Risk Management duties.
Business Impact and Risk Analysis
- Process Objective: To quantify the impact on the business that a loss of a service or asset would have, and to determine the likelihood that a threat or vulnerability will actually materialize. The result of the "Business Impact and Risk Analysis" is the Risk Register, a prioritized list of risks which must subsequently be addressed.
Assessment of Required Risk Mitigation
- Process Objective: To determine where risk mitigation measures are required, and to identify Risk Owners who will be responsible for their implementation and ongoing maintenance.
Risk Monitoring
- Process Objective: To monitor the progress of countermeasure implementation, and to take corrective action where necessary.
Definitions
The following ITIL terms and acronyms (information objects) are used in the ITIL Risk Management process to represent process outputs and inputs:
Business Impact and Risk Analysis
- Business Impact Analysis (BIA) and Risk Analysis are concepts associated with Risk Management. Their ultimate goal is to identify which risks must be managed and addressed by risk mitigation measures.
Process and Asset Valuation
- An estimate of the value a process or other asset represents for the business. This value is an important input for Risk Analysis.
Risk Management Policy
- The Risk Management Policy describes and communicates the organization’s approach to managing risk. Most importantly, it defines how risk is quantified and who is in charge of specific risk management duties. The Risk Management Policy is maintained by the Risk Manager role, but to be effective it needs the backing of senior management.
Risk Register
- The Risk Register is a tool used by the Risk Management process to keep an overview of identified risks and the corresponding countermeasures. The Risk Register is sometimes referred to as the Risk Log.
Roles | Responsibilities
Risk Manager - Process Owner
- The Risk Manager is responsible for identifying, assessing and controlling risks. This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.
| ITIL Role / Sub-Process | Risk Manager | Other roles involved |
|---|---|---|
| Risk Management Support | A[1]R[2] | - |
| Business Impact and Risk Analysis | AR | R[3] |
| Assessment of Required Risk Mitigation | AR | - |
| Risk Monitoring | AR | - |
Remarks
[1] A: Accountable according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the ITIL Risk Management process.
[2] R: Responsible according to the RACI Model: Those who do the work to achieve a task within Risk Management.
[3] Availability Manager, IT Service Continuity Manager, Information Security Manager, Compliance Manager, and Supplier Manager (see → Role descriptions)
Notes
By: Stefan Kempter, IT Process Maps.