Risk Management: Difference between revisions

From IT Process Wiki
No edit summary
Line 1: Line 1:
<seo metakeywords="itil risk management, risk management itil, itil risk management process, risk management process" metadescription="Risk Management: ITIL process definition - subprocesses - Additional information on ITIL Risk Management." />
<seo metakeywords="itil risk management, risk management itil, itil risk management process, risk management process" metadescription="Risk Management: ITIL process definition - Sub-processes - Terms - Additional information on ITIL Risk Management." />
<imagemap>
<imagemap>
Image:ITIL-Wiki-de-es.jpg|DE - ES - Risk Management|100px
Image:ITIL-Wiki-de-es.jpg|DE - ES - Risk Management|100px
Line 8: Line 8:
<br style="clear:both;"/>
<br style="clear:both;"/>


== ITIL Risk Management: Overview ==
<p>&nbsp;</p>


'''Process Objective''': To identify, assess and control risks. This includes analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.
==<span id="ITIL Risk Management">Overview</span>==
 
'''Objective''': The objective of ''ITIL Risk Management'' is to identify, assess and control risks. This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.


'''Part of''': [[ITIL V3 Service Design|Service Design]]
'''Part of''': [[ITIL V3 Service Design|Service Design]]


'''Process Owner''': [[Risk Management#Additional Information on Risk Management|Risk Manager]]
'''Process Owner''': [[Risk Management#Risk Manager|Risk Manager]]


<br style="clear:both;"/>
<p>&nbsp;</p>


== ITIL Risk Management: Process Definition ==
== Process Description ==


[[Image:Itil-risk-management.jpg|left|thumb|350px|alt=Risk Management ITIL|[https://wiki.en.it-processmaps.com/images/pdf/process_overview_risk_management_itilv3.pdf ITIL Risk Management]]]
[[Image:Itil-risk-management.jpg|right|thumb|375px|alt=Risk Management ITIL|[https://wiki.en.it-processmaps.com/images/pdf/process_overview_risk_management_itilv3.pdf ITIL Risk Management]]]


Risks are addressed within several processes in ITIL V2 and ITIL V3; there is, however, no dedicated Risk Management process. ITIL V3 calls for “coordinated risk assessment exercises”, so at IT Process Maps we decided to assign clear responsibilities for managing risks, which meant introducing a specific Risk Management process as part of the [https://en.it-processmaps.com/products/itil-process-map.html ITIL&reg; Process Map V3].
Risks are addressed within several processes in ITIL; there is, however, no dedicated Risk Management process. ITIL calls for "coordinated risk assessment exercises", so at IT Process Maps we decided to assign clear responsibilities for managing risks, which meant introducing a specific Risk Management process as part of the [https://en.it-processmaps.com/products/itil-process-map.html ITIL&reg; Process Map].


Having a basic Risk Management process in place will provide a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in the ITIL V3 books).
Having a basic Risk Management process in place will provide a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in the ITIL V3 books).


The following sub-processes are part of [[Risk Management|ITIL Risk Management]]:
Following the introduction of [[ITIL Design Coordination|Design Coordination]] in '''''ITIL 2011''''' the information flows have been adapted slightly. The process overview of [[Media:Itil-risk-management.jpg|ITIL Risk Management (.JPG)]] is showing the most important interfaces (see Figure 1).
<br style="clear:both;"/>
 
<p>&nbsp;</p>
 
== Sub-Processes ==
 
These are the ITIL Risk Management sub-processes  and their process objectives:
 
<p>&nbsp;</p>


=== Sub-Processes ===
;<span id="ITIL Risk Management Support">Risk Management Support</span>
:Process Objective: To define a framework for Risk Management. Most importantly, this process specifies how risk is quantified, what risks the organization is willing to accept, and who is in charge of the various Risk Management duties.


;Business Impact and Risk Analysis
;<span id="ITIL Risk Analysis">Business Impact and Risk Analysis</span>
:Process Objective: To quantify the impact to the business that a loss of service or asset would have, and to determine the likelihood of a threat or vulnerability to actually occur. The result of the "[[Risk Management#Business Impact and Risk Analysis|Business Impact and Risk Analysis]]" is the [[Risk Management#Risk Register|Risk Register]], a prioritized list of risks which must be subsequently addressed.
:Process Objective: To quantify the impact to the business that a loss of service or asset would have, and to determine the likelihood of a threat or vulnerability to actually occur. The result of the "[[Risk Management#Business Impact and Risk Analysis|Business Impact and Risk Analysis]]" is the [[Risk Management#Risk Register|Risk Register]], a prioritized list of risks which must be subsequently addressed.


;Assessment of Required Risk Mitigation
;<span id="ITIL Risk Management Assessment">Assessment of Required Risk Mitigation</span>
: Process Objective: To determine where risk mitigation measures are required, and to identify Risk Owners who will be responsible for their implementation and ongoing maintenance.
: Process Objective: To determine where risk mitigation measures are required, and to identify Risk Owners who will be responsible for their implementation and ongoing maintenance.


;Risk Monitoring
;<span id="Risk Monitoring ITIL">Risk Monitoring</span>
:Process Objective: To monitor the progress of counter measure implementation, and to take corrective action where necessary.
:Process Objective: To monitor the progress of counter measure implementation, and to take corrective action where necessary.


<br style="clear:both;"/>
<p>&nbsp;</p>
 
== Definitions ==
 
The following ITIL terms and acronyms (''information objects'') are used in ITIL Risk Management to represent process outputs and inputs:


=== ITIL Terms: Risk Management ===
<p>&nbsp;</p>


;<span id="Business Impact and Risk Analysis">Business Impact and Risk Analysis</span>
;<span id="Business Impact and Risk Analysis">Business Impact and Risk Analysis</span>
Line 48: Line 62:


;<span id="Process and Asset Valuation">Process and Asset Valuation</span>
;<span id="Process and Asset Valuation">Process and Asset Valuation</span>
:An estimate of the value a process or other asset represents for the business. This value is an important input for Risk Analysis.  
:An estimate of the value a process or other asset represents for the business. This value is an important input for [[Risk Management#Business Impact and Risk Analysis|Risk Analysis]].  


;<span id="Risk Management Policy">Risk Management Policy</span>
;<span id="Risk Management Policy">Risk Management Policy</span>
:The Risk Management Policy describes and communicates the organization’s approach to managing risk. Most importantly, it defines how risk is quantified and who is in charge of specific risk management duties.  
:The Risk Management Policy describes and communicates the organization’s approach to managing risk. Most importantly, it defines how risk is quantified and who is in charge of specific risk management duties.  
:The Risk Management Policy is maintained by the Risk Manager role, but to be effective it needs the backing of senior management.  
:The Risk Management Policy is maintained by the [[Risk Management#Risk Manager|Risk Manager]] role, but to be effective it needs the backing of senior management.  


;<span id="Risk Register">Risk Register</span>
;<span id="Risk Register">Risk Register</span>
:The Risk Register is a tool used by the Risk Management process to keep an overview of identified risks and corresponding counter measures. The Risk Register is sometimes referred to as the Risk Log.  
:The Risk Register is a tool used by the Risk Management process to keep an overview of identified risks and corresponding counter measures. The Risk Register is sometimes referred to as the ''Risk Log''.  


<br style="clear:both;"/>
<p>&nbsp;</p>


== Additional Information on Risk Management ==
== Roles | Responsibilities ==


==== ITIL Roles ====
;<span id="Risk Manager">Risk Manager - Process Owner</span>
:The Risk Manager is responsible for identifying, assessing and controlling risks.
:This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.


;Risk Manager - Process Owner
<p>&nbsp;</p>
:The Risk Manager is responsible for identifying, assessing and controlling risks.
 
:This includes analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.
{| border="1" align="center" cellpadding="5" cellspacing="0" style="text-align:center;" valign="top"
|-
| valign="top"  colspan="6" style="background:#ffffdd;" align="center"| '''Responsibility Matrix: ITIL Risk Management'''
|-
!  width="50%" align="center" style="background:#ffffee;" | ITIL Role | Sub-Process
! style="background:#ffffee;" | [[Risk Management#Risk Manager|Risk Manager]]
! style="background:#ffffee;" | Other roles involved
|-
| align="left" |[[#ITIL Risk Management Support|Risk Management Support]]
| A[[Risk Management#Accountable|<small>[1]</small>]]R[[Risk Management#Responsible|<small>[2]</small>]]
|
|-
| align="left" |[[#ITIL Risk Analysis|Business Impact and Risk Analysis]]
| AR
| R[[Risk Management#ITIL Roles|<small>[3]</small>]][[#ITIL Risk Management Group|<small>[4]</small>]]
|-
| align="left" |[[#ITIL Risk Management Assessment|Assessment of Required Risk Mitigation]]
| AR
|
|-
| align="left" |[[#Risk Monitoring ITIL|Risk Monitoring]]
| AR
|
|-
|}


<br style="clear:both;"/>
<p>&nbsp;</p>


== Downloads ==
'''Remarks'''


==== Overview ITIL Risk Management ====
<span id="Accountable">[1] ''A: Accountable'' according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the ITIL Risk Management process.</span>


{|
<span id="Responsible">[2] ''R: Responsible'' according to the RACI Model: Those who do the work to achieve a task within Risk Management.</span>
| valign="top" |
Use the following links to open the process overview of Risk Management showing the most important interfaces:


* [[Media:Itil-risk-management.jpg|ITIL Risk Management (.JPG)]]
<span id="ITIL Roles">[3] see [[Roles within ITIL V3|&#8594; Role descriptions]]</span>
* [https://wiki.en.it-processmaps.com/images/pdf/process_overview_risk_management_itilv3.pdf ITIL Risk Management (.PDF)]''
| valign="top" |
[[Image:Itil-risk-management.jpg|thumb|150px|left|none|alt=Risk Management ITIL|ITIL Risk Management at a glance]]
|-
|}


<span id="ITIL Risk Management Group">[4] Availability Manager, IT Service Continuity Manager, Information Security Manager, Compliance Manager, and Supplier Manager.


<p>&nbsp;</p>


<!-- This page is assigned to the following categories: -->
<!-- This page is assigned to the following categories: -->
[[Category:ITIL V3]][[Category:ITIL process]][[Category:Service Design|Risk Management]][[Category:Risk Management|!]]
[[Category:ITIL V3]][[Category:ITIL 2011]][[Category:ITIL process]][[Category:Service Design|Risk Management]][[Category:Risk Management|!]]
<!-- --- -->
<!-- --- -->

Revision as of 11:38, 27 November 2011

<seo metakeywords="itil risk management, risk management itil, itil risk management process, risk management process" metadescription="Risk Management: ITIL process definition - Sub-processes - Terms - Additional information on ITIL Risk Management." />

DE - ES - Risk Managementdiese Seite auf Deutschesta página en español
DE - ES - Risk Management


 

Overview

Objective: The objective of ITIL Risk Management is to identify, assess and control risks. This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.

Part of: Service Design

Process Owner: Risk Manager

 

Process Description

Risk Management ITIL
ITIL Risk Management

Risks are addressed within several processes in ITIL; there is, however, no dedicated Risk Management process. ITIL calls for "coordinated risk assessment exercises", so at IT Process Maps we decided to assign clear responsibilities for managing risks, which meant introducing a specific Risk Management process as part of the ITIL® Process Map.

Having a basic Risk Management process in place will provide a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in the ITIL V3 books).

Following the introduction of Design Coordination in ITIL 2011 the information flows have been adapted slightly. The process overview of ITIL Risk Management (.JPG) is showing the most important interfaces (see Figure 1).

 

Sub-Processes

These are the ITIL Risk Management sub-processes and their process objectives:

 

Risk Management Support
Process Objective: To define a framework for Risk Management. Most importantly, this process specifies how risk is quantified, what risks the organization is willing to accept, and who is in charge of the various Risk Management duties.
Business Impact and Risk Analysis
Process Objective: To quantify the impact to the business that a loss of service or asset would have, and to determine the likelihood of a threat or vulnerability to actually occur. The result of the "Business Impact and Risk Analysis" is the Risk Register, a prioritized list of risks which must be subsequently addressed.
Assessment of Required Risk Mitigation
Process Objective: To determine where risk mitigation measures are required, and to identify Risk Owners who will be responsible for their implementation and ongoing maintenance.
Risk Monitoring
Process Objective: To monitor the progress of counter measure implementation, and to take corrective action where necessary.

 

Definitions

The following ITIL terms and acronyms (information objects) are used in ITIL Risk Management to represent process outputs and inputs:

 

Business Impact and Risk Analysis
The Business Impact Analysis (BIA) identifies Vital Business Functions (VBFs) and their dependencies. These dependencies may include suppliers, people, other business processes, services etc.. The Risk Analysis identifies threats and vulnerabilities to business assets, and indicates how vulnerable each asset is to those threats.
Process and Asset Valuation
An estimate of the value a process or other asset represents for the business. This value is an important input for Risk Analysis.
Risk Management Policy
The Risk Management Policy describes and communicates the organization’s approach to managing risk. Most importantly, it defines how risk is quantified and who is in charge of specific risk management duties.
The Risk Management Policy is maintained by the Risk Manager role, but to be effective it needs the backing of senior management.
Risk Register
The Risk Register is a tool used by the Risk Management process to keep an overview of identified risks and corresponding counter measures. The Risk Register is sometimes referred to as the Risk Log.

 

Roles | Responsibilities

Risk Manager - Process Owner
The Risk Manager is responsible for identifying, assessing and controlling risks.
This includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.

 

Responsibility Matrix: ITIL Risk Management
ITIL Role | Sub-Process Risk Manager Other roles involved
Risk Management Support A[1]R[2]
Business Impact and Risk Analysis AR R[3][4]
Assessment of Required Risk Mitigation AR
Risk Monitoring AR

 

Remarks

[1] A: Accountable according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the ITIL Risk Management process.

[2] R: Responsible according to the RACI Model: Those who do the work to achieve a task within Risk Management.

[3] see → Role descriptions

[4] Availability Manager, IT Service Continuity Manager, Information Security Manager, Compliance Manager, and Supplier Manager.