Process: A34 - Risk Management
Identifying risks to IT and mitigating those risks. (Note: This process is described at the activity level only.)
Purpose

The Risk Management process exists to identify risks associated with the activities of the IT endeavor and to make measured, appropriate responses to mitigate, ignore, avoid or transfer those risks in line with the desired level of risk tolerance.

Description

Outcomes

As a result of successful implementation of this process:

  • All of the activities carried out within IT support the desired risk posture while providing the maximal benefit
  • The business and IT are able to appropriately respond to threats and opportunities
  • Minimal risk exists in the fulfillment of fiduciary responsibilities to stakeholders of the business

Scope

This process provides the overall framework in which risks are handled. Other processes within IT work in conjunction with this process to ensure that specific risk areas are adequately responded to and covered.

Risks arise from a variety of internal and external sources and span strategic, tactical, and operational activities. Consideration of risk covers the potential opportunity (upside) of a risk event occurring, in addition to the more traditional consideration of possible downside outcomes.

Includes

  • External risk sources [1] such as:
    • Financial: interest rates, foreign exchange, credit
    • Strategic: competition, industry and customer changes, mergers and acquisition integration
    • Operational: regulations, culture, board composition
    • Hazard: natural events, environment, contracts
  • Internal risk sources:
    • Employees
    • Information systems
    • Accounting controls
    • Cash flow
    • Research and development
    • Facilities
  • Risk workshops
  • Mitigation strategies

Excludes

  • Identification of compliance requirements and controls (Compliance Management)
  • Security-specific risk management (Security Management), though overall decision making is part of this process
  • Implementation and operation of the recommended risk controls (responsibility of the target IT processes)
  • Business Continuity Management (Business responsibility in conjunction with IT Service Continuity Management)

Key performance indicators

  • Number of identified risks
  • Average risk probability
  • Average probability of top 100 risks
  • Number of implemented controls
  • Number of controls implemented on an emergency basis

Relation to other processes

  • Project proposals must be assessed for risks before initiating projects (Program and Project Management). In addition, programs and projects are monitored for risks in an ongoing manner.
  • New solutions are assessed for risks before completion (Solution Analysis and Design).
  • Identified risks are important for creating the Security Policy (Security Management). Security reports also provide a basis for assessing the effectiveness of controls.

For more information

For more information, see Risk Management in the ITIL® documentation.

[1] Taken from A Risk Management Standard. The Institute of Risk Management. 2002.

Properties

  • Event Driven:
  • Multiple Occurrences:
  • Ongoing:
  • Optional:
  • Planned: Yes
  • Repeatable: Yes