Submit Search
Upload
Management of Risk and its integration within ITIL
•
14 likes
•
10,007 views
H
hdoornbos
Follow
Integration of a Risk Management process with ITIL Framework
Read less
Read more
Technology
Report
Share
Report
Share
1 of 41
Download now
Download to read offline
Recommended
ISMS Requirements
ISMS Requirements
humanus2
Top management role to implement ISO 27001
Top management role to implement ISO 27001
PECB
Iso 31000 presentation
Iso 31000 presentation
christianaegerter1
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB
BUSINESS CONTINUITY PLANNING AND RISK MANAGEMENT
BUSINESS CONTINUITY PLANNING AND RISK MANAGEMENT
Continuity and Resilience
Governance, risk and compliance framework
Governance, risk and compliance framework
Ceyeap
Security Metrics Program
Security Metrics Program
Cydney Davis
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB
Recommended
ISMS Requirements
ISMS Requirements
humanus2
Top management role to implement ISO 27001
Top management role to implement ISO 27001
PECB
Iso 31000 presentation
Iso 31000 presentation
christianaegerter1
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB
BUSINESS CONTINUITY PLANNING AND RISK MANAGEMENT
BUSINESS CONTINUITY PLANNING AND RISK MANAGEMENT
Continuity and Resilience
Governance, risk and compliance framework
Governance, risk and compliance framework
Ceyeap
Security Metrics Program
Security Metrics Program
Cydney Davis
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
Aligning Risk Management with ITIL
Aligning Risk Management with ITIL
Austin Songer
An Introduction to Risk Management for Healthcare Institution - ROJoson
An Introduction to Risk Management for Healthcare Institution - ROJoson
Reynaldo Joson
ISO 31000 risk management process
ISO 31000 risk management process
Muizz Anibire
ITSM Foundation Course Material
ITSM Foundation Course Material
stefanhenry
ISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009
Ahmad Azwang Aisram Omar
CMMI Implementation Guide
CMMI Implementation Guide
Vishnuvarthanan Moorthy
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
PECB
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
Ramiro Cid
What is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
Jack Nichelson
PMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep Presentation
scottdreynolds
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
Assess Your Business Continuity Management Process
Assess Your Business Continuity Management Process
Anand Subramaniam
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)
Akshat Gupta
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
Goutama Bachtiar
ايزو27001أسس ومبادئ
ايزو27001أسس ومبادئ
A. M. Wadi Qualitytcourse
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
InfosecTrain
Qatar Proposal
Qatar Proposal
Absar Husain
Information Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT Risks
Hernan Huwyler, MBA CPA
More Related Content
What's hot
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
Aligning Risk Management with ITIL
Aligning Risk Management with ITIL
Austin Songer
An Introduction to Risk Management for Healthcare Institution - ROJoson
An Introduction to Risk Management for Healthcare Institution - ROJoson
Reynaldo Joson
ISO 31000 risk management process
ISO 31000 risk management process
Muizz Anibire
ITSM Foundation Course Material
ITSM Foundation Course Material
stefanhenry
ISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009
Ahmad Azwang Aisram Omar
CMMI Implementation Guide
CMMI Implementation Guide
Vishnuvarthanan Moorthy
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
PECB
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
Ramiro Cid
What is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
Jack Nichelson
PMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep Presentation
scottdreynolds
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
Assess Your Business Continuity Management Process
Assess Your Business Continuity Management Process
Anand Subramaniam
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)
Akshat Gupta
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
Goutama Bachtiar
ايزو27001أسس ومبادئ
ايزو27001أسس ومبادئ
A. M. Wadi Qualitytcourse
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
InfosecTrain
What's hot
(20)
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
Aligning Risk Management with ITIL
Aligning Risk Management with ITIL
An Introduction to Risk Management for Healthcare Institution - ROJoson
An Introduction to Risk Management for Healthcare Institution - ROJoson
ISO 31000 risk management process
ISO 31000 risk management process
ITSM Foundation Course Material
ITSM Foundation Course Material
ISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Introduction to Risk Management ISO31000:2009
Introduction to Risk Management ISO31000:2009
CMMI Implementation Guide
CMMI Implementation Guide
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
What is iso 27001 isms
What is iso 27001 isms
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
PMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep Presentation
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Assess Your Business Continuity Management Process
Assess Your Business Continuity Management Process
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
ايزو27001أسس ومبادئ
ايزو27001أسس ومبادئ
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
Similar to Management of Risk and its integration within ITIL
Qatar Proposal
Qatar Proposal
Absar Husain
Information Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT Risks
Hernan Huwyler, MBA CPA
File000170
File000170
Desmond Devendran
CRISC Course Preview
CRISC Course Preview
Invensis Learning
D1 security and risk management v1.62
D1 security and risk management v1.62
AlliedConSapCourses
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
CPaschal
DDHI Board Report.ppsx
DDHI Board Report.ppsx
LaurenCampbell84
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
Accenture Operations
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
Erm talking points
Erm talking points
EnterpriseGRC Solutions, Inc.
Convergence innovative integration of security
Convergence innovative integration of security
ciso_insights
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Jacqueline Fick
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
EnterpriseGRC Solutions, Inc.
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
Third-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a Strategy
NICSA
S36169184
S36169184
American Research Journal of Humanities & Social Science
GRCAlert Capabilities Deck - 2018
GRCAlert Capabilities Deck - 2018
Richard Marti - Principal
Similar to Management of Risk and its integration within ITIL
(20)
Qatar Proposal
Qatar Proposal
Information Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT Risks
File000170
File000170
CRISC Course Preview
CRISC Course Preview
D1 security and risk management v1.62
D1 security and risk management v1.62
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
DDHI Board Report.ppsx
DDHI Board Report.ppsx
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
Erm talking points
Erm talking points
Convergence innovative integration of security
Convergence innovative integration of security
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Third-Party Risk Management: Implementing a Strategy
Third-Party Risk Management: Implementing a Strategy
S36169184
S36169184
GRCAlert Capabilities Deck - 2018
GRCAlert Capabilities Deck - 2018
Recently uploaded
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Sergiu Bodiu
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
comworks
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
charlottematthew16
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
LoriGlavin3
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Alfredo García Lavilla
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
RankYa
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Precisely
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Zilliz
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
NavinnSomaal
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Databarracks
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
Pixlogix Infotech
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
Commit University
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
Hervé Boutemy
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Fwdays
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
Sri Ambati
Recently uploaded
(20)
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
How to write a Business Continuity Plan
How to write a Business Continuity Plan
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
Management of Risk and its integration within ITIL
1.
1Copyright © Hervé
Doornbos 2015. All Rights Reserved MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL Version 1 – 06/06/2015 © 2015 - Hervé Doornbos
2.
2Copyright © Hervé
Doornbos 2015. All Rights Reserved Ⅲ RISK PROCESSES DETAILS Ⅰ INTRODUCTION INTEGRATING RISK WITHIN ITILⅡ MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
3.
3Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – ITIL OVERVIEW Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Service desk Technical Management IT Operations Management Application Management Phase Process Function Legend
4.
4Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – ITIL OVERVIEW Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Service desk Technical Management IT Operations Management Application Management Phase Process Function Legend Metrology Reporting Service Mgt. Office Project Mgt. Office Out-of-ITIL Function ITIL interfacing with other functions is current What about RISK ???
5.
5Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – RISK FRAMEWORK OVERVIEW Enterprise Risk Frameworks ERM COSO Enterprise Risk Management ISO 31000:2009 and its former IT security variant ISO27001:ISO27002 COBIT5 for Risks [Formerly RiskIT and ValIT] OGC Management of Risk M_o_R [and OGC M_o_V] ERM Maturity Model RIMS Risk Maturity Model (RMM) Other Risk Guidance / IT Risk processes CMMI-SVC Risk Management RSKM process TIK IT Risk Framework Project Risk Management (Prince2, PMP, …)
6.
6Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – RISK MANAGEMENT INTEGRATION WITHIN ITIL According to OGC, risk management is integrated throughout the service lifecycle and covers the following in ITIL Problem management • Proactive and reactive, with the goal of reducing the impact of service outages Change management • Help reduce risks, minimize the potential negative impact of change, and reduce the risk of an undesirable outcome Service delivery (SLM, SCM, Capacity, Availability, Financial) • Support easy maintenance of Services via a careful design Availability management • Focuses on reliability and putting in place alternative options to ensure the service continues IT service continuity • Assessing risk to ensure overall continuity for the business And also ‘Appendices’ referencing Risk Frameworks with a focus on OGC M_o_R “Decision-making should include determining any appropriate actions to take to manage the risks to a level deemed to be acceptable by the organization” (SS, appendix E)
7.
7Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – CRITICIZING RISK PRACTICE WITHIN ITIL Information about Risk Management found in ITIL book Section about "risks", containing definition of risk and information on Risk Management Framework Some clues about how to implement risk management across the framework Some clues about the tools and the risks that are already known Some risks are enumerated What is missing in ITIL book An explanation on how to proceed to cover risk management Guidelines on how to deal with enumerated risks A complete tool list for risk assessment with detailed information Despite M_o_R being referred to in ITIL Books, it is unclear if this is the official way to treat risk and how to implement this risk management framework in ITIL
8.
8Copyright © Hervé
Doornbos 2015. All Rights Reserved INTRODUCTION – WHY RISK MGT. ? IT RISK MGT. BENEFITS 1. Increased consistency and communication of risks within the IT organization Provides a standard terminology and conceptual framework for all members of IT organization Visualize the linkage between expectations and risks associated Share data and information relative to 'risks to achievement of objectives and plans' across IT 2. Enhanced reporting and analysis of IT risks, supporting better decisions Enable better informed and more believable plans, schedules and budgets Enable objective comparison of alternatives Increase the likelihood of delivery of desired outcomes 3. Improved focus, attention and perspective to risk data Provides a means to further identify and assess key risk indicators 4. More efficient and effective activities related to regulatory, compliance and audit matters Since risk data involves identifying and monitoring controls and mitigations relevant to various risks across IT, it provides an effective means for leveraging and reducing the effort and cost of such audits and reviews 5. More cost-effective management and monitoring of IT risks Through all of the benefits noted above
9.
9Copyright © Hervé
Doornbos 2015. All Rights Reserved EXISTING RISK FRAMEWORKS – RISK DEFINITION(S) As many definitions as Frameworks OGC: an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objective ISO: Effect (positive and/or negative deviation from the expected) of uncertainty (state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood) on objectives. Risk is often expressed in terms of a combination of the consequences of an event – including changes in circumstances – and the associated likelihood of occurrence COSO ERM TIK IT Risk Framework formula Other definitions may be found on http://en.wikipedia.org/wiki/IT_risk ( ) ( )AssetValuation ScoreMeasureCounter ThreatAssetityVulnerabil Risk × × = ( )BusinessImpactLikelihoodRisk ×=
10.
10Copyright © Hervé
Doornbos 2015. All Rights Reserved CONVENTIONS USED IN THIS DOCUMENT Scope Limited to IT Risks, as defined herein Definitions Threat • Anything that is capable of acting against an asset in a manner that can result in harm Event • Something that happens at a specific place and/or time Vulnerability • A weakness in design, implementation, operation or internal control Impact • The net effect on the achievement of business objectives Risk • A probable situation with frequency and magnitude of loss IT Risk • The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise Risk register • A repository of the key attributes of potential and known risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition
11.
11Copyright © Hervé
Doornbos 2015. All Rights Reserved CONVENTIONS USED IN THIS DOCUMENT Definitions (cont.) Risk profile • A representation at a given point in time of an organization’s overall exposure to a group of risks (i.e. a quantitative analysis of the types of threats an organization faces) Multiple risk profile may be developed, per business units, service, … or per any organization’s component Risk scenario • The description of an event that can lead to a business impact Countermeasure • Any process that directly reduces a threat or vulnerability Control activities • The means of managing risk, including policies, procedures, guidelines, practices or organizational structures Resilience • The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect Risk Avoidance • The process for systematically avoiding risk, constituting one approach to managing risk Risk Mitigation • The management of risk through the use of countermeasures and controls Risk Transfer • The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
12.
12Copyright © Hervé
Doornbos 2015. All Rights Reserved CONVENTIONS USED IN THIS DOCUMENT Threat Asset Event Threat, Asset, and Event having been illustrated, Risk = Event likelihood during a determined period of time (The result of the Event in this case is an Impact which magnitude is a Disaster) Images from http://www.iffo-rme.fr/le-risque-majeur
13.
13Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – CONCEPTS In the Unknown Universe, nothing can be anticipated, as in Star Trek. New situations occur sometimes, and we ignore what and when In the Uncertain Universe, we know which event could happen, but we don’t know when In the Risky Universe, we know all possible events and their probability or likelihood, exactly as when we play Russian roulette In the Secure Universe, all unacceptable risks have been eliminated using proper countermeasures Unknown Universe Uncertain Universe Risky Universe Secure Universe
14.
14Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – RISK DUALITY The word Risk refers to situations where the decision-maker can assign mathematical probabilities to the randomness of the situation Risk is however a dual term referring to Opportunity, which is a risk with positive effects Threat, which is a risk with negative effects Threat Destroyed value and/or Undelivered benefits • Unrealized or reduced business value • Missed business opportunities • Adverse events destroying value Opportunity Business benefits and/or Preserved value • New business opportunities • Enhanced business opportunities • Sustainable competitive advantage Risks must be Optimized
15.
15Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – RISK APPETITE AND TOLERANCE POLICIES Risk Appetite Amount of risk a company is prepared to accept when trying to achieve its objectives Can be defined in practice in terms of combinations of frequency and business impact of a risk Will be different amongst enterprises No absolute norm or standard of what constitutes acceptable and unacceptable risk Risk Tolerance Tolerable deviation from the level set by the risk appetite and business objectives The risk response cost affect the risk tolerance Ideally defined at the enterprise level and reflected in company policies May change over time depending of internal factors (new organization...) external factors (new technologies...)
16.
16Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – RISK OVER TIME – UNCERTAINTY Some risks are dynamic and require continual ongoing monitoring and assessment Other risks are more static and require reassessment on a periodic basis with ongoing monitoring triggering an alert to reassess sooner should circumstances change RevisionPoint RevisionPointInitial Strategy Revise Strategy Revise Strategy Risk Time Uncertainty increases with longer Time Horizon
17.
17Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – RISK OVER TIME – KEY RISK INDICATOR(S) Key Risk Indicators (KRIs) are indicators that are predictive regarding changes in the risk profile They enable timely action to be taken to deal with emerging issues Initial Strategy Revise Strategy Revise Strategy Risk Time Indicator KRIs TriggerPoint KRIs TriggerPoint
18.
18Copyright © Hervé
Doornbos 2015. All Rights Reserved BASICS OF RISK – LINKING OBJECTIVES TO KRIS Mapping ‘Risks’ to ‘IT Objectives’ via the ‘Critical Success Factors’ puts management in position to begin identifying the most critical metrics that can serve as leading Key Risk Indicators The link between the Risk and the KRI is often a ‘causal map’ (what is the root cause of the Event ?) GOAL Objective 1 (KGI1) Objective 2 (KGI2) CSF1 CSF2 CSF3 CSF4 CSF5 Risk 1 Risk 2 Risk 3 Risk 4 KRI 1 KRI 2 KRI 3 KRI 4
19.
19Copyright © Hervé
Doornbos 2015. All Rights Reserved Ⅲ RISK PROCESSES DETAILS Ⅰ INTRODUCTION INTEGRATING RISK WITHIN ITILⅡ MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
20.
20Copyright © Hervé
Doornbos 2015. All Rights Reserved INTEGRATING RISK WITHIN ITIL – TYPES OF INTEGRATION Mapping missing process(es) in ITIL Adoption of an Enterprise Risk Management (ERM) Framework and either one or both of: • Top-down integration of ITIL processes within ERM, creating original scenarios based on Enterprise objectives • Bottom-up integration of ITIL processes into ERM by adapting generic Risks Scenarios to ITIL phases Type II Type I
21.
21Copyright © Hervé
Doornbos 2015. All Rights Reserved Mapping missing process(es) in ITIL Adoption of an Enterprise Risk Management (ERM) Framework and either one or both of: • Top-down integration of ITIL processes within ERM, creating original scenarios based on Enterprise objectives • Bottom-up integration of ITIL processes into ERM by adapting generic Risks Scenarios to ITIL phases INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE II Ensure Full Alignment with Enterprise Objectives Requires an ERM Framework to be in place Drastic Enterprise change if ‘ex-nihilo’ project e.g.: OGC ITIL® and Corporate Risk Alignment Guide
22.
22Copyright © Hervé
Doornbos 2015. All Rights Reserved Mapping missing process(es) in ITIL Adoption of an Enterprise Risk Management (ERM) Framework and either one or both of: • Top-down integration of ITIL processes within ERM, creating original scenarios based on Enterprise objectives • Bottom-up integration of ITIL processes into ERM by adapting generic Risks Scenarios to ITIL phases INTEGRATING RISK WITHIN ITIL – INTEGRATION TYPE I Reinforce ITIL processes with Risk Elements Add Process(es) to ITIL scope Minor adaptation of ITIL processes Respond to limited category of Risk (mainly internal, tactical and operational) Suggested starting point for integrating Risk Management within ITIL
23.
23Copyright © Hervé
Doornbos 2015. All Rights Reserved INTEGRATING RISK WITHIN ITIL – TYPE I ADAPTED ITIL MODEL Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Prepare for Risk Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Risk Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Opportunities Prioritization Process Service desk Technical Management IT Operations Management Application Management Metrology Reporting Service Mgt. Office Project Mgt. Office Phase Process Function Legend Out-of-ITIL Function Added Process
24.
24Copyright © Hervé
Doornbos 2015. All Rights Reserved TYPE I ADAPTED ITIL MODEL – RESPOND TO OPPORTUNITIES Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Prepare for Risk Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Risk Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Opportunities Prioritization Process Phase Process Function Legend Out-of-ITIL Function Added Process Service desk Technical Management IT Operations Management Application Management Metrology Reporting Service Mgt. Office Project Mgt. Office Opportunity Management • B*Cases • Prioritizing Improvement Initiatives • Allocating resources Refer to my presentation “Adopting Continual Improvement – A practical viewpoint” Not presented here
25.
25Copyright © Hervé
Doornbos 2015. All Rights Reserved Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Prepare for Risk Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Risk Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Opportunities Prioritization Process TYPE I ADAPTED ITIL MODEL – RESPOND TO THREATS Service desk Technical Management IT Operations Management Application Management Metrology Reporting Service Mgt. Office Project Mgt. Office Threat Management • Risk sources and categories • Risk Strategy • Risk Evaluation • Risk Mitigation Risk Management Phase Process Function Legend Out-of-ITIL Function Added Process
26.
26Copyright © Hervé
Doornbos 2015. All Rights Reserved TYPE I ADAPTED ITIL MODEL – THREAT MGT. ELEMENTS • Risk • Key Risk Indicator (KRI) • Risk Response Threat Management Elements Service Strategy Strategy Management for IT Services Service Portfolio Management Financial Management for IT Services Demand Management for IT Services Business Relationship Management Prepare for Risk Management Service Design Design coordination Service Catalogue Management Service Level Management Capacity Management Availability Management IT Service Continuity Management Risk Management Information Security Management Supplier Management Service Transition Transition Planning and Support Service Asset and Configuration Management Change Management Release and Deployment Management Service Validation and Testing Change Evaluation Knowledge Management Service Operation Event Management Incident Management Access Management Request Fulfillment Problem Management Continual Service Improvement Seven-steps improvement process Opportunities Prioritization Process Service desk Technical Management IT Operations Management Application Management Metrology Reporting Service Mgt. Office Project Mgt. Office Phase Process Function Legend Out-of-ITIL Function Added Process
27.
27Copyright © Hervé
Doornbos 2015. All Rights Reserved Ⅰ INTRODUCTION Ⅲ RISK PROCESSES DETAILS INTEGRATING RISK WITHIN ITILⅡ MANAGEMENT OF RISK AND ITS INTEGRATION WITHIN ITIL
28.
28Copyright © Hervé
Doornbos 2015. All Rights Reserved OVERVIEW – WHOLE PROCESS Determine IT risk sources and categories Define Risk Parameters Establish a Risk Management Strategy Evaluate Risks Respond to Risks Monitor Risks Communication Service Strategy Prepare for Risk Management Service Design Risk Management
29.
29Copyright © Hervé
Doornbos 2015. All Rights Reserved OVERVIEW – LINKS BETWEEN IT RISK MGT. AND ITIL PROCESSES
30.
30Copyright © Hervé
Doornbos 2015. All Rights Reserved ROLE – IT RISK MGT. PROCESS OWNER Overall responsibility for the development and implementation of Risk Project Negotiate funding, scope, approach and timing of Risk Process deployment with IT management Define and regularly chair a Risk Committee which will set risk appetite and tolerance levels for IT in alignment with Business Objectives Write and submit the risk management policy to the Risk Committee Define and implement the risk management process Reinforce and formalize management commitment by clearly articulating the roles and responsibilities Sets up required organizational structures Ensure The parameters of the Risk Framework are set The Risk Profile is maintained Risk Reporting and Communication support risk-aware IT decisions May escalate to Risk Committee Establish and maintain a common Risk View Promote a risk-aware culture
31.
31Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT Prepare for risk management by establishing and maintaining a strategy for identifying, analyzing, and respond to risks Produces CSFs, risk scale, and main boundaries Main practices DetermineITrisk sourcesandcategories Top-down approach - Processes - CSF - Risk sources Bottom-up approach - Typical list of risk sources DefineRiskParameters - Consistent risk scale - Tolerance per-risk- category - Risk management requirements - Risk response bounds EstablishaRisk ManagementStrategy - Scope of the risk management effort - Methods, tools - Communication - Risk management plan
32.
32Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT List Risk Sources Top-down approach • List all implemented processes Critical Success Factor (CSF), then list all risk sources associated with them Bottom-up approach • Adapt a typical list of risk sources (from a framework) Collect and organize risks in categories – for example, using factors such as Phases of the work lifecycle Types of processes used Types of products used Work management risks (e.g., contract risks, budget risks, schedule risks, resource risks) Technical performance risks (e.g., quality attribute related risks, supportability risks) Phase 1 – Determine Risk Sources and Categories
33.
33Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT Define a scale to gauge risks Define consistent criteria for evaluating and quantifying risk likelihood and severity levels • One way of providing a common basis for comparing dissimilar risks is assigning financial values to the risk impact through a process of risk monetization • Often a “Impact X Frequency” matrix which is then translated in a risk level scale Categorize Risks and define tolerance parameters per-category Risk evaluation, categorization, and prioritization criteria Define risk management requirements Control and approval levels Reassessment intervals Define bounds to scope the extent of the risk management effort Objective of bounds is to avoid excessive resource expenditures Bounds can include the exclusion of a risk source from a category Phase 2 – Define Risk Parameters
34.
34Copyright © Hervé
Doornbos 2015. All Rights Reserved OUTPUT of this phase ITIL STRATEGY PHASE – PREPARE FOR RISK MANAGEMENT Scope of the risk management effort Methods and tools For example “IT asset valuation”, which can be done by assigning financial values to IT assets through a process of monetization (which can also be used for risk monetization) either by • Assigning IT costs to IT assets (purchase, licensing, maintenance…) • Valuing data stored in – and/or information flowing through – those IT assets • Looking at the business value supported by these IT assets, using the Configuration Management System Risk Communication plan The strategy should be documented in a risk management plan and reviewed with relevant stakeholders to promote commitment and understanding Phase 3 – Establish Risk Management Strategy
35.
35Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK MANAGEMENT Evaluate operational risks, respond to, and monitor them Main practices EvaluateRisks - Identify Risks - Analyze, Categorize, and Prioritize Risks - Maintain risk profile RespondtoRisks - Develop Risk Responses - Implement Validated Risk Responses MonitorRisks - Monitor KRIs to detect changes in Risk Profile - Monitor the progress of counter-measure implementation - Collect all necessary and relevant risk data - Communicate and report Prepare for Risk Mgt.
36.
36Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK MANAGEMENT Collect data and Identify Risks for the New Service Analysis of asset’s value to Business using valuation tools provided by the prepare phase Identification and classification of the threats to those assets using • Identified risk sources • Prepared risk classification (recorded in the risk register) Analyze, Categorize, and Prioritize Risks Evaluation of how vulnerable each asset is to its related threat Define KRIs for identified Risks, and their thresholds with associated actions or tolerance level Select risks above tolerance level as output for the 2nd phase of the risk management Maintain risk profile Record risks an associated data in the risk register Phase 1 – Evaluate Risks
37.
37Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK REGISTER RECORD Record Parts Record Detail Examples Risk Summary Risk Statement Risk Owner Risk Category Risk Rating (Copied from Risk Analysis Results) Risk Response Decision [Accept, Transfer, Mitigate, Avoid] Record Kept Up-to-date ? [Date of Last Assessment , Due Date for Update] Risk Description Title High Level Scenario Detailed Scenario [Actor, Threat Type, Event, Asset/ Resource, Timing] Risk Analysis Results Scenario Frequency Scenario Business Impact Rating [=F(Productivity Loss Rating, Cost of Response Rating, Competitive Advantage Rating, Legal Risk Rating] Risk Rating Risk Response Risk Response Decision [Accept, Transfer, Mitigate, Avoid] Detailed Response Description Status of Risk Action Plan [Overall Status, Major Issues, Completed Responses] Risk Indicators KRI for this Risk Controls
38.
38Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK MANAGEMENT Risk Response Options Accept • No action is taken relative to a particular risk, and loss is accepted when/if it occurs Mitigate • Reduce the risk through the use of countermeasures and controls Transfer • Process of assigning risk to another enterprise, (usually through the purchase of an insurance policy or by outsourcing the service) Avoid – when an unacceptable risk cannot be reduced, neither shared nor transferred • Exiting the activities or conditions that give rise to an unacceptable risk such as: – Declining to engage in a very large project when the B*Case shows a notable risk of failure – Deciding not to use a certain technology or software package because it would prevent future expansion Phase 2 – Respond to Risks ( Risks above tolerance level )
39.
39Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK MANAGEMENT Risk Response Selection Parameters Cost of response to reduce risk within tolerance level Risk Level Capability to Implement the Response Effectiveness of Response Efficiency of Response Develop & Prioritize Risk Response Example of prioritization matrix Build the B*Case when needed Choose the risk action plan Validated Risk Response Implement Validated Risk Responses Phase 2 – Respond to Risks Effectiveness / cost ratio RiskLevel Defer Business Case Quick Wins ( Risks above tolerance level )
40.
40Copyright © Hervé
Doornbos 2015. All Rights Reserved ITIL DESIGN PHASE – RISK MANAGEMENT Monitor KRIs to detect changes in Risk Profile Monitor Risk Proactively by monitoring KRIs When a determined threshold is reached, initiate appropriate management initiative in order to manage the Risk accordingly Monitor the progress of counter-measure implementation Take corrective action when and where required Collect all necessary and relevant risk data KRIs may be computed using and/or complemented by informative data Communicate and report As established in the Risk Communication Plan Operational & Tactical/Strategic Communication and Reporting Phase 3 – Monitor Risks
41.
41Copyright © Hervé
Doornbos 2015. All Rights Reserved ABOUT THE AUTHOR 20 years of Professional experience. 11 years in Infrastructure Outsourcing Services Certified ITIL v3 Expert Areas of Intervention Skills 20 years of IT Experience 11 years of experience in Infrastructure Outsourcing, with 5 years of experience as a Service Management consultant Definition and implementation of ITIL processes Continuous Service Improvement integration into processes 4 years as a Skill Group Manager 9 years as a technical expert Professional Experience Career SIDO & ONIC [2 years], Transiciel [2 years], Oracle [5 years], Capgemini [11 years] ITIL v3 / COBIT v5 / Lean IT IT Service Management Management Oracle Expert IT Service Management Multi-Sourcing SIAM Assets, Incident, Problem, Change, Release & Deploy, Configuration, Continual Improvement, Operational processes Hervé Doornbos
Download now