Risk Management - the lost process of ITIL V3

Is Risk Management the "lost process" of ITIL V3?

The ITIL V3 syllabus refers to an 'element' called Risk Management that students must learn. It is also defined in the ITIL V3 glossary.

Service Operation will own up to "management of risk", but not to describing a process called Risk Management.

And of course every book has a section on "risks".

But no book explicitly covers Risk Management.



Here's ORM guidance I recommend. It's the way I learned it. It works for people in the toughest of circumstances.


Cary King
Minerva Enterprises
Managing Partner

Oh yeah!


Now you're talking. I've been teaching ORM for years. Thanks for introducing this into the conversation!


Risk Management Discipline

Microsoft has created the Risk Management Discipline in their Microsoft Operations Framework. At first it was set apart from the other functions, and in their recently released version 4 it is part of the function Governance, Risk and Compliance. When you zoom in on Risk Management you'll find overlap with other functions/processes (pfff... it is difficult to stay politically correct), specifically problem management. When you talk about proactive problem management, you'll come into the realm of risk management. Specifically when discussing possible scenarios (what can go wrong and how can we prevent this from happening?)
In the Operations Management course I gave last week, I spent a good couple of hours on risk management. Every time I'm surprised to find that most system administrators (the course is meant for operations managers, team leaders and technical supervisors) have difficulty identifying risks in production. They can easily identify project management risks (or risks for change management), but not risks in the day-to-day running of IT services. And according to Forrester and others (I do not have the survey reports ready, so I'm now a prime target for the craptoid facts) about 80% of downtime is caused by changes that are implemented hastily and untested and by administrators not following procedures or just being sloppy. I feel that spending some time on identifying risks and coming up with ways to mitigate them will be very useful. Also, are workarounds for incidents not some kind of contingency plans in the Risk Management sense?



Maybe InfoSec should be deprecated and made a subsection of Risk Management? As a process, is InfoSec more important than Risk Management?

OGC has some guidance

Surprise! Outside of ITIL, OGC does offer guidance for Management of Risk.

You can find further information here: http://www.best-management-practice.com/Risk-Management-MoR/

Along with Prince2, COBIT, ASL, ISO2700n ... MoR is yet another

They sure do. Along with Prince2, COBIT, ASL, ISO2700n ... MoR is yet another body of knowledge neither integrated nor referenced by ITIL. Great, innit?

P.S. dropping the name once in the intro of a book does not constitute referencing a BOK

Maybe the pieces should be collected to a process...

...or maybe not.

There are many viewpoints to risks.

There are the risks that you need to think about when you are doing Service Design; there it is embedded somewhere around Availability and IT Service Continuity, as one would expect.

One should not forget the risks for the business, which I find are described in a quite interesting way in Service Strategy. We IT people certainly understand that whenever you start contemplating the possibility of using IT in some way you are in big danger anyway ;-). Some good viewpoints in the green book though, written in a bit of a novel way. But I guess that Service Strategy really represents the point in ITIL V3 where the new IT really needs to stretch the envelope, move out from the traditional comfort zone and learn the true reasons why organizations are hiring them to play with expensive toys.

Then we have the risk in Service Operation, pretty familiar to IT people.


Maybe not a new process, please. In that way there would be the same danger that we have with security or quality: "It's not MY task to think of them, it's the ________ people who are managing that". So in the same way that everybody is responsible for security or improving the quality, everybody should be thinking of the risks.

But it wouldn't be a bad idea to have some condensed guidance for that...



no centralised Risk Management function in IT

Welcome Seppo

It's a study topic, so one hopes there is some collated guidance somewhere.

I guess I agree with your points. It is not one of the itSMF's 27 processes, so long as we accept there is no centralised Risk Management function in IT. Do we?

plenty of Risk Mgt in ITIL - you just have to see it

It may not be ONE of these 27 'things', but it's definitely there: there's plenty of Risk Mgt in ITIL, you just have to recognize it.
In my definition, Risk Mgt is concerned with a few major activities:
- determine vulnerabilities
- identify risks
- analyze cause
- determine countermeasure
- take action
- evaluate.

If you now look at ITIL's Information Security Mgt, you'll recognize Risk Mgt. If you look at Capacity Mgt, you'll recognize it as well. Same for Availability Mgt, Continuity Mgt, or any other management function of a service quality parameter you've agreed upon in the SLA....

Of course, the functions Availability Mgt, Security Mgt, etcetera, cover more than just Risk Mgt: they also cover their Incident Mgt, Change Mgt, and the other three elementary processes of an IT organization.

Competing Frameworks?


Are the itSMFs 27 processes a competing framework? Last I knew they didn't have one! :-0


itSMF map ITIL V3 processes

itSMF systematically lists the processes in ITIL. See page 41 of this booklet.

you mean "itSMF-UK"

Skep - you're generalizing too much. That booklet was the product of itSMF-UK, and they obviously follow ITIL by the book, as usual. They may still own the brand name 'itSMF' but they do not represent 'the itSMF'. There are many others out there that now understand that there are only a few processes and many organizational functions described in ITIL, according to ITIL's own definition of 'process'. We have seen quite a few postings in your blog on that topic.
The latest itSMF publication analyses that very clearly in chapter 6.3 Functions and processes in IT management - Migrating from an ITIL reference model to a universal implementation model (see http://www.itsmbookshop.com/Media/SampleFiles/9789087531003smpl.pdf).
A must read for anyone not already infected by the belief that ITIL is a holy book.

Agree, I wouldn't create a function in IT

I see it a bit like Continual Service Improvement. When you look at CSI, it is very heavily dependent on the role of CSI Manager. He is the sort of torch bearer, evangelist or visionary person driving the CSI initiatives.

In the same manner, security and risk should be driven or promoted by someone and executed by processes and functions in various parts of the lifecycle.

Not a function in IT, but in larger organizations such a group or function could exist with a larger scope than just IT? After all, these are not just IT issues.


Good point, though within the ITIL world it is a requirement in the syllabus. So the students should have some understanding of the various points in the lifecycle where you should spend some effort in managing risk. COBIT would give you some additional handle on what particular actions and artifacts should result...