Risk Management (ITIL 4) – Process-Symphony – ITSM Knowledge Orchestrators

Risk Management (ITIL 4)

Parent Process Reference Framework: ITIL 4

Service Value Stream Activities

Highly impacted Service Value System (SVS) activities:

  • Plan
  • Engage
  • Obtain/build
  • Design and Transition
  • Deliver and support
  • Improve
The purpose of the risk management practice is to ensure that the organization understands and effectively handles risks. Managing risk is essential to ensuring the ongoing sustainability of an organization and creating value for its customers. Risk management is an integral part of all organizational activities and therefore central to the organization’s SVS. 

Risk is normally perceived as something to be avoided because of its association with threats, and although this is generally true, risk is also associated with opportunity. Failure to take opportunities can be a risk in itself. The opportunity costs of under-served market spaces and unfulfilled demand are a risk to be avoided.

The organization’s portfolio can be mapped to an underlying portfolio of risks to be managed. When service management is effective, products and services in the service catalogue and pipeline represent opportunities to create and capture value for customers, the organization, and other stakeholders. Otherwise, those products and services can represent threats due to the possibility of failure associated with the demand patterns they attract, the commitments they require, and the costs they generate. Implementing strategy often requires changes to the product and service portfolio, which means managing associated risks. 

Decisions about risk need to be balanced so that the potential benefits are worth more to the organization than the cost to address the risk. For example, innovation is inherently risky but could provide major benefits in improving products and services, achieving competitive advantage, and increasing agility and resilience. The ability of the organization to limit its exposure to risk will also be of relevance. The aim should be to make an accurate assessment of the risks in a given situation, and analyse the potential benefits. The risks and opportunities presented by each course of action should be defined to identify appropriate responses. 

The following principles apply specifically to the risk management practice: 

  • Risk is part of business: The organization should ensure that risks are appropriately managed. This does not mean that all risks are to be avoided. On the contrary, risk-taking is required to ensure long-term sustainability. However, risks need to be identified, understood, and assessed against the levels of risk the organization is willing to take (i.e. the risk appetite), and appropriately managed and monitored.
  • Risk management must be consistent across the organization: It is vital that the risk management practice is managed holistically to achieve consistency across the whole organization. To ensure effectiveness, there should be ongoing consultation with stakeholders and appropriate flexibility for different parts of the organization. This flexibility will allow tailored risk management procedures to be developed so that organizational units and/or customer-specific circumstances are addressed.
  • Risk management culture and behaviours are important: The appropriate culture and behaviours demonstrated by all levels of the organization’s personnel are critical and must be embedded as part of the ‘way we do things’. This will be demonstrated by behaviours and beliefs such as:
      ◦ understanding that effective risk management is vital for the sustainability of the organization and supports the achievement of business goals
      ◦ using proactive risk management behaviours
      ◦ ensuring transparency and clarity of risk management procedures, roles, responsibilities, and accountabilities
      ◦ actively encouraging and following up the reporting of risks, incidents, and opportunities
      ◦ ensuring remuneration structures support desired behaviours (i.e. they should neither discourage the reporting of incidents nor encourage over-reporting)
      ◦ actively encouraging learning and growth in maturity from the organization’s experiences and the experiences of other organizations.

ISO 31000:2018 Risk management 

These guidelines provide an overall and general perspective of the purpose and principles of risk management. They are applicable at all levels in any type of organization. ISO 31000 states that ‘the purpose of risk management is the creation and protection of value’ and that risk management ‘improves performance, encourages innovation and supports the achievement of objectives’. 
