management
in ITIL®?
Pavel Demin
Discussion Paper
March 2018
Contents
1 Risk management
2 About AXELOS
It seems to be a concise picture, but actually there are more than four criteria for the quality of the service,
alongside the ones mentioned above. These include areas such as maintainability, compatibility, compliance,
etc. Who will manage threats in these areas?
One could define risks as things that have not yet occurred but may happen and problems as existing
things to be dealt with. However, this can be disputed when we take a look at proactive problem
management which tackles incident prevention by identifying errors that have not “played” yet, based
on information from sources external to the production environment. These sources include, but are
not limited to, information from vendors, known vulnerabilities, test results, colleagues’ experience and
errors that can be identified and assessed early enough (sometimes even before service operation starts).
Although proactive problem management is initiated at the operation stage, it is managed in the context of
continual service improvement.
“On a practical level, both need tracking and often involve the same sorts of investigations. At least that’s
been my experience in working with business partners on both kinds of effort. Certainly, I have been
involved in any of a number of continuous improvement reviews that have resulted in risk identification.
I’ve also seen risks identified that resulted in a continuous improvement cycle.”3
To return to the point, let’s look at the definition: according to ISO 31000, “risk is the effect of uncertainty
on the objectives”. In turn, risk management is “coordinated activities to direct and control an organization
with regard to risk”. To me, it seems extremely important to point out that we do not manage risks, but
manage an organization that takes risks into account. Going back to the definition of risk and simplifying
it, we find that risk management is the management of an organization in terms of uncertainty. The better
the uncertainty is “worked through” (correctly identified, analysed and evaluated), the more justified the
managerial decisions we make and the more predictable our achievements are.
Now it is relatively clear that risk management is not a forgotten 27th ITIL process, but something that
is present in many sections of the entire library. In addition to the processes mentioned above, it is
not difficult to find risk management in change and release management, and even in service portfolio
management, for example. Moreover, the IT service management system as a whole is nothing but a tool
to reduce business risks associated with IT, as well as to optimize resources and gain value from IT.
Therefore, the following answer to the headline question looks quite accurate: “ITIL is risk management in
many ways.”
However, it can be argued that risk management should be its own separate process within ITIL. To some
it can look as though risk management has been skipped over because it does not have its own chapter or
specific process.
Imagine a tyre (an example from the FAIR technique). It is important to consider whether it is used for
its intended purpose or hung from a tree branch by a rope. How worn-out is the rope? How strong is the
branch? Is the tyre hanging within a metre of the ground or over an abyss? Assessments of the same risk
can vary widely depending on who the assessors are, where they are located and what information they
have. Obviously, risk management benefits greatly from scale and from the use of an integrated approach
to identifying and analysing risks and making decisions about countermeasures. It is also helpful if the
assessment reports from experts in different fields are reduced to a common denominator.
When we say that there is no risk management described in ITIL, first of all we mean that there is no
centralized function for risk management: a single centre for accumulating and maintaining information
about risks in their current state (including indicators of probability and impact that can change
significantly over time due to our actions and external factors) and its provision to all interested parties for
making management decisions.
Do you use the concept of risk in your activities? Is there a risk management function in your IT
organization? If you have it in the business organization, then how does it interact with IT? Is there a
shared risk register? If so, how do you assess its effectiveness? What IT service management tasks does
it help to perform? How is the interaction with other processes set up? If there is nothing like that in
place or planned, what are the arguments against it? Your thoughts and experiences are welcome in the
research community.
End Notes
1 https://realitsm.ru/2011/09/zanimatelnaya-arifmetika-upravlenie-riskami/ accessed 07 February 2018.
2 https://cleverics.ru/subject-field/articles/581-service-design-as-risk-management-practice accessed 07 February 2018.
3 http://www.itskeptic.org/itil-problem-versus-risk comments section, accessed 07 February 2018.
It is responsible for developing, enhancing and promoting a number of best practice methodologies used
globally by professionals working primarily in project, programme and portfolio management, IT service
management and cyber resilience.
The methodologies, including ITIL®, PRINCE2®, MSP® and the new collection of cyber resilience best
practice products, RESILIA®, are adopted in more than 150 countries to improve employees’ skills,
knowledge and competence in order to make both individuals and organizations work more effectively.
In addition to globally recognized qualifications, AXELOS equips professionals with a wide range of content,
templates and toolkits through the CPD aligned AXELOS Membership and our online community of
practitioners and experts.
Visit www.AXELOS.com for the latest news about how AXELOS is ‘Making organizations more effective’ and
registration details to join AXELOS’ online community. If you have specific queries, requests or would like to
be added to the AXELOS mailing list please contact Ask@AXELOS.com.
Reuse of any content in this Discussion Paper is permitted solely in accordance with the permission terms
at https://www.axelos.com/policies/legal/permitted-use-of-white-papers-and-case-studies
Our Discussion Paper series should not be taken as constituting advice of any sort and no liability is
accepted for any loss resulting from use of or reliance on its content. While every effort is made
to ensure the accuracy and reliability of information, AXELOS cannot accept responsibility for errors,
omissions or inaccuracies. Content, diagrams, logos, and jackets are correct at time of going to press but
may be subject to change without notice.