
Where is risk management in ITIL®?

Pavel Demin

Discussion Paper
March 2018
Contents

1 Risk management 03
2 About AXELOS 08
3 Trade marks and statements 08

02 Where is risk management in ITIL? AXELOS.COM


1. Risk management
The expression “risk management” can be found 245 times in the 2011 ITIL® lifecycle suite [1].
However, what will not be found in the five volumes is a description of risk management practices.
The question “why not?” is not so important. But “where not?” is a more interesting topic.

1.1 SERVICE DESIGN AS RISK MANAGEMENT

Konstantin Naryzhny has already written extensively on the subject [2]. In the “warranty” processes
(availability management, capacity management, continuity management and information security
management) there is a small but very important risk management component with a requirement
to continually analyze the threats relating to each process and introduce effective and efficient
countermeasures. And it is better done together: one service, one budget, and ideally one leader.
The importance of communication between processes on the issue of risks is described in ITIL.

It seems to be a concise picture, but actually there are more than four criteria for the quality of the service,
alongside ones mentioned above. These include areas such as maintainability, compatibility, compliance,
etc. Who will manage threats in these areas?

1.2 PROBLEM MANAGEMENT AS RISK MANAGEMENT

When first hearing about problem management, our course participants often exclaim: “So this is risk
management!” It is difficult to disagree: problem identification, classification, diagnosis and root cause
analysis, solution implementation, ongoing control - the activities that are part of the process strongly
resemble those in the risk management cycle.

One could define risks as things that have not yet occurred but may happen and problems as existing
things to be dealt with. However, this can be disputed when we take a look at proactive problem
management which tackles incident prevention by identifying errors that have not “played” yet, based
on information from sources external to the production environment. These sources include, but are
not limited to, information from vendors, known vulnerabilities, test results, colleagues’ experience and
errors that can be identified and assessed early enough (sometimes even before service operation starts).
Although proactive problem management is initiated at the operation stage, it is managed in the context of
continual service improvement.

1.3 RISK MANAGEMENT AS PART OF CONTINUAL SERVICE IMPROVEMENT

Charles T. Betz has noted of risk management and continual service improvement:

“On a practical level, both need tracking and often involve the same sorts of investigations. At least that’s
been my experience in working with business partners on both kinds of effort. Certainly, I have been
involved in any of a number of continuous improvement reviews that have resulted in risk identification.
I’ve also seen risks identified that resulted in a continuous improvement cycle.” [3]

To return to the point, let’s look at the definition: according to ISO 31000, “risk is the effect of uncertainty
on the objectives”. In turn, risk management is “coordinated activities to direct and control an organization
with regard to risk”. To me, it seems extremely important to point out that we do not manage risks, but
manage an organization that takes risks into account. Going back to the definition of risk and simplifying
it, we find that risk management is the management of an organization in terms of uncertainty. The better
the uncertainty is “worked through” (correctly identified, analysed and evaluated), the more justified the
managerial decisions we make and the more predictable our achievements are.

If risk/uncertainty is an inevitable part of a purposeful activity, and management is a means of
administering the purposeful activity, risk management is part of a manager’s work at any level. It is the
part that makes outcomes more predictable, and management more mature in general.

Now it is relatively clear that risk management is not a forgotten 27th ITIL process, but something that
is present in many sections of the entire library. In addition to the processes mentioned above, it is
not difficult to find risk management in change and release management, and even in service portfolio
management, for example. Moreover, the IT service management system as a whole is nothing but a tool
to reduce the business risks associated with IT, as well as to optimize resources and gain value from IT.
Therefore, the following answer to the headline question looks quite accurate: “ITIL is risk management in
many ways.”

However, it can be argued that risk management should be its own separate process within ITIL. To some
it can look as though risk management has been skipped over because it does not have its own chapter or
specific process.

Imagine a tyre (an example from the FAIR technique). It is important to consider whether it is used for
its intended purpose or hung from a tree branch by a rope. How worn-out is the rope? How strong is the
branch? Is the tyre hanging within a metre of the ground or over an abyss? Assessments of the same risk
can vary widely depending on who the assessors are, where they are located and what information they
have. Obviously, risk management benefits greatly from scale and from the use of an integrated approach
to identifying and analyzing risks and making decisions about countermeasures. It is also helpful if the
assessment reports from experts in different fields are reduced to a common denominator.

When we say that there is no risk management described in ITIL, first of all we mean that there is no
centralized function for risk management: a single centre for accumulating and maintaining information
about risks in their current state (including indicators of probability and impact that can change
significantly over time due to our actions and external factors) and its provision to all interested parties for
making management decisions.

Do you use the concept of risk in your activities? Is there a risk management function in your IT
organization? If you have it in the business organization, then how does it interact with IT? Is there a
shared risk register? If so, how do you assess its effectiveness? What IT service management tasks does
it help to perform? How is the interaction with other processes set up? If there is nothing like that in
place or planned, what are the arguments against it? Your thoughts and experiences are welcome in the
research community.

End Notes

[1] https://realitsm.ru/2011/09/zanimatelnaya-arifmetika-upravlenie-riskami/ accessed 07 February 2018.
[2] https://cleverics.ru/subject-field/articles/581-service-design-as-risk-management-practice accessed 07 February 2018.
[3] http://www.itskeptic.org/itil-problem-versus-risk comments section, accessed 07 February 2018.

2. About AXELOS
AXELOS is a joint venture company co-owned by the UK Government’s Cabinet Office and Capita plc.

It is responsible for developing, enhancing and promoting a number of best practice methodologies used
globally by professionals working primarily in project, programme and portfolio management, IT service
management and cyber resilience.

The methodologies, including ITIL®, PRINCE2®, MSP® and the new collection of cyber resilience best
practice products, RESILIA®, are adopted in more than 150 countries to improve employees’ skills,
knowledge and competence in order to make both individuals and organizations work more effectively.

In addition to globally recognized qualifications, AXELOS equips professionals with a wide range of content,
templates and toolkits through the CPD aligned AXELOS Membership and our online community of
practitioners and experts.

Visit www.AXELOS.com for the latest news about how AXELOS is ‘Making organizations more effective’ and
registration details to join AXELOS’ online community. If you have specific queries, requests or would like to
be added to the AXELOS mailing list please contact Ask@AXELOS.com.

3. Trade marks and statements

AXELOS®, the AXELOS swirl logo®, ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, M_o_R®, P3M3®,
P3O®, MoP®, MoV® and RESILIA® are registered trade marks of AXELOS Limited. All rights reserved.

Original content produced by Cleverics LLC. (www.cleverics.ru). Translated by AXELOS Limited.

Original essay in Russian available here: https://realitsm.ru/2016/04/guiding_principles_for_itsm/ [accessed 11 December 2017]

Cover image is copyright Getty/DutchScenery

Reuse of any content in this Discussion Paper is permitted solely in accordance with the permission terms
at https://www.axelos.com/policies/legal/permitted-use-of-white-papers-and-case-studies

A copy of these terms can be provided on application to AXELOS at Licensing@AXELOS.com

Our Discussion Paper series should not be taken as constituting advice of any sort and no liability is
accepted for any loss resulting from or use of or reliance on its content. While every effort is made
to ensure the accuracy and reliability of information, AXELOS cannot accept responsibility for errors,
omissions or inaccuracies. Content, diagrams, logos, and jackets are correct at time of going to press but
may be subject to change without notice.

Sourced and published on www.AXELOS.com

About this Discussion Paper

This Discussion Paper explores the nature of risk management and its place in ITIL.
