To continue the discussion from my previous post on risk management tied to IT decision making…
First the “why”. There are many reasons listed in the MOF Risk Management Discipline white paper for why risk management is important to an organization. One of the more important ones to me is that there is less time between failure of a service and impact to a business than ever before. The failures are generally more visible as IT supplies many business critical systems that directly interact with customers. As stated in my previous post, it would be impossible to remove risk completely, but sound risk management techniques can drive risk to an acceptable (and more predictable) level.
MOF defines the risk management process in the following 6 steps:
- Identify. Risk identification allows individuals to identify risks so that the operations staff becomes aware of potential problems. Not only should risk identification be undertaken as early as possible, but it also should be repeated frequently.
- Analyze and prioritize. Risk analysis transforms the estimates or data about specific risks that developed during risk identification into a consistent form that can be used to make decisions around prioritization. Risk prioritization enables operations to commit resources to manage the most important risks.
- Plan and schedule. Risk planning takes the information obtained from risk analysis and uses it to formulate strategies, plans, change requests, and actions. Risk scheduling ensures that these plans are approved and then incorporated into the standard day-to-day processes and infrastructure.
- Track and report. Risk tracking monitors the status of specific risks and the progress in their respective action plans. Risk tracking also includes monitoring the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans and ultimately the availability of the service. Risk reporting ensures that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them.
- Control. Risk control is the process of executing risk action plans and their associated status reporting. Risk control also includes initiating change control requests when changes in risk status or risk plans could affect the availability of the service or SLA.
- Learn. Risk learning formalizes the lessons learned and uses tools to capture, categorize, and index that knowledge in a reusable form that can be shared with others.
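To make the "Analyze and prioritize" and "Track and report" steps concrete, here is an added illustration (my own, not the Contoso worksheet from the white paper) of a minimal master risk list: it scores each risk, ranks the list, and flags which risks entered or left the top of the list between two reviews. It assumes the common scoring rule exposure = probability × impact, which the post does not state, and the risks are constructed sample data.

```python
"""Master risk list in miniature: rank risks by exposure and flag priority changes.

Added illustration, not the Contoso worksheet shipped with the MOF white paper.
Assumes exposure = probability * impact (a common scoring rule the post does not
state) and uses constructed sample risks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # 0.0-1.0, estimated in the Analyze step
    impact: int         # 1 (low) to 10 (high), estimated in the Analyze step

    @property
    def exposure(self) -> float:
        return self.probability * self.impact  # assumed scoring rule


def prioritize(risks):
    """Analyze and prioritize: order by descending exposure, name breaks ties."""
    return sorted(risks, key=lambda r: (-r.exposure, r.name))


def top_risks(risks, n=3):
    """Names of the top-n risks a status report to stakeholders should cover."""
    return [r.name for r in prioritize(risks)[:n]]


def priority_changes(before, after, n=3):
    """Track and report: risks that entered or left the top-n between two reviews."""
    was, now = set(top_risks(before, n)), set(top_risks(after, n))
    return {"entered": sorted(now - was), "left": sorted(was - now)}


# Constructed sample data: two consecutive quarterly reviews of the same list.
Q1 = [Risk("Backup restore untested", 0.5, 8), Risk("Single DNS server", 0.3, 9),
      Risk("Patch window too short", 0.6, 4), Risk("Vendor contract expiring", 0.2, 6)]
Q2 = [Risk("Backup restore untested", 0.1, 8),   # restore drill now performed
      Risk("Single DNS server", 0.3, 9), Risk("Patch window too short", 0.6, 4),
      Risk("Vendor contract expiring", 0.7, 6)]  # renewal talks stalled

if __name__ == "__main__":
    for r in prioritize(Q1):
        print(f"{r.name:26} exposure={r.exposure:.1f}")
    print(priority_changes(Q1, Q2, n=2))
```

The change report is what should trigger a change control request under the "Control" step when a risk moves into or out of the top of the list.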
So based on this need for risk management and the process that defines it, how do we begin to apply it? MOF recommends that “operations integrate risk management into decision-making in the same way it has already integrated such critical factors as time, money, and labor:
- Risk management should be integrated into operations decision-making in every job function and role.
- Risk management should be taken seriously and given an appropriate amount of effort and formality.
- Management at all levels should encourage the view that identifying risks is a positive activity that is crucial to an effective risk-management process.
- Risk management should be performed continuously to ensure that operations deals with the risks that are relevant today, not just the ones that were relevant last quarter.
Fortunately, formalizing risk management practices is an achievable goal. Organizations can enhance the achievement of this goal by fostering a risk management culture.”
Also, built into the downloadable version of the Risk Management Discipline white paper, at the bottom of Appendix B, is an embedded Contoso Master Risk List Worksheet object. Open this Excel spreadsheet and you will have a formatted sample risk worksheet that you can begin using within your company.