Risk Management Practice by ITIL 4
By 2019, ITIL is renewed as ITIL 4 to integrate Agile and DevOps to ITSM strategies and become more customer focused rather than being IT centric. Not a big surprise, ITIL is expected to be aligned with digital transformation and digital organizations while emphasizing soft skills such as communication, collaboration and leadership. For the success of digital transformation not only recent technological changes but also people factor is inevitable which the new version covers both.
Rather than being process-focused as previous versions, ITIL 4 highlights the service value as the core. For me this is the major difference, because the popular approach of IT processes and lifecycles has been removed and replaced with practices. Practices are much more wider and besides processes they include people, roles, units of organizations and policies.
Figure 1: Service Value Chain as the heart of ITIL Service Value System (SVS) and 7 Guiding Principles
ITIL 4 introduces the concept of Service Value System (SVS) which consists of five elements: Guiding Principles, Governance, Practices, Continual Improvement and Service Value Chain. Service value chain positioned at the heart of the SVS to be customer focused. Although it might be seen as many new terms used, the main concepts are not difficult to interpret for those of you who are familiar with ITIL V3.
In this article, I would concentrate on Guiding Principles and Service Value Chain Activities. To be more illustrative I would discuss these two concepts through a practice. I selected Risk Management as a new practice of ITIL 4 which was not a separate process at ITIL V3.
Another reason, why I choose Risk Management is because in real life it might be considered as hot potato issue. Even the name of the Risk Management might be found risky in some organizations. I would break down Risk Management practice into small steps by discussing relevant Guiding Principles and Service Value Chain activities with examples.
7 Guiding Principles and 6 Service Value Chain Activities
Before discussing the principles and activities, let me introduce them. The guiding principles are defined as recommendation that guides all relevant actions of an organization in all circumstances. The guiding principles are independent from the organization’s objectives, strategy or goals. Different form previous versions, ITIL 4 tells what to do but not how to do. The guiding principles are listed in the below, I did not give numbers because they are not sequential.
· Focus on value
· Start where you are
· Collaborate & Promote Visibility
· Think & Work Holistically
· Progress Iteratively with Feedback
· Keep it simple & practical
· Optimize & automate
Figure 2: Service Value Chain Activities
Service value chain is defined as operating model for service providers that cover all the key activities required to effectively manage products and services. It is a series of groups of activities that are triggered by demand and resulted in value. The activities listed in the below are not in lifecycle manner and not sequential. Because one step of a practice might include more than one value chain activity.
· Plan
· Engage
· Improve
· Design & transition
· Obtain / build
· Deliver & support
After briefly introducing the Guiding Principles and Service Value Chain activities, I am ready to break down the Risk Management practice into steps. To be simple, I focus on five clear steps of Risk Management.
Figure 3: Guiding Principles and Service Value Chain activities of Risk Management Practice
1. Plan for Risk Management
Risk Management should have a separate plan aligned with the objectives of the organization. At this step, initially the value should be defined in order to determine what is risk because value creation is achieved by balance of risk and costs. Value is perceived benefit in terms of customer loyalty, revenue, reduced costs or growth opportunities. In case of risk realization, the value would be affected negatively. The guiding principle Focus on Value and value chain activity Plan are most relevant with this step. The purpose of Plan activity is ensuring shared understanding of the vision, current status and improvement directions which would support determining risk plan. Understanding the strategy and risk appetite of the organization, relevant legislations and other constraints would be key contributors of the risk plan.
2. Identify Risk
At the step of identifying risk, it is not necessarily expected to quantify risk whereas getting as many ideas as possible to investigate the current status is crucial. The current state should be understood by all stakeholders. Checking whether any risk is recorded previously or any risk policy is already documented would help to understand as-is situation of the organization. Involving each stakeholder and the communication between each party would bring different perspectives together. Contribution of different parties would prevent hidden points in identifying risk. The guiding principle Start Where You Are and value chain activity Engage are most relevant with this step.
3. Analyze Risk
At the step of analysing risk, impact and probability of the risk would be quantified. Assessment of the risk consequences is included at this step as well. Transparency would be critical at analysing risk. The stakeholders who were involved in the previous step, should build a trustful relationship at this step. Hidden agendas or any kind of manipulation would lead in to underestimation of risk impact or even not finding out risks. Each party should be encouraged to involve in decision making process in a trustful approach for risk analysis. These aspects indicate the guiding principle of Collaborate and Promote Visibility. Analysing the risk would contribute that the service or product meet stakeholder’s expectations in terms of cost, time to market and quality. In the opposite case, when stakeholder’s expectations are not counterbalanced, risk arises and probably that is because risk is not analysed properly before. Thus, value chain activity Design & Transition is most relevant with this step.
4. Manage Risk
After analysing and assessing, it should be decided how to manage risk. Regarding to risk appetite of the organization, avoiding or mitigating risk options should be considered. This step might require investment decisions or risk acceptance. Based on the size of the risk, mitigation plans could be implemented through programs, projects or daily operational activities. Technology based plans including “organization and people” dimension as well as partners and suppliers would be evaluated. So taking a holistic approach is important which is mostly related to guiding principle of Think & Work Holistically. Customer satisfaction, cost and time factors should be taken into account in an effective and efficient manner while managing risk. By this approach it would be ensured that service or product meet agreed specifications. Thus, value chain activity Obtain/ Build is most relevant with this step.
5. Review Risk
Risk management should be a continuous practice which is embedded into several day-to-day activities because risk management is not based on a single project. Regular review of risk is necessary to respond changing internal and external factors. Priorities and circumstances might change during the implementation of the risk plan. Changes in legislations (e.g new regulations), in technology (e.g new security patches or upgraded versions), in the market (new competitors) and in customer demand (e.g seasonal factors) are possible. Being responsive to recent changes and updating risk plans ensure continual improvement of products and services. The guiding principle Progress Iteratively with Feedback and value chain activity Improve are most relevant with this step.
I tried to highlight only the most relevant guiding principle and value chain activity for each step of risk management practice. Remember that other guiding principles and value chain activities would contribute to each step. ITIL 4 emphasizes that value chain activities are not in a lifecycle manner or sequenced order.
Moreover each four dimensions of service management should be taken into consideration in every step. (Organization and people, information and technology, partners and suppliers, value streams and processes)
The two guiding principles which I did not mentioned are still relevant at these steps as well. Let me discuss these two guiding principles with the most relevant steps. Principle of Keep it simple and practical is mostly related to “Analyze Risk” step. Having outcome-based approach to produce results and avoiding complex methods would be meaningful. For example, complex impact and probability matrix should not be preferred. Principle of Optimize and automate could be considered at “Review Risk” step. Risk management practice requires human intervention but technology supports the organization for effective review. Risk Review could be embedded into various automated workflows and practices. For example, in the impact analysis step of change management practice, users could be enforced to review risk at the same time. Another automation option is sending scheduled reminders periodically to the responsible users for risk review.