If your organization is like most, risk management is a discipline that is not given a lot of attention. Quite often companies take a very basic approach and reduce risk management to a cloud of high, medium, and low ratings without further definition. In other companies, upper management takes a very negative approach to risk, which discourages risk identification, mitigations, and contingencies from even being looked at. Once clear guidance is adopted and the benefits of true risk management are realized, your company can begin to look at risk in a whole new way.

As outlined in the MOF Risk Management Discipline for Operations white paper, risk is neither good nor bad; it just is. Whether you maintain the status quo or embark on leading-edge projects within IT, there is always risk associated with it. Once this is “really” understood, the logical next step is to identify ways to reduce risk, identify when risks are being realized, and plan ways of dealing with them should they become reality. This is what MOF risk management is all about.

For any change that IT may implement, risk should always be managed. The level of detail associated with risk management should be tied to the complexity of the change. Significant and major changes should always have more in-depth risk analysis than standard and minor changes. The goal is not to eliminate the risk, which, as stated before, will always exist, but to reduce it to an acceptable level. The following diagram illustrates how MOF risk management fits into IT decision making.

[Figure: MOF Risk Management and IT Decision Making]

So how do you define a risk? MOF describes it this way: “Risk is broadly defined as any event or condition that can have an impact on the outcome of an activity. Within the context of IT operations, risk is the probability, not the certainty, of suffering a loss and the likelihood that the threat will occur. The loss could be anything from diminished quality of a service to increased cost, missed deadlines, or complete service failure.
Risks arise from uncertainty surrounding operational decisions and outcomes. Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of an activity. However, outcomes may also result in failure to maximize gain in an opportunity; the uncertainties in decision making leading up to this outcome can also be said to involve elements of risk.”

I will outline more detail on the “how” when applying this risk discipline in my next post.