Risk mitigation and service management: putting in place the right controls and workflows
- Published: Friday, 04 March 2016 09:56
Businesses often overlook the usefulness of service management tools that they already have at their fingertips as a way to streamline and effectively manage internal risk processes. Dean Coleman looks at some practical steps that businesses can take to utilise these for effective IT risk management.
IT is playing an increasingly prominent role within every organization and IT service managers need to be keenly aware of the importance of risk management to ensure they have control and influence over any issues likely to get in the way of the smooth running of the business. Technology is now so pivotal to the healthy running of the majority of companies that IT risk management has become a key discussion point on the corporate agenda of many boardrooms, as downtime of critical systems – whether due to accidental or malicious intention – threatens to undermine the productivity of the entire organization. Yet, despite its importance, many organizations still use manual spreadsheets to manage risk which are not dynamically linked to IT real estate, so lack any ability to equate theoretical IT risk with the actual situation on the ground.
Businesses often overlook the usefulness of service management tools that they already have at their fingertips as a way to streamline and effectively manage internal risk processes. Many service management tools are likely to already have a database of IT assets and users, so it makes sense to link IT risk management to your overall service management capabilities. That being so, what are the practical steps that businesses can take to rest back control of their IT assets and ensure that problems in one area of the business don’t have a knock-on effect on other functions?
Take stock of your IT assets
The first priority is to create a central repository for tracking all IT risk information, including: risks and owners, actions allocated, as well as an assessment of the risk scores associated with each item. This needs to include details of controls and mitigation activities put in place along with full audit trails and history to provide real time visibility of scenarios that could affect the efficient running of the business and the level of service provision to customers; as well as pinpointing at any time the current status of any individual entry.
An important by-product of this exercise is that it will flag up supply chain risks that impact across other departments in the organization. For example, should the delivery of a specific widget be delayed, a well-defined service management process will highlight the impact this could have across the entire business; for example, within the finance department in terms of billings; sales in terms of fulfilment of orders; manufacturing in terms of build schedules etc. The relationship between different activities should also be clearly identified because if two events occurred simultaneously the impact may be that much bigger. Being armed with this information allows the management team to make alternative provisions and notify internal and external stakeholders before the problem becomes a major crisis, as well as determining the financial impact on the business and how much time and resource to allocate to fix it.
Understanding your appetite for risk
Understanding and formalising the businesses attitude to risk is another important step in the process, as it goes without saying that there are cultural, legal and human factors at stake here. Another prerequisite to running an efficient IT services function is ensuring that fundamental processes such as change management, problem resolution and the management of new releases or patches are tightly controlled and integrated into the wider IT infrastructure. Failure to do so will result in a reactive rather than proactive approach to service management and this can have a detrimental effect on both internal customers and end users.
As any management consultant will tell you, it’s often not the fact that you have a problem in itself, but more about how you handle it that determines the overall impact on a business of any challenging situation. Every business needs to have a well-defined incident response policy and IT often sits at the very heart of that strategy. The nature of the business itself may have a direct bearing on how critical any downtime will be.
Where customer service level agreements can be invoked, which can rack up sizeable costs to the company, it is of paramount importance that there is a clear and defined incident response mechanism. One vital asset is such situations is the existence of a risk register which can provide instant advice for management on the impact, probability of an incidence occurring and the potential cost to the business. Armed with such business intelligence, the management team has the opportunity to set in motion the optimal actions and invoke the appropriate policies to mitigate any potential damage to the business both immediate and further down the road.
Ultimately it’s important to determine your risk ratings. This requires defining a standard set of impact and probability ratings and then assessing each in turn to develop a clear overview of your risk status at any time. By doing this, you can prioritise those risks which need to be addressed as a priority and then make the right decisions to avoid, mitigate, transfer or accept the risks. Ultimately the secret to effective IT risk management, as with service management, is having the correct people, processes and tools in place underpinned by a clear strategy and incident response plan to know how to react when things go wrong.