Risk Management
Risk is a possible event that could cause harm or losses, or create obstacles to achieving your objectives. The risk may also be defined as the uncertainty of an outcome that can be used to estimate the probability of a positive or negative outcome. The risk level associated with a change request or other ITSM entity is evaluated using the risk matrix in the ITSM application.
The risk matrix is a tool for a qualitative evaluation of associated risks that depends on the following parameters:
- Impact – the potential effect that the risk may have on the business user, service, or CI. The options are Low, Medium, High, Very high.
- Probability – the probability of the risk associated with the change taking place. The options are High or Low.
- Business criticality – the metric specifies how crucial the disruption of this service for the business can be. The options are High or Low.
The use of risk matrix allows you to approach the changes in a more efficient way. Use the following strategies to avoid or modify the risks:
- Decline the change.
- Remove the risk source.
- Change the probability of the negative event.
- Change the possible consequences.
- Share the risk with other parties (including contracts and risk financing).
- Retain the risk by informed decision.
If you intend to proceed with a high-risk change, it is recommended to increase the number of approvals required for the change request or another ITSM-entity and create an in-depth plan of the change.
Risk metrics for Business criticality = Low
| Probability/Impact | Low | Medium | High | Very high |
|---|---|---|---|---|
| Low | Low | Low | Medium | High |
| High | Medium | Medium | High | High |
Risk metrics Business criticality = High
| Probability/Impact | Low | Medium | High | Very high |
|---|---|---|---|---|
| Low | Low | Medium | High | High |
| High | High | High | High | Very high |
Extend the risk matrix
Add new impact, probability, and business criticality options
The "out-of-the-box" solution has a risk matrix with standard settings, but you can customize it based on your business tasks and priorities. Firstly, add more impact, probability, or business criticality options.
To add a new impact, probability or business criticality option, complete the following steps:
- Open any record that has the Impact, Probability, and Business cruciality fields.
- Right-click the title of the field you need and in the context menu that appeared, select Configure field.
- In the Related Lists area, select the Choice tab.
- Click New and fill in the fields.
- Click Save or Save and exit to apply the changes.
See the Choice Fields article to learn how to create choice options.
The Value field: the value must be relevant to the impact, probability or business criticality.
For example, the High option of Impact has a value of 3. If you add a Very high option for Impact that is higher than High, set the value to 4.
And if you add the Medium option for Impact that is lower than High, set the value to 2.
After you have added a new impact, probability, or business criticality option, perform the same steps for the Risk Matrix (itsm_dl_change_risk) table.
Add new risk combinations
After adding new choice options, extend the risk matrix. To do so, complete the following steps:
- Navigate to Data Matching Definition → Risk Matrix.
- Click New and fill in the fields.
- Click Save or Save and exit to apply the changes.
Risk Matrix form fields
| Field | Mandatory | Description |
|---|---|---|
| Impact | N | The impact value you plan to use in the new risk value. |
| Risk | N | The risk value that is calculated based on the impact, probability, and business criticality. |
| Probability | N | The probability value you plan to use in the new risk value. |
| Business criticality | N | The business criticality value you plan to use in the new risk value. |
| Order | N | The Order field is temporarily out of service – our team is working on restoring its functionality. We will inform you about the changes in one of our next releases. |
| Script | N | The Script field is temporarily out of service – our team is working on restoring its functionality. We will inform you about the changes in one of our next releases. |
Repeat these steps until your risk matrix covers all the possible combinations of the impact, probability and business criticality.