This post was last edited by FYIRH on 2022-8-10 17:27.
2.2 Terms and concepts
2.2.1 Risk
2.2.2 Risk capacity
2.2.3 Risk appetite
2.2.4 Risk register
● unique ID
● category (to group similar types of risk)
● description
● probability
● impact
● overall rating or score
● owner
● treatment
● updated rating or score after treatment (residual risk)
● action date(s).
2.2.5 Risk owner
2.2.6 Risk treatment
Table 2.1 Risk treatment options
2.2.7 Control
Organizations and people:
● Clear desk policy
● Security awareness training
Information and technology:
● Network firewall
● Audit records
Suppliers and partners:
● Contractual requirements for the supplier to be certified to a quality management system standard
● Regular audit of supplier activities
Value streams and processes:
● Evaluation of changes before deployment
● Reference checks during employee recruitment
2.2.8 Residual risk
Risk management is performed at all levels of the organization. Strategic risk management considers long-term risks that may impact the ability of the organization to perform its mission. Programme and project risk management considers risks that may affect medium-term goals and objectives. Operational risk management is focused on short-term goals and objectives. Risk management at each of these levels must be based on direction from the governors of the organization.
The ITIL definition of a service specifically identifies that managing risks on behalf of service consumers is an essential part of every service.
Service: A means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.
Every service removes some risks from the service consumer, but also imposes additional risks on the service consumer. The service provider must understand and manage these risks in a controlled manner. The balance between the risks removed and the risks imposed is part of the value proposition of the service.
The risk management practice provides an organization with the resources required to identify and manage risks efficiently and effectively, across all four dimensions of service management.
2.2.1 Risk
A possible event that could cause harm or loss, or make it more difficult to achieve objectives. Can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.
Risk is normally avoided because of its association with threats. Although this is generally true, risk is also associated with opportunity.
Any uncertain outcome is a risk. When the risk is negative, the uncertain outcome would result in harm or loss. When the risk is positive, the uncertain outcome would result in benefits to one or more stakeholders. For example, an organization may invest in a new service in the expectation that it will attract customers and generate revenue. However, a positive outcome is not guaranteed; instead the outcome is uncertain, that is, a risk. Positive risks are sometimes called opportunities.
The failure to take opportunities can be a risk. An organization that does not invest in its services or in developing its customer relationships will not retain its market position. The environment in which organizations operate is constantly evolving, and the failure to evolve can pose a risk to the organization.
2.2.2 Risk capacity
Risk capacity is defined by the governance of the organization. Risk management activities must ensure that risks remain below the risk capacity.
If the level of risk in an organization is too high, then this could have a major impact on the organization’s ability to continue operating. The risk capacity of an organization is the maximum amount of risk that the organization can tolerate and is often based on factors such as damage to reputation, assets, and so on.
2.2.3 Risk appetite
Risk appetite is defined by the governance of the organization and is used to facilitate decision-making and risk management activities.
Some organizations choose to take significant risks to make significant gains. Other organizations prefer to take few risks, but this also reduces their opportunities. The risk appetite of an organization is the amount of risk that the organization is willing to accept. This should always be less than the risk capacity of the organization.
2.2.4 Risk register
It is important to keep a record of identified risks that captures each risk’s current status and history. This record is known as a risk register. Each entry in the risk register shows the history and status of a single risk. Typically, this will include the following information (but this can vary depending on the needs of the organization):
● unique ID
● category (to group similar types of risk)
● description
● probability
● impact
● overall rating or score
● owner
● treatment
● updated rating or score after treatment (residual risk)
● action date(s).
An organization may have more than one risk register depending on the size and structure of the organization, and the number and types of risks that are being managed.
2.2.5 Risk owner
The risk owner may not be responsible for the actions needed to manage the risk, but they must ensure that these actions are appropriate and that they are actually taken.
Every risk must have an assigned owner who is accountable for ensuring that the risk has been understood and appropriately managed. The risk owner should be assigned as soon as the risk has been identified and should be documented in the risk register.
2.2.6 Risk treatment
Sometimes it is possible to eliminate a risk, but this is unusual. After the probability and the impact of the risk have been understood, the risk owner must agree on a suitable way to treat the risk. Actions that can be taken to treat a risk are shown in Table 2.1.
Table 2.1 Risk treatment options
Option: Risk avoidance
Description: Prevent the risk by not performing the risky activity
Example: Avoid the risk of an investment failing to deliver the expected value, by rejecting the business case proposing the investment
Option: Risk modification (or risk reduction)
Description: Implement controls to reduce the likelihood or impact of the risk
Example: Encrypt sensitive information when it is transmitted on the network to reduce the likelihood of it being intercepted
Option: Risk sharing
Description: Reduce the impact by passing some of the risk to a third party
Example: Take out insurance against fire, or against a cyber attack
Option: Risk retention (or risk acceptance)
Description: Intentionally decide to accept the risk because it is below an acceptable threshold (and within the risk appetite of the organization)
Example: Accept the risk of an investment failing to deliver the expected value, by accepting the business case proposing the investment
When dealing with positive risks (opportunities), the terms are usually expressed slightly differently. Risk avoidance becomes risk exploitation and risk reduction becomes risk enhancement. However, the term risk modification covers both positive and negative risks.
2.2.7 Control
The means of managing a risk, ensuring that a business objective is achieved, or that a process is followed.
Risk modification requires implementation of controls to reduce the likelihood or impact of a risk.
A control can be based on technology, for example a firewall or a resilient network configuration, but it can also be related to any of the other dimensions of service management. Some examples of controls for each dimension are shown in Table 2.2.
Table 2.2 Example controls
Organizations and people:
● Clear desk policy
● Security awareness training
Information and technology:
● Network firewall
● Audit records
Suppliers and partners:
● Contractual requirements for the supplier to be certified to a quality management system standard
● Regular audit of supplier activities
Value streams and processes:
● Evaluation of changes before deployment
● Reference checks during employee recruitment
2.2.8 Residual risk
Risk treatment does not usually eliminate a risk completely. Therefore, after the application of controls, it is necessary to perform a new risk assessment. This is to understand the new likelihood and impact and then to calculate the residual risk. The organization could then choose to apply more controls to further reduce the risk. Alternatively, the organization could accept the residual risk, which should be documented in the risk register and communicated to the interested stakeholders, in the same way as any other retained risk.
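As an added worked example (not part of the ITIL text or of this translation), a minimal risk register in Python that ties together the register fields of 2.2.4, the appetite and capacity thresholds of 2.2.2 and 2.2.3, and the residual-risk reassessment after treatment described in 2.2.8. The numeric scoring model (probability and impact rated 1 to 5, rating = probability × impact, appetite and capacity as thresholds on that rating) is an assumption for illustration, not an ITIL definition.

```python
# Added example (not from the ITIL text). Assumed scoring model: probability and
# impact rated 1..5, overall rating = probability * impact, and risk appetite /
# capacity expressed as thresholds on that rating.
from dataclasses import dataclass, field
from typing import Optional
TREATMENTS = {"avoidance", "modification", "sharing", "retention"}  # Table 2.1


@dataclass
class Risk:                          # one risk register entry (section 2.2.4)
    risk_id: str
    category: str
    description: str
    probability: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                      # 1 (negligible) .. 5 (severe), assumed scale
    owner: str                       # accountable owner, assigned at identification
    treatment: Optional[str] = None
    residual: Optional[int] = None   # updated rating after treatment
    action_dates: list = field(default_factory=list)

    @property
    def rating(self) -> int:
        return self.probability * self.impact

    def treat(self, option: str, new_probability: int, new_impact: int, when: str) -> int:
        """Record the treatment and the re-assessed (residual) rating (section 2.2.8)."""
        if option not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {option}")
        self.treatment, self.residual = option, new_probability * new_impact
        self.action_dates.append(when)
        return self.residual


class RiskRegister:
    def __init__(self, appetite: int, capacity: int):
        if appetite >= capacity:     # appetite must stay below capacity (section 2.2.3)
            raise ValueError("risk appetite must be less than risk capacity")
        self.appetite, self.capacity, self.risks = appetite, capacity, {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def current_rating(self, risk: Risk) -> int:
        return risk.residual if risk.residual is not None else risk.rating

    def above_appetite(self) -> list:
        """IDs needing more controls or an explicit, documented retention decision."""
        return [r.risk_id for r in self.risks.values() if self.current_rating(r) > self.appetite]

    def above_capacity(self) -> list:
        """IDs that threaten the organization's ability to keep operating (section 2.2.2)."""
        return [r.risk_id for r in self.risks.values() if self.current_rating(r) > self.capacity]
```

A risk whose current rating is above appetite but not above capacity can still be retained, provided the decision is recorded in the register and communicated as described above.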
This document was compiled by 长河 (WeChat: achotsao) by preliminary cleanup of a machine translation; the refined translation is being carried out by the ITIL expert team organized by the ITIL先锋论坛 and is expected to be fully completed before the end of 2020. To download the final translated version, follow the WeChat public account ITIL先锋论坛, or visit www.ITIL4hub.cn or www.ITILxf.com.
The ITIL先锋论坛 expert team has only performed the language conversion of these works. We do not hold any copyright in the original works or in the Chinese release files; all copyright is held by AXELOS, and readers using these files (including the Chinese translations) must fully comply with all copyright requirements stated by AXELOS and TSO.