How To Deal With Risks In IT Environments Using ITIL Best Practices

(Image by Nick Youngson, hosted at Alpha Stock Images

I had lots of fun writing my previous blog on change management using ITIL best practices, and I really appreciate the feedback and kind words from readers who enjoyed it. I would like to say thanks to our content expert who made sure that I was motivated enough to keep writing interesting blog posts. This week, I am going to discuss another important process of ITIL, which is risk management.

What Is Risk Management In ITIL?

As the name indicates, risk management is about dealing with risks. It is considered as one of the most important processes defined and discussed in ITIL.

ITIL discusses 26 processes and four functions in its foundation certification. Risk Management is also addressed in some well-known information security certifications like CISSP and CompTIA Security+. I have the honor of teaching these two certifications as well so I will get into more details of this topic.

Risks are applicable in various environments but we will limit our discussion to risks associated in IT environments only, since we are talking about best practices recommended by ITIL. Risk Management, unlike other processes, can be carried out throughout the service lifecycle and does not have to be limited to a particular phase of the service lifecycle.

Risk in simple words can be defined as “the potential for damage, loss, or destruction of an asset as a result of a threat exploiting a vulnerability.” In ITIL books, risk is defined as “a possible event that could cause loss/ harm or affect the ability to achieve objectives.”

As I have used terms like “threat”, “asset” and “vulnerability” in the above definition, let me quickly shed some light on these terms as well.

What Is An Asset In An IT Environment?

An asset (in an IT environment) can either be a resource or a capability. For example, infrastructure, hardware/software, applications, information, skilled employees, knowledge etc. are all examples of assets in an IT environment.

What Is A Vulnerability In An IT Environment?

Vulnerability can be defined as “a flaw/weakness or gap in our protection efforts.”. Examples of vulnerability can be not having an anti-virus installed on your system, or not having updated patches installed on your operating system, which makes it easier for attacker to exploit your system. Another example of vulnerability is having open ports in your server due to running un-necessary services. These open ports can be a source of entry for attackers.

A threat is defined as “something that can materialize or exploit a vulnerability, intentionally or un-intentionally, and damage or destroy an asset.” For example, you are under threat when you are part of an unsecure network like the internet where any attacker with malicious intent can pose a serious threat to your IT assets by exploiting vulnerabilities.

Relationship Between Risk, Vulnerability, And Threat

So then, what is the mathematical relationship between a risk, a vulnerability, and a threat? Well, there are two defined in various reference materials which I am going to share here; however, I am more inclined towards the second one.

Risk = Asset + Threat + Vulnerability   


Risk = Threat x Vulnerability

In the second equation, it can be clearly seen that either by decreasing threat or vulnerability (or both), you can reduce the risk or bring the risk at a minimal level (I don’t think you can make it zero but it is debatable).

Let’s say you are using a computer without anti-virus installed (vulnerable to malware) over an unsecure network. In this situation, the risk will be high because both vulnerability and threat have higher values. However, if you can manage any one of those (or ideally both), the risk will drop significantly. In this case, installing an anti-virus system will overcome the vulnerability or disconnecting it from unsecure network will avoid threat. Or managing both will avoid risk so this is how you can deal with a risk.

So How Do You Deal With Risks In An IT Environment?

In order to deal with a risk, you need to do the following:

  1. 1. Identify it (type and nature)
  2. 2. Analyze it (impact and probability)
  3. 3. Manage it (have an action plan)

Let’s start with identifying a risk first. A risk can be one of the following:


-          - Natural (flood, hurricane, tsunami, earthquake etc.)

-          - Man-made (theft of equipment/data, information disclosure, break-in etc.)

-          - System-based (network/application/service/device related)

Once you have identified the risk, you now need to analyze it. For example, what would be its impact on the business (quantitative or qualitative impact assessment) and how likely or frequently it can occur. So, we should have some $$ value or subjective idea (in case of qualitative assessment) in our mind (let’s say medium/high/low etc.) after the assessment.

I won’t go into much details of risk calculations, but it is very important to have a figure in mind depending upon your IT business nature and asset estimates. The last part is to have an action plan for it.

What Action Plans Can You Have?

Well, it depends on what is possible for you or what you are capable to do in order to manage risks. For example, there are various ways you can apply an action plan. Your risk response strategy can be one or more depending on circumstances e.g. mitigation, deterrence, avoidance, transference, acceptance etc.

Mitigation and avoidance are the two best risk response strategies if you are capable to apply those. Avoidance means completely getting rid of that particular risk, which may not be possible if the risk is natural. However, in our earlier example, by having anti-virus software installed and disconnecting your system from unsecure networks can result in risk avoidance.

In the same example, mitigation is possible if you are just able to take care of one thing out of those two, i.e. either having an anti-virus installed or disconnect from unsecure network.

Transference response strategy is possible when you can get the services of an insurance company and in this way, you are able to transfer your risk to someone else. Acceptance strategy means when you can’t do much, think earth quakes, and you don’t have much choice but to accept it and add the damage cost to your expenses. However, it is not 100% true and you still need to take actions which can somehow reduce the risk level. In case of a higher risk of natural disaster, you can may be store your data on the cloud, and take measures to minimize the damage done to your infrastructure. You can also train your employees in responding to these situations.

Deterrence is a response strategy when you want to openly discourage its cause. For example, having CCTV cameras or security guards at your facility reduces any risk of intrusion by an outsider/unauthorized person. There is also another risk response strategy possible (e.g. risk rejection) but as it is not very common and have to do with regulatory laws and legal aspects so I haven’t included it in this introductory blog.

My next blog will be on a security related topic, so stay tuned for that. I hope you will continue to read my blog posts and won’t hesitate to share your response/feedback with me. Please do visit our community portal to gain access to all the resources/blogs/discussions.