The risks are known errors...

...Or at least many of them are, especially the ones most closely related to the technology and infrastructure that underpin the services. This is very fortunate for us, because we get two for one: risk management and problem management (more or less) for the same price.
I am not going to discuss mature risk management of the type used in ISO27000 certifications or carried out for a proper implementation of ENS. Those risk management systems are fit for purpose, so I can’t contribute much there.
But outside of that scope, how many organizations adopt no measures at all for risk management, or for the detection, analysis or mitigation of risks? Unfortunately, there are quite a few, and one of the reasons they don’t do anything might be that they are afraid to add a new framework specifically for risk management, one more new process...
The good news is that if you don’t have a specific process for risk management, then a preliminary approximation can be very easy, based simply on problem management (and known errors). It would be an incipient process, not very mature, but it would be a good first step toward increasing confidence, and it could be refined in the future.
And what are the risks?
Without getting into technical matters, and if the purists will allow me to say so, a risk is a danger, something “not very nice” that could happen and cause problems for us (please note: I am focusing on the negative risks and not on positive opportunities, and there are some of the latter). This “something negative” is something that you know is present and that you should resolve, but you have to live with it in the meantime and be more or less prepared to take action if it becomes a reality. Understood this way, the risk is a known error within the scope of (proactive) problem management, with its respective workaround (preferably documented in the knowledge base) so that we know what to do if it becomes a reality. To identify easily which known errors really correspond to risks, you can simply play with the classification a little and create a series of categories and attributes specific to these records (with a fairly configurable ITSM tool this should not be very hard).
And you are ready to go, with no more effort needed: a rather simple line of thought that encourages proactive problem management in support of the risk management process (at least in its initial version which, I repeat, must continue to evolve later...).
Of course, a fundamental part of risk management is still missing, namely mitigating actions. But if the risks are problems, then what do you think the mitigating actions will be...? 😉 Another reused process (in case you haven’t noticed, it is the segnahc management process, written in code).

