All IT changes present a certain amount of risk. Effective change management, however, can ensure that these risks are analyzed and managed. Moreover, change risk analysis, as tabled by Greg Sanker in this article in ITSMTransition.com, relates to risk in terms of the whole organization. All the risks come down to a variation of “Will I be able to do business after the change is made?”
Let’s take a practical approach to risk analysis in managing changes.
It is important to list as many threats as possible; with experience, the manager will be able to distinguish key threats from the others. However, listing unlikely risks will not be helpful and must be avoided.
Analyzing the Risks
We need to assess the probability of the change risk, and how it will affect the business.
In this regard, the following points should be considered:
- For this platform, have we seen this happen before?
- Have we recently made this upgrade on other servers?
- How old is the hardware?
- How complex is the server configuration?
- What’s the word on the street?
Keep the risk labels simple, i.e., label them as low, medium and high.
How bad is bad?
After analyzing each risk, we need to assess the business impact if the risk happens. The following points should be considered:
- Do we understand the criticality of the desired business outcome(s)?
- Has the business been consulted on the timing and risk of proposed change?
- Can the service be fully restored during the agreed change window?
- Is there a tested and documented recovery/rollback plan in place?
A simple risk matrix can be helpful. It is also good practice to pre-identify high-risk infrastructure components, as any impact on these components entails a high-risk change. Still, other high-risk changes can be labeled as such based on organizational culture or previous experience. Here, the risk to the business as a whole must be considered, and not merely a technical or IT-focused risk.
It is good practice to focus on high-risk threats and develop workable and realistic mitigation strategies for each. Depending on business requirements, moderate plans can be made for medium risks.
Identifying risks and analyzing how each was dealt with will help bring about continual improvement.
To view the original article in full, click the following link: http://itsmtransition.com/2018/08/it-change-risk-analysis/