mikea posted on 2020-4-15 11:19:54

Practice_Risk management (Risk management practice)

This post was last edited by FYIRH on 2022-8-10 17:27

Back to: index of released Chinese-version files of the ITIL 4 theory and practice body of knowledge

Latest news: the official Chinese translation of this practice is now available for download at http://ITIL-foundation.cn/thread-140696-1-1.html

To download the latest translation, follow the WeChat official account ITILXF and reply “风险管理” (risk management).


Risk management is performed at all levels of the organization. Strategic risk management considers long-term risks that may affect the organization's ability to carry out its mission. Programme and project risk management considers risks that may affect medium-term goals. Operational risk management focuses on short-term goals. Risk management at each level must be based on direction from the organization's governors.


The ITIL definition of a service makes clear that managing risks on behalf of service consumers is an essential part of every service.
Service
A means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.


Every service removes some risks from the service consumer, but also imposes other risks on the service consumer. The service provider must understand and manage these risks in a controlled manner. The balance between the risks removed and the risks imposed is part of the value proposition of the service.


The risk management practice provides the organization with the resources needed to identify and manage risks efficiently and effectively across all four dimensions of service management.
2.2      Terms and concepts
2.2.1      Risk


Risk
A possible event that could cause harm or loss, or make it more difficult to achieve objectives. It can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive as well as negative outcomes.


Risk is usually avoided because of its association with threats. Although this is generally true, risk is also associated with opportunity.

Any uncertain outcome is a risk. When the risk is negative, the uncertain outcome would result in harm or loss. But when the risk is positive, the uncertain outcome would bring benefits to one or more stakeholders. For example, an organization may invest in a new service in the expectation that it will attract customers and generate revenue. However, a positive outcome is not guaranteed; instead the outcome is uncertain, that is, a risk. Positive risks are sometimes called opportunities.


Failing to take an opportunity can be a risk. An organization that does not invest in its services or in developing its customer relationships will not retain its market position. The environment in which organizations operate is constantly evolving, and failing to evolve can pose a risk to the organization.


2.2.2      Risk capacity
Risk capacity is defined by the organization's governance. Risk management activities must ensure that risks remain below the risk capacity.
If the level of risk in the organization is too high, it could have a major impact on the organization's ability to continue operating. The organization's risk capacity is the maximum amount of risk the organization can tolerate, and is often based on factors such as damage to reputation, assets, and so on.


2.2.3      Risk appetite
Risk appetite is defined by the organization's governance and is used to facilitate decision-making and risk management activities.
Some organizations choose to take significant risks to make significant gains. Others prefer to take few risks, but this also reduces their opportunities. The organization's risk appetite is the amount of risk the organization is willing to accept. It should always be less than the organization's risk capacity.


2.2.4      Risk register
It is important to keep a record of identified risks that documents each risk's current status and history. This record is known as the risk register. Each entry in the risk register shows the history and status of a single risk. Typically it will include the following information (although this may vary depending on the organization's needs):
●      unique ID
●      category (grouping similar types of risk)
●      description
●      probability
●      impact
●      overall rating or score
●      owner
●      treatment
●      updated rating or score after treatment (residual risk)
●      action date(s).




An organization may have more than one risk register, depending on the organization's size and structure and on the number and types of risks being managed.


2.2.5      Risk owner
The risk owner may not be responsible for the actions needed to manage the risk, but they must ensure that these actions are appropriate and that they are actually taken.
Every risk must have an assigned owner who is accountable for ensuring that the risk has been understood and appropriately managed. The risk owner should be assigned as soon as the risk has been identified, and should be recorded in the risk register.


2.2.6      Risk treatment
Sometimes a risk can be eliminated, but this is unusual. Once the probability and impact of the risk are understood, the risk owner must agree a suitable way to treat the risk. The actions that can be taken to treat a risk are shown in Table 2.1.


Table 2.1 Risk treatment options

Risk avoidance
      Description: Prevent the risk by not performing the risky activity
      Example: Avoid the risk of an investment failing to deliver the expected value by rejecting the business case proposing the investment

Risk modification (or risk reduction)
      Description: Implement controls to reduce the likelihood or impact of the risk
      Example: Encrypt sensitive information when it is transmitted over the network, to reduce the likelihood of it being intercepted

Risk sharing
      Description: Reduce the impact by passing some of the risk to a third party
      Example: Take out insurance against fire or against a cyber attack

Risk retention (or risk acceptance)
      Description: Intentionally decide to accept the risk because it is below an acceptable threshold (and within the organization's risk appetite)
      Example: Accept the risk of an investment failing to deliver the expected value by accepting the business case proposing the investment


When dealing with positive risks (opportunities), the terms are usually expressed slightly differently. Risk avoidance becomes risk exploitation and risk reduction becomes risk enhancement. However, the term risk modification covers both positive and negative risks.

2.2.7      Control




Control
The means of managing a risk, ensuring that a business objective is achieved, or that a process is followed.
Risk modification requires the implementation of controls to reduce the likelihood or impact of a risk.


A control can be based on technology, for example a firewall or a resilient network configuration, but it can also relate to any of the other dimensions of service management. Some examples of controls for each dimension are shown in Table 2.2.


Table 2.2 Example controls

Organizations and people
      ●      Clear desk policy
      ●      Security awareness training

Information and technology
      ●      Network firewall
      ●      Audit records

Suppliers and partners
      ●      Contractual requirements for the supplier to be certified to a quality management system standard
      ●      Regular audit of supplier activities

Value streams and processes
      ●      Evaluation of changes before deployment
      ●      Reference checks during employee recruitment


2.2.8      Residual risk
Risk treatment usually does not eliminate a risk completely. Therefore, after controls have been applied, a new risk assessment must be performed. This is to understand the new likelihood and impact and then calculate the residual risk. The organization can then choose to apply further controls to reduce the risk further. Alternatively, the organization can accept the residual risk, which should be recorded in the risk register and communicated to interested stakeholders in the same way as any other retained risk.






Risk management is performed at all levels of the organization. Strategic risk management considers long-term risks that may impact the ability of the organization to perform its mission. Programme and project risk management considers risks that may affect medium-term goals and objectives. Operational risk management is focused on short-term goals and objectives. Risk management at each of these levels must be based on direction from the governors of the organization.


The ITIL definition of a service specifically identifies that managing risks on behalf of service consumers is an essential part of every service.
Service
A means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.




Every service removes some risks from the service consumer, but also imposes additional risks on the service consumer. The service provider must understand and manage these risks in a controlled manner. The balance between the risks removed and the risks imposed, is part of the value proposition of the service.


The risk management practice provides an organization with the resources required to identify and manage risks efficiently and effectively, across all four dimensions of service management.
2.2      TERMS AND CONCEPTS      
2.2.1      Risk


Risk
A possible event that could cause harm or loss, or make it more difficult to achieve objectives. Can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.




Risk is normally avoided because of its association with threats. Although this is generally true, risk is also associated with opportunity.

Any uncertain outcome is a risk. When the risk is negative the uncertain outcome would result in harm or loss. Yet, when the risk is positive the uncertain outcome would result in benefits to one or more stakeholders. For example, an organization may invest in a new service, in the expectation that it will attract customers and generate revenue. However, a positive outcome is not guaranteed, instead the outcome is uncertain or a risk. Positive risks are sometimes called opportunities.


The failure to take opportunities can be a risk. An organization that does not invest in its services or in developing its customer relationships will not retain its market position. The environment in which organizations operate is constantly evolving, and the failure to evolve can pose a risk to the organization.


2.2.2      Risk capacity
Risk capacity is defined by the governance of the organization. Risk management activities must ensure that risks remain below the risk capacity.


If the level of risk in an organization is too high, then this could have a major impact on the organization’s ability to continue operating. The risk capacity of an organization is the maximum amount of risk that the organization can tolerate and is often based on factors such as damage to reputation, assets, and so on.


2.2.3      Risk appetite
Risk appetite is defined by the governance of the organization and is used to facilitate decision-making and risk management activities.


Some organizations choose to take significant risks to make significant gains. Other organizations prefer to take few risks, but this also reduces their opportunities. The risk appetite of an organization is the amount of risk that the organization is willing to accept. This should always be less than the risk capacity of the organization.


2.2.4      Risk register
It is important to keep a record of identified risks, that records the risk’s current status and history. This record is known as a risk register. Each entry in the risk register shows the history and status of a single risk. Typically, this will include the following information (but this can vary depending on the needs of the organization):
●      unique ID
●      category (to group similar types of risk)
●      description
●      probability
●      impact
●      overall rating or score
●      owner
●      treatment
●      updated rating or score after treatment (residual risk)
●      action date(s).




An organization may have more than one risk register depending on the size and structure of the organization, and the number and types of risks that are being managed.



2.2.5      Risk owner
The risk owner may not be responsible for the actions needed to manage the risk, but they must ensure that these actions are appropriate and that they are actually taken.
Every risk must have an assigned owner who is accountable for ensuring that the risk has been understood and appropriately managed. The risk owner should be assigned as soon as the risk has been identified and should be documented in the risk register.


2.2.6      Risk treatment
Sometimes it is possible to eliminate a risk, but this is unusual. After the probability and the impact of the risk have been understood, the risk owner must agree on a suitable way to treat the risk. Actions that can be taken to treat a risk are shown in Table 2.1.


Table 2.1 Risk treatment options

Risk avoidance
      Description: Prevent the risk by not performing the risky activity
      Example: Avoid the risk of an investment failing to deliver the expected value, by rejecting the business case proposing the investment

Risk modification (or risk reduction)
      Description: Implement controls to reduce the likelihood or impact of the risk
      Example: Encrypt sensitive information when it is transmitted on the network to reduce the likelihood of it being intercepted

Risk sharing
      Description: Reduce the impact by passing some of the risk to a third party
      Example: Take out insurance against fire, or against a cyber attack

Risk retention (or risk acceptance)
      Description: Intentionally decide to accept the risk because it is below an acceptable threshold (and within the risk appetite of the organization)
      Example: Accept the risk of an investment failing to deliver the expected value, by accepting the business case proposing the investment


When dealing with positive risks (opportunities), the terms are usually expressed slightly differently. Risk avoidance becomes risk exploitation and risk reduction becomes risk enhancement. However, the term risk modification covers both positive and negative risks.

2.2.7      Control




Control
The means of managing a risk, ensuring that a business objective is achieved, or that a process is followed.
Risk modification requires implementation of controls to reduce the likelihood or impact of a risk.


A control can be based on technology, for example a firewall or a resilient network configuration, but it can also be related to any of the other dimensions of service management. Some examples of controls for each dimension are shown in Table 2.2.


Table 2.2 Example controls

Organizations and people
      ●      Clear desk policy
      ●      Security awareness training

Information and technology
      ●      Network firewall
      ●      Audit records

Suppliers and partners
      ●      Contractual requirements for the supplier to be certified to a quality management system standard
      ●      Regular audit of supplier activities

Value streams and processes
      ●      Evaluation of changes before deployment
      ●      Reference checks during employee recruitment


2.2.8      Residual risk
Risk treatment does not usually eliminate a risk completely. Therefore, after the application of controls, it is necessary to perform a new risk assessment. This is to understand the new likelihood and impact and to then calculate the residual risk. The organization could then choose to apply more controls to further reduce the risk. Alternatively, the organization could accept the residual risk which should be documented in the risk register and communicated to the interested stakeholders, in the same way as any other retained risk.




Statement:
This document was produced by Changhe (WeChat: achotsao) by initial editing of a machine translation; the detailed translation work is being carried out by the ITIL expert team organized by the ITIL Training Base and is expected to be completed before the end of 2020. To download the final translation, follow the WeChat official account ITILXF, or visit www.ITIL4hub.cn or ITIL-foundation.cn.


The ITIL Training Base expert team has only carried out the language conversion of these works; we do not hold any copyright in the original works or in the Chinese release files. All copyright is held by Axelos, and readers must fully comply with all copyright requirements stated by Axelos and TSO when using these files (including the Chinese translations).
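As an added example (not part of the ITIL text or of this post), the following Python model ties together the risk register fields of section 2.2.4, the owner assignment of 2.2.5, the treatment options of Table 2.1 and the residual-risk re-assessment of 2.2.8, and enforces the rule from 2.2.2 and 2.2.3 that the risk appetite stays below the risk capacity. The 1-to-5 rating scale, the product score and the additive total exposure are assumptions, not part of the practice text.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Rating scale (an assumption, not from the ITIL text): probability and impact are
# each rated 1 (low) to 5 (high), and the overall score is their product, 1 to 25.

@dataclass
class RiskEntry:                      # one register entry, fields from section 2.2.4
    risk_id: str
    category: str
    description: str
    probability: int
    impact: int
    owner: str                        # assigned as soon as the risk is identified (2.2.5)
    treatment: str = "untreated"      # a Table 2.1 option once the owner has agreed one
    residual: tuple | None = None     # (probability, impact) re-assessed after treatment
    history: list = field(default_factory=list)

    def score(self) -> int:
        return self.probability * self.impact

    def residual_score(self) -> int:
        # Until a treatment has been assessed, the residual risk equals the inherent risk.
        return self.score() if self.residual is None else self.residual[0] * self.residual[1]


class RiskRegister:
    def __init__(self, appetite: int, capacity: int):
        if not 0 < appetite < capacity:   # 2.2.3: appetite is always below capacity
            raise ValueError("risk appetite must be below risk capacity")
        self.appetite, self.capacity = appetite, capacity
        self.entries: dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        entry.history.append(f"identified: score {entry.score()}, owner {entry.owner}")
        self.entries[entry.risk_id] = entry

    def treat(self, risk_id: str, treatment: str, probability: int, impact: int) -> int:
        # Record the agreed treatment, then re-assess likelihood and impact (2.2.8).
        e = self.entries[risk_id]
        e.treatment, e.residual = treatment, (probability, impact)
        e.history.append(f"{treatment}: residual score {e.residual_score()}")
        return e.residual_score()

    def above_appetite(self) -> list[str]:
        # Residual risks above the appetite need further controls before being retained.
        return [i for i, e in self.entries.items() if e.residual_score() > self.appetite]

    def exceeds_capacity(self) -> bool:
        # 2.2.2: total residual exposure (assumed additive) must stay below the capacity.
        return sum(e.residual_score() for e in self.entries.values()) >= self.capacity
```

Each entry keeps both the inherent and the post-treatment assessment in its history, which is what lets a reviewer see why a retained risk was judged acceptable.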
















OFGFE posted on 2020-10-23 08:59:18

Thanks for sharing

W尢Z乄厶Z丩i posted on 2022-2-26 22:26:34

Not enough points