I often get asked why there is no risk management process in ISO20000-1 and yet there are many requirements about risk. Basically, without risk management it is not possible to be conformant with ISO20000-1.
Why there is no risk management process
When designing a standard, it is necessary to consider the reality of most organizations and also to consider other standards. Most organizations have a risk management approach – perhaps it is used in project management, information security management or corporate governance.
It is not necessary to have a risk management process that is specific to service management – it simply needs to be applied to service management and the services.
The risk management approach can be a very simple spreadsheet or a complex tool. This will depend on the size, complexity and requirement for risk management in your organization.
There is a standard about risk management – ISO31000. This is referred to from ISO20000-1.
Risk is defined as:
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
One other term uses risk in the definition:
3.28 service continuity
capability to manage risks and events that could have serious impact on services in order to continually deliver services at agreed levels
What are the requirements for risk in ISO20000-1?
The key requirements for risk are:
4.1.1 Top management is responsible for ‘ensuring that risks to services are assessed and managed’
4.5.2j The SM plan needs to include ‘approach to be taken for the management of risks and the criteria for accepting risks;’
Further requirements for risk are in:
4.5.3d) to implement and operate the SMS requires ‘identification, assessment and management of risks to the services; ‘
184.108.40.206 The management review must include a review of risks
220.127.116.11 Improvement activities include setting targets for various items including reduction of risk
5.2f) Plan new or changed services incudes ‘identification, assessment and management of risks; ‘
6.3.1 Service continuity and availability management requires ‘The service provider shall assess and document the risks to service continuity and availability of services. The service provider shall identify and agree with the customer and interested parties service continuity and availability requirements. The agreed requirements shall take into consideration applicable business plans, service requirements, SLAs and risks.’
6.6 Information security has requirements based on information security risks. This includes defining the approach for the management of information security risks. This approach can be the same or different from the approach for other risks in the SMS.
9.1 Configuration management has control of CIs based on the ‘the risks associated with the CIs’
9.2 Change management has decision making for RFCs based on many factors including risk.
ISO/IEC 20000-2 provides further guidance on all clauses in part 1.
ISO 31000 provides guidance on risk management.
ISO/IEC 27005 provides guidance on risk management for information security.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda chairs the BSI committee for IT service management (ITSM), sits on various other BSI committees and ISO committees and is the editor of ISO/IEC 20000-1. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1. Lynda is a qualified ISO20000 consultant and ISO27001 lead auditor. Her consultancy activities cover training and consultancy for service management and information security.