Risk is a possible event that could cause harm or losses, or create obstacles to achieving your objectives. Risk may also be defined as the uncertainty of an outcome, which can be used to estimate the probability of a positive or negative outcome. The risk level associated with a change request or other ITSM entity is evaluated using the risk matrix in the ITSM application.

The risk matrix is a tool for a qualitative evaluation of associated risks that depends on the following parameters:

  • Impact – the potential effect that the risk may have on the business user, service, or CI. The options are Low, Medium, High, or Very High.
  • Probability – the probability of the risk associated with the change taking place. The options are High or Low.
  • Business criticality – the metric specifies how critical a disruption of this service can be for the business. The options are High or Low.

Using the risk matrix allows you to approach changes more efficiently. Use the following strategies to avoid or modify the risks:

  • Decline the change.
  • Remove the risk source.
  • Change the probability of the negative event.
  • Change the possible consequences.
  • Share the risk with other parties (including contracts and risk financing).
  • Retain the risk by informed decision.

If you intend to proceed with a high-risk change, it is recommended to increase the number of approvals required for the change request or another ITSM entity and create an in-depth plan of the change.

Risk metrics for Business Criticality = Low

| Probability / Impact | Low | Medium | High | Very High |
|---|---|---|---|---|
| Low | Low | Low | Medium | High |
| High | Medium | Medium | High | High |

 
Risk metrics for Business Criticality = High

| Probability / Impact | Low | Medium | High | Very High |
|---|---|---|---|---|
| Low | Low | Medium | High | High |
| High | High | High | High | Very High |

Extend the risk matrix

Add new impact, probability, and business criticality options


The "out-of-the-box" solution has a risk matrix with standard settings, but you can customize it based on your business tasks and priorities. First, add more impact, probability, or business criticality options.

To add a new impact, probability or business criticality option, complete the following steps:

  1. Open any record that has the Impact, Probability, and Business criticality fields.
  2. Right-click the title of the field you need and, in the context menu that appears, select Configure field.
  3. In the Related Lists area, select the Choice tab.
  4. Click New and fill in the fields.
  5. Click Save or Save and exit to apply the changes.

See the Choice Fields article to learn how to create choice options.

In the Value field, enter a value that is relevant to the impact, probability, or business criticality option you are adding.

For example, the High option of Impact has a value of 3. If you add a Very high option for Impact that is higher than High, set the value to 4.

If you add the Medium option for Impact that is lower than High, set the value to 2.

After you have added a new impact, probability, or business criticality option, perform the same steps for the Risk Matrix (itsm_dl_change_risk) table. 

Add new risk combinations


After adding new choice options, extend the risk matrix. To do so, complete the following steps:

  1. Navigate to Data Matching Definition → Risk Matrix.
  2. Click New and fill in the fields.
  3. Click Save or Save and exit to apply the changes.

Risk Matrix form fields

| Field | Mandatory | Description |
|---|---|---|
| Impact | N | The impact value you plan to use in the new risk value. |
| Risk | N | The risk value that is calculated based on the impact, probability, and business criticality. |
| Probability | N | The probability value you plan to use in the new risk value. |
| Business criticality | N | The business criticality value you plan to use in the new risk value. |
| Order | N | The Order field is temporarily out of service – our team is working on restoring its functionality. We will inform you about the changes in one of our next releases. |
| Script | N | The Script field is temporarily out of service – our team is working on restoring its functionality. We will inform you about the changes in one of our next releases. |

Repeat these steps until your risk matrix covers all the possible combinations of the impact, probability and business criticality.
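
One way to check that coverage offline, as an added example that is not part of the product or its documentation: the script below takes the risk values from the two tables on this page, lists every combination that has no Risk Matrix record, and flags records whose risk drops as impact rises. The "Medium" probability option, the function names, and the representation of records as plain objects are assumptions made for illustration.

```javascript
const IMPACTS = ["Low", "Medium", "High", "Very High"]; // ordered lowest first
const RISKS = ["Low", "Medium", "High", "Very High"];   // ordered lowest first

// Risk values copied from the two tables on this page:
// PAGE_MATRIX[businessCriticality][probability] = risks for IMPACTS, in order.
const PAGE_MATRIX = {
  Low:  { Low: ["Low", "Low", "Medium", "High"],  High: ["Medium", "Medium", "High", "High"] },
  High: { Low: ["Low", "Medium", "High", "High"], High: ["High", "High", "High", "Very High"] },
};

// Flatten the nested tables into one record per combination.
function toRecords(matrix) {
  const out = [];
  for (const [criticality, byProb] of Object.entries(matrix))
    for (const [probability, risks] of Object.entries(byProb))
      risks.forEach((risk, i) => out.push({ criticality, probability, impact: IMPACTS[i], risk }));
  return out;
}

const keyOf = (r) => [r.criticality, r.probability, r.impact].join("|");

// Every criticality x probability x impact combination that has no record.
function findMissing(records, criticalities, probabilities, impacts) {
  const have = new Set(records.map(keyOf));
  const missing = [];
  for (const criticality of criticalities)
    for (const probability of probabilities)
      for (const impact of impacts) {
        const combo = { criticality, probability, impact };
        if (!have.has(keyOf(combo))) missing.push(combo);
      }
  return missing;
}

// Records whose risk is lower than the risk at the next-lower impact
// with the same criticality and probability (a likely data-entry slip).
function findRiskDrops(records, impacts) {
  const byKey = new Map(records.map((r) => [keyOf(r), r]));
  return records.filter((r) => {
    const i = impacts.indexOf(r.impact);
    const prev = i > 0 && byKey.get(keyOf({ ...r, impact: impacts[i - 1] }));
    return prev && RISKS.indexOf(r.risk) < RISKS.indexOf(prev.risk);
  });
}

// Constructed scenario: a "Medium" probability choice exists, but no matrix records use it yet.
const records = toRecords(PAGE_MATRIX);
const gaps = findMissing(records, ["Low", "High"], ["Low", "Medium", "High"], IMPACTS);
console.log(`${records.length} records, ${gaps.length} combinations missing`);
```

Each entry in `gaps` is a combination for which a new Risk Matrix record still has to be created.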
