Monday, October 12, 2009

Which ITIL processes include risk analysis and management activities?

There is often disagreement amongst the ITIL students (and also between ITIL trainers and practitioners) as to which ITIL processes include risk analysis and management activities. Of course, processes like Security Management, Change Management, Release & Deployment Management, Availability Management, Supplier Management and IT Service Continuity Management obviously include risk analysis and management activities. In some cases, they are explicitly mentioned in the ITIL books.

What about other ITIL processes? These may not be so obvious. How do we answer such questions (samples below) if they should appear in ITIL examinations?

Q1. Which of the following processes should include risk analysis and management activities?

  1. IT Service Continuity Management
  2. Information Security Management
  3. Incident Management
  4. Change Management

a. 1, 2 and 4

b. 3 and 4

c. 1 and 2

d. All of the above

Most of us would have selected (a) as the answer and I think this is probably the “best” or “obvious” answer. However, one could argue that Incident Management would include “risk analysis and management activities”. For example, if there are two workarounds or potential solutions that could be used, Incident Management (or Service Desk staff) would have to analyse and consider which workaround or solution could potentially be more risky to use when restoring service. The question specifies “should include”. Hmm…, so maybe (d) is the correct answer.

Q2. Which of these processes includes a need to carry out Risk Analysis and Management?

  1. IT Service Continuity Management
  2. Information Security Management
  3. Service Level Management

a) All of the above

b) 1 and 3 only

c) 2 and 3 only

d) 1 and 2 only

Again, most (including myself) would have answered (d) since Service Level Management (SLM) does not have a direct need to perform risk analysis. But one could say that SLM would have to consider risks and uncertainty of outcomes during drafting and negotiation of SLAs. For example, SLM would need to consider the risks that Service Level requirements could not be met and hence should not be committed to. However, one could also say that such activities could be delegated to the other processes like Availability Management, Capacity Management, Security Management, Supplier Management and IT Service Continuity Management.

So, should the answer be (a) or (d) in the questions above?

In general, I think that any Process that includes some form of “PLANNING” or "ANALYSIS" as an activity ought to have included some form of risk analysis and management since we need to take into account the uncertainty of outcome and hence risk when doing any form of planning and analysis. 

Which answers you pick in the ITIL examination would depend on how you interpret the question asked and whether you think this is a straightforward question or a question to test your deeper understanding.

Perhaps such examination questions should have been better worded (or avoided) to reduce the risk that students may have doubts about what the examiner is looking for.

1 comment:

ITIL change management said...

sound like an exam.... nice posting thanks for this...
