In another article, I spoke of vision management and risk management as the two pillars upon which organizations reside. As I have already spoken about vision, let’s take a minute to examine risk in the context of service management in a little more detail.
Risk, or uncertainty of results, is at the heart of every management activity. If things worked simply, reliably and predictably, our management efforts could focus much more on vision. But even the best services are only 99.9999% sure. That means in a world with 500 million tweets per day, 500 will be in error; with 1 million disks in a global search provider’s infrastructure, several hundred will be down—at best! We find ourselves in the position of the CEO who said, “20% of our marketing efforts are effective; if only I knew which 20%!”
The general approach to managing risk is to identify a framework for all risk management activities. This high-level framework is then applied to various categories of risk. In this way, the governance function of an organization has a ready means for determining if the various types of risks in those categories are being handled appropriately. In addition, the framework allows the organization to express in concrete terms its levels of tolerance for risk. Risk tolerance is then applied in each discipline used for risk management.
Several dozen disciplines have been identified in various frameworks as the core of managing services. In the following table, the principal entities at risk that are managed using the discipline, the key risks to those entities, and several examples of strategies used to control those risks are described. Insofar as the subject matter of this table is the entirety of service management, it cannot possibly be complete. I hope, however, to provide an overview of the main features of risk control in service management.
Here is an illustration of how the table might be used. Availability management is a discipline concerned with risks in the reliability, maintainability and serviceability of service systems and their components, and consequently the services delivered using those service systems. Reliability of a component, for example, is at risk because we can never be sure when that component will cease to function as required. For example, service management would be quite simple if we knew for a fact that a computer would function for precisely three years, then fail. But this is not the case. Instead, there is a certain distribution of probability that it will fail at any given moment. If we knew that a computer would fail in three years, then our control strategy would either be replacement of that computer just before failure, or perhaps some maintenance program. But, since there is a significant possibility that it will fail at any time from its first installation on, we look to other strategies to control that risk. These strategies, such as redundant architectures, would serve to mask the effects of the failure.
Each entity has its particular risks and those risks each have their own types of control strategies. As mentioned, there is hardly any limit to the applicable strategies, so the table provides only several typical strategies for each risk.
Discipline | Entity Managed | Risk | Examples of Control Strategies |
---|---|---|---|
Access Management | Service access | Gap between authorized access and actual access to services | Access logging, automated granting and revoking of access |
Access Management | Data access | Gap between authorized access and actual access to data | Access logging, automated granting and revoking of access |
Access Management | Computer access | Gap between authorized access and actual access to computers | Access logging, automated granting and revoking of access |
Access Management | Application access | Gap between authorized access and actual access to applications | Access logging, automated granting and revoking of access |
Availability Management | Serviceability | Serviceability of systems and components | Contracts, training, tests |
Availability Management | Reliability | Reliability of systems and components | System modeling, redundant architecture, training, agreed specifications, tests |
Availability Management | Maintainability | Maintainability of systems and components | Agreed specifications, standards, defined procedures, training, tests |
Capacity Management | Performance | Understanding the relationship of service demand to service levels | Common and special cause analysis |
Capacity Management | Loads | Predicting future loads | Common and special cause analysis |
Capacity Management | Funding | Funding capacity appropriately | Capacity planning |
Catalogue Management | Customer expectations | Mismatch between customer expectations and customer perception of services | Catalogue publication, integration of catalogue data in ordering systems |
Change Management | Resources | Misallocating resources to changes | Prioritization |
Change Management | Changes | Performing changes slower than required | Modeling, process simplification |
Change Management | Changes | Causing disruption or incidents as a result of changes | Impact analysis, calendaring, mitigation plans |
Configuration Management | Systems | Inaccurate or unavailable information about systems resulting in inappropriate or untimely management decisions | Control process, verification and audit, modeling |
Configuration Management | Components | Inaccurate or unavailable information about components resulting in inappropriate or untimely management decisions | Control process, verification and audit, modeling |
Continuity Management | Catastrophes | Potential for loss of the means of production of a service | Business impact analysis, customer continuity plans, etc. |
Customer Relationship Management | Customer satisfaction | Gap between the intentions of the service provider and the satisfaction of the service consumer | Satisfaction surveys, complaint handling, performance reviews |
Customer Relationship Management | Customer expectations | Gap between the service provider’s intended service utility and warranty and the expectations of the customer regarding utility, warranty and risk | Sales visits, performance reviews |
Demand Management | Demand for services | Gap between expected demand for services and actual demand for services | Customer Relationship Management, analysis of economic cycles, analysis of business news |
Deployment Management | Application installations | Untimely installation | Automation of package distribution and installation; application streaming; thin client architecture |
Deployment Management | Application installations | Disruption of users | Pull installations (see also Untimely installation) |
Deployment Management | Application installations | Inconsistent installations | Packaging, automation |
Event Management | Event | Failure to recognize the significance of events | Correlation, rule-based event analysis |
Financial Management | Supplier and customer payments | Payment defaults and inaccuracies | Contract management, automation, aging analysis |
Financial Management | Resources | Misallocation of financial resources | Budgeting, reforecasting |
Financial Management | Invoicing | Invoice timeliness and inaccuracies | Contract management, automation |
Financial Management | Funding | Treasury shortfalls | Budgeting, reforecasting, loans |
Improvement Management | Service systems | Mismatch between evolving service provider capabilities and evolving customer expectations | Kanban, lean methods |
Incident Management | Priorities | Failure to align incident resolution priorities with customer priorities | Impact analysis |
Information Security Management | User authenticity | Uncertainty that the declared identity of a user is the same as the real identity of the user | Analysis of use patterns, technical access controls |
Information Security Management | Information repudiation | Uncertainty in roles played in the creation, modification or deletion of information | User authenticity controls |
Information Security Management | Information integrity | Information full or partial corruption | Transactional systems |
Information Security Management | Information confidentiality | Information visible to unauthorized persons | Access management |
Information Security Management | Information availability | Information not available when required (or available when not required) | Various technical, procedural and organizational controls |
Knowledge Management | Knowledge items | Timeliness, availability and accuracy of knowledge items | Automation, systems integration |
Problem Management | Resources | Allocation of resources to non-value adding activities (for resolving incidents) | Impact analysis, cause analysis, solution ROI analysis |
Problem Management | Improvements | Failing to identify the most cost-effective improvements | ROI analysis |
Problem Management | Causes | Failure to identify causes by using intuition or impressions, rather than analysis | Procedures; structured and semi-structured analysis methods |
Release Management | Release scope | Scoping releases appropriately | Release policies, agile development and projects, kanban |
Service Demand Management | Service demands | Mismatch between customer entitlement and fulfillment and between service act value and customer expectations | Automation, self-service |
Service Design | Strategies | Failure to take strategies into account in service designs | Communications plans, stakeholder involvement in design activities |
Service Design | Service system | Mismatch between service system structure or dynamics and customer requirements | Testing management, agile and lean approaches, user story management |
Service Level Management | Service agreements | Gap between customer expectations and both service agreements and service system capabilities | Tuning of agreements |
Service Level Management | Service acts | Gap between customer expectations and agreements and service acts | Customer relationship management |
Service Portfolio Management | Resources | Alignment of resource allocation to strategies | Demand management |
Strategy Generation | Vision and mission | Failure to energize and motivate stakeholders | I guess top management just needs to be in contact with, understand and respect all members of the organization; otherwise, you can fire anyone who does not toe the line. ;) |
Strategy Generation | Service system patterns | Mismatch between strategies and capabilities, mismatch between strategies and customer expectations | Business Relationship Management, capabilities assessments |
Strategy Generation | Market positioning | Mispositioning of provider organization with respect to its competition | Game theory |
Strategy Generation | Development plans | Mismatch between the plan and the capabilities of the organization | Critical success factor analysis |
Supplier Management | Suppliers | Gap between supplier contracts and supplier capabilities | Redundant suppliers, short-term contracts, long-term contracts, analysis of supplier health |
Test Management | Service systems | Creating solutions that do not meet requirements | Test plans, acceptance criteria, test automation |