
Risk Management within the IT-Service Lifecycle

Title: Risk Management within the IT-Service Lifecycle

Bachelor's thesis, 2014, 66 pages, grade: 2.0

Author: Jan Kussowski

Computer Science - Business Informatics

Risk Management for IT-Service Lifecycle Management is not always performed in a transparent, repeatable and consistent way. As a consequence, its potential as a key element of successful decision making is not fully utilized.

This thesis considers applied standards, models and practices in IT-Service Management to establish a methodology that enables improvement of Risk Management within the IT-Service Lifecycle. The developed methodology determines the stages in the Lifecycle where risk assessments should be performed. It also defines the required information and its sources.

Because it is based on processes that already exist within a service-providing organization, this methodology can easily be applied to improve service quality.

Motivation:

Since one major business sector of Merck is the production of pharmaceutical products, the organization is subject to very strict regulations for the development and production of its life science products, and the business-supporting IT-Services are therefore subject to strong IT-Governance. This IT-Governance, as part of the corporate governance, strongly influences how IT-Services are operated and carried out over their whole lifecycle. In addition, business processes and the management of risks are highly important factors. The provided IT-Services have to be on track with the business needs of the respective customers. To ensure this alignment, strategic decisions need to be based on relevant information. To improve this decision-making process, various types of information on IT-Services are needed.

The author’s professional background served as a foundation for addressing this corporate need of Merck. Having obtained basic knowledge on IT-Services, related organizations and processes, the author took this opportunity to pursue his growing interest within this field of research.

Excerpt


Table of Contents

1 Introduction

2 The Service Lifecycle

2.1 Lifecycle concepts

2.2 ITIL Service Lifecycle

2.3 Merck IT-Service Lifecycle

3 Management of Risk

3.1 Definition of Risk

3.2 Risk Management principles

3.3 Risk Management process

3.4 Risk Management relevant process roles

4 Risk Priorities

4.1 Legal and regulatory Risk Priorities

4.1.1 Qualification

4.1.2 Validation

4.2 Project Initiation Risk Priorities

4.3 Risk Priorities derived from ITIL

4.3.1 Service Provider Risks

4.3.2 Contract Risks

4.3.3 Design Risks

4.3.4 Operational Risks

5 Risk Management Methods

5.1 Determination of Risk Priorities

5.2 Risk Tolerance for IT-Services

5.3 Risk Review Checkpoints

5.3.1 Phase Transitions

5.3.2 Major Events (Releases, Changes and Incidents)

5.3.3 Regular Risk Assessment

5.3.4 Legal or regulatory Changes

5.4 Risk Priority Checkpoints

5.4.1 Phase Transitions:

5.4.2 Major Events (Releases, Changes and Incidents)

5.4.3 Regular Service Review

5.4.4 Legal or regulatory Changes

6 Management of Risk Priority Checkpoints

6.1 Risk Treatment

6.2 Risk Communication

7 Visualization for Service Review

8 Results

9 Conclusion

Objectives and Topics

This thesis aims to develop a methodology for integrating Risk Management into the IT-Service Lifecycle to enable risk-based decision-making. By leveraging existing ITIL processes and organizational structures, the study provides a practical approach for identifying and addressing risks from project initiation through service decommissioning, specifically tailored to the needs of the Information Services department at Merck.

  • Integration of Risk Management into the IT-Service Lifecycle.
  • Application of ITIL and ISO 31000 standards in a practical business environment.
  • Identification of risk priorities based on specific ITIL process inputs and regulatory requirements (e.g., GxP).
  • Proposal of a visualization method for service review to support decision-making.
  • Development of specific risk-based checkpoints across the service lifecycle.

Excerpt from the Book

3.1 Definition of Risk

According to ISO Guide 73 for Risk Management, a risk is an effect of uncertainty on objectives. This definition relies directly on the business strategy, which sets strategic objectives for measurable business success. Though the effect may be positive, negative or a deviation from the expected, it is often described by an event, a change in circumstances or a consequence (ISO, 2009b). As described in chapter 2, alignment between business strategy and IT strategy is very important for business success. Therefore Risk Management for IT is highly dependent on overall enterprise Risk Management principles and processes. ISACA (Information Systems Audit and Control Association) equates IT risk with business risk, specifically the business risks associated with the use, ownership, operation, involvement, influence and adoption of IT within the enterprise (ISACA, 2009). This requires risks to be detected or recognized by the businesses even if the majority of them might not have a cost effective factor. It is important that risks resulting from the use of IT are treated as if they have a direct impact on the businesses' ability to achieve the strategic objectives. Decisions about risk need to be considered so that the potential benefits are worth more than carrying out the risk treatment (OGC, 2010). Risk Management is also increasingly important in conjunction with IT-Governance: first because the dependence on IT systems and services is growing, and second because of the increasing legal and regulatory requirements (Fröhlich et al., 2007).

Summary of Chapters

1 Introduction: Provides an overview of the importance of Risk Management in the IT-Service Lifecycle and outlines the thesis's goal to create an applicable methodology for risk-based decision-making.

2 The Service Lifecycle: Discusses the origins and concepts of lifecycle models, detailing the ITIL framework and the specific IT-Service Lifecycle processes used at Merck.

3 Management of Risk: Defines risk and explores the principles and processes of Risk Management based on ISO 31000, including key process roles within the organization.

4 Risk Priorities: Analyzes various risk categories, including legal/regulatory requirements, project initiation risks, and ITIL-derived risks, to establish a framework for risk assessment.

5 Risk Management Methods: Details the methodologies for determining risk priorities, setting risk tolerance, and identifying specific review checkpoints throughout the service lifecycle.

6 Management of Risk Priority Checkpoints: Examines strategies for risk treatment and the importance of effective risk communication between decision-makers.

7 Visualization for Service Review: Proposes a portfolio visualization method to demonstrate and compare risk levels across services to assist in management reviews.

8 Results: Evaluates the simplicity and effectiveness of the proposed methodology in improving information exchange and decision-making at Merck.

9 Conclusion: Summarizes the thesis, highlighting that Risk Management is an essential, yet often overlooked, component of IT-Service management that strengthens the basis for organizational decision-making.

Keywords

Risk Management, IT-Services, Service Lifecycle, ITIL, ISO 31000, Risk Assessment, Merck, GxP, IT-Governance, Decision-making, Risk Priorities, Process Management, Service Portfolio, IT-Service Continuity, Quality Assurance

Frequently Asked Questions

What is the core focus of this thesis?

The thesis focuses on integrating a transparent and repeatable Risk Management methodology into the IT-Service Lifecycle to support better strategic and operational decision-making.

What are the primary thematic areas?

The work covers IT-Service Lifecycle management (specifically ITIL), Risk Management standards (ISO 31000), regulatory compliance (GxP), and practical risk assessment strategies within an IT-service-providing organization.

What is the primary objective or research question?

The primary goal is to establish a methodology that determines when IT-service organizations should assess risks and upon what informational input these assessments should be based.

Which scientific methods are employed?

The author analyzes existing industry standards (ITIL, ISO 31000, ISACA) and compares them with current processes at Merck to build a practical, integrated risk assessment model.

What is addressed in the main body?

The main body details the IT-Service Lifecycle, defines key risk management principles, identifies specific risk priorities (legal, project-based, and ITIL-derived), and establishes actionable risk checkpoints and visualization techniques.

Which keywords characterize the work?

Key terms include Risk Management, IT-Services, Service Lifecycle, ITIL, ISO 31000, GxP, and IT-Governance.

How does this document help a service owner at Merck?

It provides service owners with clear checkpoints for risk assessment and a portfolio visualization method to track the risk level history of their services, enabling more informed decision-making.

What role does GxP play in the proposed methodology?

GxP requirements are treated as critical regulatory constraints; the methodology ensures that any deviations from these standards are identified as high-priority risks, necessitating strict qualification and validation procedures.

Why is the "Plan-Do-Check-Act" (PDCA) cycle mentioned?

The PDCA cycle is used to align the service portfolio activities with broader quality management standards, ensuring that services are continually improved based on objective measurements.

End of excerpt from 66 pages

Details

Title: Risk Management within the IT-Service Lifecycle
University: Fachhochschule Brandenburg (Fachbereich Wirtschaft)
Grade: 2.0
Author: Jan Kussowski
Year of publication: 2014
Pages: 66
Catalogue number: V299681
ISBN (eBook): 9783656961024
ISBN (book): 9783656961031
Language: English
Keywords: Risk Management IT-Services Service Lifecycle Management ITIL ISO
Product safety: GRIN Publishing GmbH
Cite this work: Jan Kussowski (author), 2014, Risk Management within the IT-Service Lifecycle, München, GRIN Verlag, https://www.grin.com/document/299681