Risk Management within the IT-Service Lifecycle

Bachelor Thesis, 2014

66 Pages, Grade: 2,0


Table of Contents

List of Figures

List of Tables

List of Abbreviations



1 Introduction

2 The Service Lifecycle
2.1 Lifecycle concepts
2.2 ITIL Service Lifecycle
2.3 Merck IT-Service Lifecycle

3 Management of Risk
3.1 Definition of Risk
3.2 Risk Management principles
3.3 Risk Management process
3.4 Risk Management relevant process roles

4 Risk Priorities
4.1 Legal and regulatory Risk Priorities
4.1.1 Qualification
4.1.2 Validation
4.2 Project Initiation Risk Priorities
4.3 Risk Priorities derived from ITIL
4.3.1 Service Provider Risks
4.3.2 Contract Risks
4.3.3 Design Risks
4.3.4 Operational Risks

5 Risk Management Methods
5.1 Determination of Risk Priorities
5.2 Risk Tolerance for IT-Services
5.3 Risk Review Checkpoints
5.3.1 Phase Transitions
5.3.2 Major Events (Releases, Changes and Incidents)
5.3.3 Regular Risk Assessment
5.3.4 Legal or regulatory Changes
5.4 Risk Priority Checkpoints
5.4.1 Phase Transitions
5.4.2 Major Events (Releases, Changes and Incidents)
5.4.3 Regular Service Review
5.4.4 Legal or regulatory Changes

6 Management of Risk Priority Checkpoints
6.1 Risk Treatment
6.2 Risk Communication

7 Visualization for Service Review

8 Results

9 Conclusion

List of References

List of Figures

Figure 1 product Lifecycle based on (Matys, 2013)

Figure 2 Value chain of IS organizations and IT resource management based on (Erek, 2012)

Figure 3 Service Lifecycle according to ITIL (Beims, 2012, OGC, 2011c)

Figure 4 process overview for ITIL Service Lifecycle derived from (OGC, 2011c)

Figure 5 Merck IT-Service process overview (Merck 2012)

Figure 6 Business Value Index for Services (BVIS) (Merck 2012)

Figure 7 Service Lifecycle activities (Merck 2012)

Figure 8 Risk Management Process ISO 31000 (Hopkin, 2010)

Figure 9 Risk prioritization(ISPE, 2008)

Figure 10 Phase Transition Risk Review

Figure 11 Major Event Risk Review

Figure 12 Regular Risk Review

Figure 13 Corporate Merck Service Levels (Merck 2013)

Figure 14 Status of Reviewed Services (Merck 2013)

Figure 15 Risk Level Matrix (Merck 2013)

List of Tables

Table 1 Merck service portfolio status in comparison to ITIL Lifecycle Phases

Table 2 Risk Priorities Phase Transition: Initiation Preparation

Table 3 Risk Priorities Phase Transition Preparation Operation

Table 4 Risk Priorities Phase Transition Operation Retirement

Table 5 Risk Priorities Major Releases

Table 6 Risk Priorities Major Changes

Table 7 Risk Priorities Major Incidents

Table 8 Risk Priorities Regular Service Review

Table 9 Risk Priorities legal and regulatory Changes

Table 10 Risk Level Visualization for IT-Services

Table 11 Risk Level Details at specific checkpoints

List of Abbreviations

illustration not visible in this excerpt


Risk Management for IT-Service Lifecycle Management is not always performed in a transparent, repeatable and consistent way. As a consequence, its potential as a key element for successful decision making is not fully utilized.

This thesis considers applied standards, models and practices in IT-Service Management to establish a methodology which enables the improvement of Risk Management within the IT-Service Lifecycle. The developed methodology determines the stages in the Lifecycle at which risk assessments should be performed. It also defines the required information and its sources.

Being based on already existing processes within a service providing organization, this methodology can easily be applied to improve the service quality.

Keywords: Risk Management, IT-Services, Service Lifecycle


Since one major business sector of Merck is the production of pharmaceutical products, the organization is subject to very strict regulations for the development and production of its life science products, and the business-supporting IT-Services are therefore subject to strong IT-Governance. This IT-Governance, as part of the corporate Governance, is highly influential on how IT-Services are operated and carried out over their whole lifecycle. In addition, business processes and the management of risks are highly important factors. The provided IT-Services have to be on track with the business needs of the respective customers. To ensure this alignment, strategic decisions need to be based on relevant information. To improve this decision making process, various types of information on IT-Services are needed.

The author’s professional background served as a foundation for addressing this corporate need of Merck. Having obtained basic knowledge on IT-Services, related organizations and processes, the author took this opportunity to pursue his growing interest within this field of research.

1 Introduction

Risk Management is an important tool to steer and improve IT-Service operations during their lifecycle. This provides an advantage to the service provider as well as the customer. Risk Management already plays an important part in various types of business Key Performance Indicators. For IT-Services which are implemented through a Lifecycle process, an initial risk assessment is carried out, but changes of the risk level within the Lifecycle are very often not measured and addressed.

If the risks during the Lifecycle are recognized, addressed and treated appropriately, the IT-Service management itself and the IT-organization as a whole are able to increase their daily performance and their progress towards strategic goals.

This thesis provides a methodology for integrating Risk Management into the IT-Service Lifecycle, allowing risk-based decisions regarding service quality. This is applicable during the whole Lifecycle, from project initiation through service provisioning until service decommissioning.

Service providing organizations need to know which risks for the customer and for the providing organization could result from the services they offer. Based on the identification and assessment of these risks the organization is able to decide if and in which way it wants to take action. Risk Management should be beneficial for the assessments of services.

To address this topic, various concepts and standards are taken into account. First, process activities, roles and strategic influences on the Service Lifecycle are described. ITIL and industry related standards are taken into account and compared to currently applied processes at Merck’s Information Services department.

To gain an overview of the existing and relevant Risk Management standards, ISO 31000 and the ISACA (Information Systems Audit and Control Association) approach are analyzed. This includes Risk Management principles, the Risk Management process and the Risk Management framework.

Important risks during the IT-Service Lifecycle are identified. The relevant risk priorities are determined by KPIs, CSFs as well as Input and Output of applicable ITIL processes at Merck. Additionally, legal and regulatory requirements which Merck is subject to are taken into account. These priorities are then analyzed to point out which of them are important and when they should be reviewed.

Based on the risks previously determined, certain points within the Lifecycle are chosen at which the applicable priorities are reviewed for each IT-Service. Further recommendations for risk identification, assessment and treatment are presented. As several risks will be assessed throughout the lifecycle, a portfolio visualization for the most important risks is chosen. This gives additional possibilities for comparing and evaluating their potential impact, and provides the respective service owners with useful assistance for making risk-based decisions on their IT-Service.

By reading this thesis the reader obtains an introduction to Service Lifecycle principles and ITIL concepts and processes, as well as Risk Management procedures based on ISO 31000. For this thesis only practical procedures and concepts are taken into account which fit the needs of Merck’s Information Services department. The identified risks and created methods aim to give an extended view on how risks can be assessed and treated in an IT-Service providing environment. This thesis aims to achieve an applicable Risk Management method which serves the business requirements of Merck’s IT-Service department.

2 The Service Lifecycle

When addressing the IT-Service Lifecycle it is important to know the origin of lifecycle models and concepts. In the past, manufactured goods went through a production cycle. As soon as IT was developed, the way goods were produced changed drastically.

While diversification over various economic sectors took place, the perception of IT-products changed accordingly. In a society mostly characterized by the service business sector, this also applies to the production of Information Technology as the combination of hardware, software and business processes.

2.1 Lifecycle concepts

The Lifecycle concept which attempts to describe the lifespan of a product in various stages has its origin in the industrial production (Porter, 1980). Products run through a Lifecycle which can be divided in the phases Introduction, Growth, Maturity and Decline (Matys, 2013).

illustration not visible in this excerpt

Figure 1 Product Lifecycle based on (Matys, 2013)

As the products and processes of a company evolve over time, the supporting IT-Services have to change similarly to maintain the level of business support. Therefore the changes within the Lifecycle need to be addressed by those responsible for the product in the form of management actions. With the development of Computer Integrated Manufacturing (CIM) in the early 1980s, the attempt to steer industrial production processes with Information Technology commenced (Bullinger et al., 2006). Since then the production of goods has become increasingly complex, which created the need for appropriate management tools to support the product Lifecycle in each phase. For IT-products, e.g. software, the phases introduced by (Matys, 2013) can be translated into Plan, Build, Run and Retirement of the software, based on (Zarnekow et al., 2003).

According to (Bullinger et al., 2006), this Product Lifecycle Management (PLM) is a concept to effectively manage products throughout the whole cycle. This need for product management can easily be transferred to the production of IT-Services. Over the years, as standards and reference models were developed (e.g. the Information Technology Infrastructure Library), the way IT-Service products are seen has gone through a drastic change. Originating from Software Development and Engineering, the Service Oriented Architecture (SOA) has gradually taken over and changed how IT-Products are planned, built, run and decommissioned. IT allows customers to use solutions in parts or as a whole on a pay-per-use basis (Software as a Service, Platform as a Service) (Fischbach et al., 2013).

(Zarnekow et al., 2003) addressed this change as Integrated Information Management which serves as a methodology for a product oriented Information Management. Their model states the change towards a Source, Make and Deliver process for IT-products which need to be tailored to the customer’s needs (Zarnekow and Brenner, 2003).

illustration not visible in this excerpt

Figure 2 Value chain of IS organizations and IT resource management based on (Erek, 2012)

As shown in Figure 2, the Lifecycle element describes the ongoing influence of strategy and of the systems on which the service production process is based. Relationships between service provider and customer become increasingly important, since business needs and the procurement of internal or external products have to be aligned to offer the best possible support in order to reach the strategic goals. This connection between IT and business can therefore be described as a socket which enables businesses to be more effective and efficient (Woitsch et al., 2009).

The fundamental concepts that permit the integration of the basic IT components into a single logically consistent model of the corporate information system include business service, IT service, and service Lifecycle. The concepts of service and its Lifecycle permit a satisfactory representation of the operation of the corporate information system as a logical sequence of processes and functions, and provide the basis for the effective solution of many pressing IT problems (Zimin and Kulakov, 2010).

2.2 ITIL Service Lifecycle

Within the previous chapter the concept of the Lifecycle was introduced to clarify the origin of IT-Service production principles. Over the years the “common practice model” ITIL rose to become an often-cited standard and a suggested management tool for complex IT-Infrastructures. The main goal of ITIL is to implement IT-Service management with standardized processes and activities. The key factor of this whole reference model is the alignment between the customer (e.g. operational business) and the service providing institution (e.g. internal IT-departments or external IT-providers) (OGC, 2011c).

A service is defined as:

“A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.” (OGC, 2011c)

Within ITIL the Service Lifecycle is described as a process for IT-Service Management and is defined by 5 different phases:

illustration not visible in this excerpt

Figure 3 Service Lifecycle according to ITIL (Beims, 2012, OGC, 2011c)

The introduced model describes 5 phases, each suggesting different processes and activities which can lead to a more efficient operation of the IT, deliver a better service quality to the respective customers and increase the customer satisfaction while reducing costs.

Service Strategy

- Serves as a starting point for all activities during the Service Lifecycle and offers support and guidance for service design, development and implementation.
- Securing Alignment of Business and IT-Services.
- Defines strategic aims and identifies chances and possibilities for new IT-Services.
- Reflects on costs and risks of the service portfolio.

Service Design

- Implements the presets that were defined within Service Strategy and delivers templates for the conception of adequate and innovative IT-Services.
- The design of new and altered services is taken into consideration, as well as service management processes.
- Topics covered are the service catalogue, capacity, continuity and service level management.

Service Transition

- Delivers guidance and process elements for the transition into the business environment.
- Addresses topics such as changes within the business culture, Knowledge Management and Risk Management.

Service Operation

- Focuses on the daily business of service operation.
- Addresses the effective and efficient delivery and support of services, which aims to generate a value for the customer and the service provider.
- Includes processes such as Incident or problem management as well as application management and technical management for measurement and controlling of functions and processes.

Continual Service Improvement (CSI)

- Basic support and guidance for value generation and conservation for the customer through continuously improving Service Design, Service Transition and Operation.
- Methods for Quality management, Change Management and Capability Improvement are combined.

illustration not visible in this excerpt

Figure 4 process overview for ITIL Service Lifecycle derived from (OGC, 2011c)

Figure 4 shows the relevant ITIL processes which carry out the activities described within the 5 phases of the IT-Service Lifecycle.

Roles and activities

ITIL defines various roles which aim to assist the above mentioned processes and activities during the Lifecycle.

Service Owner
- Aims to preserve the accordance of services and customer requests.
- Identifies and realizes means to improve the services.
- Gathers all relevant information for effective service Monitoring.
- Guarantees Service Level Agreement (SLA) compliant Service Performance.

Process Owner

- Documents and reviews the processes
- Defines Key Performance Indicators for measuring of efficiency and effectiveness of the process.
- Designs and continually improves the process, including constant review of roles, responsible personnel, KPIs and documentation.

2.3 Merck IT-Service Lifecycle

Since Merck is currently in the process of changing and reorganizing its Information Services department, the implementation and improvement of ITIL methods and processes is an ongoing project.

As described in chapter 2.1 the strategic alignment between IT-Services and business processes is a crucial part of economic growth for Merck. Key factors which influence the decision on adding new services to the portfolio are the business strategy and business capability which are directly reflected by the IT Strategy.

The IT-Service Lifecycle, its processes and activities are managed by the service owners, who are responsible to actively influence the Service Lifecycle (including new, changed and retired services) by maximizing generated business value by the IT department.

illustration not visible in this excerpt

Figure 5 Merck IT-Service process overview (Merck 2012)

As Figure 5 illustrates, the IT-Service process at Merck originates from ITIL process concepts and terminology. Additionally Merck applied checkpoints within their processes which imply the status in which the IT-Service currently resides.

illustration not visible in this excerpt

Table 1 Merck service portfolio status in comparison to ITIL Lifecycle Phases

The Service Strategy phase serves as the initiation point at which business demand and the value of the proposed IT-Service are determined. As described in the IT-Service Lifecycle according to ITIL, the key activities according to chapter 2.2 apply. The service owner (SO) is responsible for verifying his service portfolio against the current needs of the business based on the strategic aspects, and for fulfilling future business needs and innovations. When business requirements are identified, a new draft for a service demand is created. In order to align business needs and IT capability, the strategies of business and IT are to be assessed and verified regularly. To assist the decision on which services should be operated to support business demand, Merck uses a Business Value Index for Services (BVIS).

illustration not visible in this excerpt

Figure 6 Business Value Index for Services (BVIS) (Merck 2012)

Merck uses this methodology to measure the value of business IT-Services. This helps to evaluate the current strategic position of the respective business IT-Service within the service portfolio and to determine whether a service is critical for business success or whether it may be discontinued. The services currently supported by the Information Services department should aim towards strategic growth; therefore current and future strategic objectives should be supported. If services do not support strategic objectives they pose a risk to the service providing department (IS) as well as to the operational business itself, and the aims of cost-efficient service delivery and business value will not be achieved. Future investment in services that do not support strategic goals should be reduced to a minimum, or the service itself should be exchanged or discontinued.

In the forthcoming chapters this methodology will assist in linking risk scenarios to business value in order to determine the risk tolerance. Merck has therefore adopted a process model which includes the activities defined by the PDCA or Deming Cycle (Deming, 1986) to serve the service portfolio activities included in the Service Lifecycle processes.

illustration not visible in this excerpt

Figure 7 Service Lifecycle activities (Merck 2012)

The Plan-Do-Check-Act methodology should focus on the most important aspects for service management (ISO, 2012):

- Understanding and fulfilling the service requirements and achieving customer satisfaction
- Establishing the policy and objectives for the processes
- Designing and delivering services that add value to the customer
- Monitoring, measuring and reviewing performance of services within the service portfolio
- Continually improving the services on objective measurements

The design and transition of services (new or changed) and their requirements should be identified by the customers or stakeholder parties of the service. The Request for Change (RFC) should originate from a business demand or from an improvement to the effectiveness of the service. Changes to existing services which could have a major impact on the customer or the service provider need a further risk assessment of whether the change impacts the portfolio or the supported business processes. This also applies when services are retired or removed from the portfolio. Additionally, Service Level contracts are negotiated to offer the necessary and agreed service quality, and are changed whenever the relevant service changes.

Service Operation primarily focuses on the operational activities which are needed to maintain and deliver a good service quality for the customer. Therefore it is necessary that operational processes like incident or problem management are not seen as additional costs of the service provided. Management within the Service department and the business itself supports and funds service operation activities. Service operation suffers under the role of daily management business without the prestige of projects initiated in Service Design or Service Strategy. Service operation needs to be seen as a necessary activity which has great potential for reducing cost and increasing the business value created by the Information Services department.

CSI at Merck is carried out as a form of service review and monitoring. Existing SLAs and scopes are regularly reviewed to assess the successful delivery of services to the customer. The service performance is quantified via the number of tickets and availability indicators. Within the SLAs the agreed service, availability (Maintenance Windows, Outage handling) and service support (Incident Handling, Service Request Handling) are documented.

3 Management of Risk

3.1 Definition of Risk

According to the ISO Guide 73 for Risk Management, a risk is an effect of uncertainty on objectives, which directly relies on the business strategy that sets strategic objectives for a measurable business success. Though the effect may be positive, negative or a deviation from the expected, it is often described by an event, a change in circumstances or a consequence (ISO, 2009b). As described in chapter 2, alignment between business strategy and IT strategy is very important for business success. Therefore Risk Management for IT is highly dependent on the overall enterprise Risk Management principles and processes. The ISACA (Information Systems Audit and Control Association) treats IT risk as a business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within the enterprise (ISACA, 2009). This requires risks to be detected or recognized by the business even if the majority of them might not have a cost-effective factor. It is important that risks resulting from the use of IT are treated as if they have a direct impact on the business’s ability to achieve its strategic objectives. Decisions about risk need to be considered so that the potential benefits are worth more than carrying out the risk treatment (OGC, 2010). Risk Management is also increasingly important in conjunction with IT-Governance: on the one hand because the dependence on IT systems and services is growing, on the other hand due to the increasing legal and regulatory requirements (Fröhlich et al., 2007).

3.2 Risk Management principles

Within ISO 31000 several principles for the effective use of Risk Management are presented. These act as a guideline for Risk Management to be effective in an organization. Risk Management focuses on the assessment of significant risks and the implementation of suitable responses (ISO, 2009a).

Risk Management is therefore a continuous process which aims to support the strategy of the related organization or business. All decisions made by the respective management lead to potential opportunities for benefit, threats to success or an increased degree of uncertainty.


Excerpt out of 66 pages


Risk Management within the IT-Service Lifecycle
University of Applied Sciences Brandenburg  (Fachbereich Wirtschaft)
Keywords: Risk Management, IT-Services, Service Lifecycle Management, ITIL, ISO
Cite as:
Jan Kussowski (Author), 2014, Risk Management within the IT-Service Lifecycle, Munich, GRIN Verlag, https://www.grin.com/document/299681
