Step 4 - Tracking and Reporting Risk
During the risk tracking step, IT operations gathers information about how risks are changing; this information supports the decisions and actions that will be made in the next step (risk control).
The risk tracking step monitors three main changes:
Trigger values - If a trigger becomes true, the contingency plan needs to be executed.
The risk's condition, consequences, probability, and impact - If any of these change (or are found to be inaccurate), they need to be reevaluated.
The progress of a mitigation plan - If the plan is behind schedule or is not having the desired effect, it needs to be reevaluated.
This step monitors the above changes on three main time frames:
Constant - Many risks in operations can be monitored constantly or at least many times each day. For example, automated tools can monitor a Web server's bandwidth usage every few seconds.
Periodic - IT operations stakeholders, especially those in the Service Role Cluster, periodically review the top risks list, looking for changes in the major elements. This often happens at staff meetings, change advisory board meetings, OMRs, and so on.
As-needed - In some cases, someone simply notices that part of a risk has changed. This should still be tracked and recorded.
Risk Status Reporting
Risk reporting should operate at two levels: internal and external. For IT operations (internal), regular risk status reports should consider four possible risk management situations for each risk:
Resolution - A risk is resolved, completing the risk action plan.
Consistency - Risk actions are consistent with the risk management plan, in which case the risk plan actions continue as planned.
Variance - Some risk actions are at variance with the risk management plan, in which case corrective measures should be defined and implemented.
Changeability - The situation has changed significantly with respect to one or more risks and will usually involve re-analyzing the risks or re-planning an activity.
The best practices described below will be beneficial during the risk tracking and reporting step.
Make risk review a part of regular work, for example by making it a permanent agenda item for any recurring meeting. The review can be highly effective without taking very much time. This is the key to managing risks continuously.
Review All Triggers
If the operations staff has highly visible triggers that are automated and constantly monitored, it can be easy to focus on them and overlook triggers that cannot be automated. Forgetting to review such non-monitored triggers means that if one of them has become true, it might not be noticed, resulting in further delay of the contingency plan and often compounding the consequences.
Look for trends in risk data. For example, if a particular risk's probability has increased 5 percent every week for the last month, then even though the probability is still low, the trend may justify ranking the risk higher on the top risks list.
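The trend check and the review of non-automated triggers described above, as an added Python example that is not part of the original guidance. The register layout, risk names, sample values, the 14-day review interval, and the 0.04-per-week slope threshold are all assumptions, and "5 percent" is read here as five percentage points.

```python
from datetime import date, timedelta

# Constructed sample register; every name, value and threshold is an assumption.
TODAY = date(2024, 6, 28)
RISKS = [
    {"id": "R1", "name": "Web server bandwidth exhaustion",
     "weekly_probability": [0.05, 0.10, 0.15, 0.20],  # last four weekly reviews
     "trigger": {"automated": True, "last_checked": date(2024, 6, 28)}},
    {"id": "R2", "name": "Key administrator leaves",
     "weekly_probability": [0.30, 0.30, 0.28, 0.30],
     "trigger": {"automated": False, "last_checked": date(2024, 5, 10)}},
    {"id": "R3", "name": "Vendor ends support",
     "weekly_probability": [0.40, 0.35, 0.40, 0.38],
     "trigger": {"automated": False, "last_checked": date(2024, 6, 24)}},
]

def weekly_slope(series):
    """Least-squares slope of probability per weekly review."""
    n = len(series)
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(series))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den

def rising_risks(risks, min_slope=0.04, min_points=4):
    """IDs of risks whose probability rose at every review, at >= min_slope per week."""
    flagged = []
    for r in risks:
        s = r["weekly_probability"]
        if len(s) < min_points:
            continue  # too little history to call it a trend
        rose_each_week = all(b > a for a, b in zip(s, s[1:]))
        if rose_each_week and weekly_slope(s) >= min_slope:
            flagged.append(r["id"])
    return flagged

def stale_manual_triggers(risks, today, max_age=timedelta(days=14)):
    """IDs of risks whose non-automated trigger has not been reviewed within max_age."""
    return [r["id"] for r in risks
            if not r["trigger"]["automated"]
            and today - r["trigger"]["last_checked"] > max_age]

if __name__ == "__main__":
    print("rising probability:", rising_risks(RISKS))
    print("manual triggers overdue for review:", stale_manual_triggers(RISKS, TODAY))
```

R1 is flagged even though its probability is still only 0.20, which is the case the trend guidance describes; R2 is flagged because its trigger depends on someone looking and nobody has looked recently.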