Risk Management Discipline for Operations - Microsoft Operations Framework.doc

microsoft operations frameworkversion 3.0published: january 2004for information on microsoft operations framework, see /mofrisk management discipline for operationscontentsabstract1whats new?1introduction2why operations needs risk management6creating a risk management culture10overview of the risk management discipline for operations12step 1: identifying risks in operations17step 2: analyzing and prioritizing risks21step 3: planning and scheduling risk actions26step 4: tracking and reporting risk29step 5: controlling risk31step 6: learning from risk32comparing the risk management discipline for operations to other risk models33summary34references35appendix a: risk management by mof team role cluster36appendix b: risk deliverables and samples45appendix c: resources52contributors57the information contained in this document represents the current view of microsoft corporation on the issues discussed as of the date of publication. because microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of microsoft, and microsoft cannot guarantee the accuracy of any information presented after the date of publication.this paper is for informational purposes only. microsoft makes no warranties, express, implied or statutory, as to the information in this document.complying with all applicable copyright laws is the responsibility of the user. without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of microsoft corporation. microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. except as expressly provided in any written license agreement from microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. 2004 microsoft corporation. all rights reserved.microsoft, msdn, windows, and windows server are either registered trademarks or trademarks of microsoft corporation in the united states and/or other countries.the names of actual companies and products mentioned herein may be the trademarks of their respective owners.risk management discipline for operations57abstractthis paper describes the microsoft operations framework (mof) risk management discipline. anyone reading this paper should have previously read the microsoft operations framework executive overview paper, which contains important background information for this topic. the risk management discipline for operations paper, which is derived from the microsoft solutions framework (msf) risk management discipline, explains the disciplines core principles and components and how they can be applied in an it operations environment. it is intended for operations staff at all levels, as well as microsoft services and partner consultants. the discipline is applicable in nearly all organizations, and the examples illustrate situations commonly found at service providers, dot-com and e-businesses, and information technology (it) groups of large organizations. the paper explains that risk management has become more important and more difficult. it describes the risk management discipline for operations: a process for managing risks with a proactive approach that embeds risk management practices into every it operations role, process, and review. the paper concludes with examples that show how risk management can be applied to real-world operations.the risk management discipline for operations paper is one of a series of publications about mof. for a complete list of these publications, see the mof website at /mof.whats new?the risk management discipline for operations paper has been revised as part of a general revision of the complete microsoft operations framework. the key goals of this revision are to: align the mof risk discipline with the microsoft solutions framework (msf) version 3 risk management discipline to provide one common risk management process across the it life cycle. update and improve the quality of the risk management guidance and examples. provide more explicit guidance regarding the responsibility and accountability of risk management activities in operations. clarify the business value that can be realized by creating a risk management culture and adopting best practices.introductiona demanding environmenttodays business environment places increasing demands (rapid change, financial constraints, security and reliability concerns, global interconnectedness) on it organizations in order to meet the expanding needs of a wide variety of stakeholders. technology advances have enabled it organizations to better meet these demands and have created many new business opportunities. one drawback, however, is that teams dealing with new technology can quickly lose track of its business intent, and the business perception of the value of it can be questioned. at the same time, technology projects continue to challenge itmany projects are unsuccessful or squander precious resources through poor quality results. moreover, enterprise businesses are increasingly dependent on their information technology systems and are therefore more vulnerable to failures in those systems. while rock-solid technology is necessary to meet demands for reliable, available, and secure it services, technology alone is not sufficient; excellence in processes and people (skills, roles, and responsibilities) is also needed.according to industry analysts, 50 percent (or more) of all it budgets is spent operating it systems, and 80 percent of unplanned system downtime is caused by people and process failures. it is vital that enterprise businesses augment technology with skilled it staff having well-defined roles and responsibilities and using effective it operations processes and management skills. microsofts approachmicrosoft understands the challenges facing todays enterprise computing environments and has responded with best-in-class technology and proven best practice guidance on how to effectively design, develop, deploy, operate, and support solutions built on microsoft technologies. this knowledge comes from microsofts internal it and operations experience with large-scale software development and service operation projects, its service consultants experience in conducting projects for customer organizations of all sizes and geographies, and the best knowledge from the worldwide it industry. the guidance is organized into two complementary and well-integrated bodies of knowledge, or “frameworks.” these are microsoft operations framework (mof) and microsoft solutions framework (msf).microsoft operations framework provides guidelines on how to plan, deploy, and maintain it operational processes in support of mission-critical service solutions. mof is a structured, yet flexible, approach based on: microsoft consulting and support teams and their experiences working with enterprise customers and partners, as well as microsofts internal it operations groups. the it infrastructure library (itil), which describes the processes and best practices necessary for the delivery of mission-critical service solutions. iso 15504 (also referred to as spice), from the international organization for standardization (iso), which provides a normalized approach to assessing software process maturity.microsoft solutions framework is an adaptable software development and deployment approach for successfully delivering technology solutions faster, with fewer people and less risk, while producing higher quality results. msf has been widely used by microsoft customers, partners, consulting services, and product teams and observed its tenth anniversary in 2003.msf describes how to: align business and technology goals. establish clear project goals, roles, and responsibilities. implement an iterative, milestone-driven process. manage risk proactively. respond to change effectively.msf is a disciplined approach to managing technology projects based on microsoft internal practices, the experiences of microsoft services working with customers and partners, and industry best practices in software development and project management.the it life cyclein delivering an effective portfolio of it services to the business, it operations and project teams should focus on three key objectives: understand the business and operational needs for the service and create a solution that delivers these within the specified constraints. effectively and efficiently deploy the solution to users with as little disruption to the business as the service levels specify. operate the solution with excellence in order to deliver a service that the business trusts.microsoft solutions framework and microsoft operations framework combine to provide a complementary, integrated set of guidance that addresses the need for a consistent and unified approach to the overall it life cycle. the two frameworks work together to minimize the time to valuethat is, the time between recognition of the need and delivery of the service. consistency of terminology and concepts between the two frameworks also supports the delivery of a high-quality service by facilitating effective communications throughout the life cycle.within the overall it life cycle, msf and mof follow four basic steps to create a new solution (or change to an existing one) and to operate that solution in a production environment; these are: plan the solution using msf and mof.seek first to understand the business and operational requirements in order to create the right solution architecture, design, project plans, and schedules. build the solution using msf.create and complete the features, components, and other elements described in the specifications and plans using the appropriate development tools and processes. deploy the solution using mof and msf.implement a smooth deployment into the production environment using strong release management processes and automation. operate the solution using mof.follow the mof models and processes for solution and systems management to achieve and maintain operational excellence.this approach recognizes that a change to a currently deployed solution can originate from an operations requirement, a new business requirement, or external factors such as regulatory requirements. these changes also need to follow the four basic steps of the life cycle and, depending on their complexity, can trigger either a new (msf) project, or a smaller-scale request for change. microsofts view of the it life cycle unites the varied activities that take place in an it organization to ensure smooth, coordinated, and cost-effective delivery of it services to the business. mof and msf target different, but integral, phases in the end-to-end it life cycle. each framework provides useful and detailed information on the people, processes, and tools required to successfully function within its respective area. both msf and mof provide technology-agnostic guidance for improving it processes that can be used in any environment. figure 1. how msf and mof work together to meet business needshow mof builds on itilsince the 1980s, current industry best practices for it service management has been well documented within the it infrastructure library (itil) from the office of government commerce (ogc) in the united kingdom. the ogc is a u.k. government executive agency chartered with development of best practice advice and guidance on the use of information technology in service management and operations. to accomplish this, the ogc charters projects with leading it companies from around the world to document and validate best practices in the disciplines of it service management. the core itil guidance and publications are organized as follows: itil service supportitil service delivery incident management problem management configuration management change management release management service desk function service level management availability management capacity management financial management it service continuity managementmof “adopts and adapts” itil, and combines these collaborative industry best practices with specific guidelines for running on the microsoft platform in a variety of business scenarios. mof extends the itil code of practice to support distributed it environments and current industry directions such as application hosting, mobile-device computing, and web-based transactional and e-commerce systems.service solutions and it service managementtwo important concepts are key to understanding how microsoft operations framework supports it operations. these two concepts are service solutions and it service management. service solutions are the capabilities, or business functions, that it provides to its customers and users. some examples of service solutions are: line-of-business (lob) applications messaging knowledge management e-commerce web services file and print services information publishing data storage network connectivity mof embraces the concept of it operations providing business-focused service solutions through the use of well-defined service management functions (smfs). these smfs provide consistent policies, procedures, standards, and best practices that can be applied across the entire suite of service solutions found in todays it environments.why operations needs risk managementrisk is broadly defined as any event or condition that can have an impact on the outcome of an activity. within the context of it operations, risk is the probability, not the certainty, of suffering a loss, and the vulnerability or likelihood that the threat will occur. the loss could be anything from diminished quality of a service to increased cost, missed deadlines, or complete service failure.risks arise from uncertainty surrounding operational decisions and outcomes. most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of an activity. however, outcomes may also result in failure to maximize gain in an opportunity; the uncertainties in decision making leading up to this outcome can also be said to involve elements of risk.increased risk of it failurerisk management is the process of identifying risks and deciding what to do about them. risk management is increasingly important to it in general, and to operations groups in particular, because organizations are more susceptible today to disruptions in service caused by problems in their it environments. both the number and the severity of potential it failures (specifically the ones related to it operations) are increasing over time because: business transactions and processes are increasingly dependent on it, so failures in it are more likely to impact the business, and that impact is more likely to be severe. the it environment is increasingly complex, so even if the environment stays the same size, the number of potential failure points is rising. it directly controls less of the infrastructure, so managing the possibility of failure is more important because it has less ability to react after the failure occurs. when an it failure occurs, there is less time between the occurrence of the failure and its impact on the business. it failures are increasingly visible outside the data center, so more people are negatively affected when a failure occurs.in short, it has more potential to support and enhance business processes than ever before; but, in turn, failures in it have more potential to disrupt business operations and directly affect an organizations profitability and success. the next sections examine the trends in it failure in more detail.business is more dependent on ittoday, more of the systems that it manages are critical to successful business operations. for example, 10 years ago, communication in many companies was based on such non-it services as paper memos, an internal mailroom service, an external postal service, and the telephone. today, it is responsible for e-mail service, intranets, and internet sitescommunication systems that were not considered business-critical a decade ago. because of this increasing reliance on it services, the potential failure of these services presents an increasing source of risk to the business.it environment is more complexa typical it environment contains more components today than in the past. there are more desktops, servers, and connections, more end-to-end services, and more integration of systems. this is partly due to the move from centralized computing, then to client/server computing, and more recently to the vision of microsoft .net, in which all objects are logically distributed. as this progression takes place, the number of items in the infrastructure increases, even if the scope of the infrastructure stays the same.the diversity of the infrastructure has also increased. for example, it groups that