Risk Matrix
Risk is a possible event that could cause harm or losses, or create obstacles to achieving your objectives. Risk may also be defined as the uncertainty of an outcome, which can be used to estimate the probability of a positive or negative outcome. The risk level associated with a change request or other ITSM entity is evaluated using the Risk Matrix in the ITSM application.
The Risk Matrix table (itsm_dl_change_risk) is a tool for qualitative evaluation of the associated risks. The evaluation depends on the following parameters:
- Impact – the potential effect that the risk may have on the business user, service, or CI. The options are Low, Medium, High, Very high. For non-infrastructure incidents, the Impact can be calculated based on the Impact Matrix. In this case, the maximum possible Impact is High.
- Probability – the probability of the risk associated with the change taking place. The options are High or Low.
- Business criticality – specifies how crucial a disruption of this service can be for the business. The options are High or Low.
Role required: matrix_manager.
Using the Risk Matrix allows you to approach changes more efficiently. Apply the following strategies to avoid or modify the risks:
- Decline the change.
- Remove the risk source.
- Change the probability of the negative event.
- Change the possible consequences.
- Share the risk with other parties (including contracts and risk financing).
- Retain the risk by informed decision.
If you intend to proceed with a high-risk change, it is recommended to increase the number of approvals required for the change request or another ITSM entity and create an in-depth plan of the change.
Risk when Business criticality is Low
| Probability/Impact | Low | Medium | High | Very high |
|---|---|---|---|---|
| Low | Low | Low | Medium | High |
| High | Medium | Medium | High | High |
Risk when Business criticality is High
| Probability/Impact | Low | Medium | High | Very high |
|---|---|---|---|---|
| Low | Low | Medium | High | High |
| High | High | High | High | Very high |
Extend the Risk Matrix
Add new impact, probability, and business criticality options
The ITSM solution has a Risk Matrix with standard settings, but you can customize it based on your business tasks and priorities. To do so, you can add more Impact, Probability, or Business criticality options.
To add a new impact, probability or business criticality option, complete the following steps:
- Open any record that has the Impact, Probability, and Business criticality fields.
- Right-click the title of the field you need and select Configure field in the context menu that appears.
- In the Related Lists area, select the Choice tab.
- Click New and fill in the fields.
- Click Save or Save and exit to apply the changes.
See the Choice Fields article to learn how to create choice options.
When filling out the Value field, note that the value must reflect the level of the impact, probability, or business criticality option relative to the other options.
For example, the High option of Impact has a value of 3. If you add a Very high option for Impact that is higher than High, set the value to 4.
If you add a Medium option for Impact that is lower than High, set the value to 2.
After you have added a new impact, probability, or business criticality option, perform the same steps for the Risk Matrix (itsm_dl_change_risk) table.
Add new risk combinations
After adding new choice options, extend the Risk Matrix. To do so, complete the following steps:
- Navigate to Matrices Configuration → Risk Matrix.
- Click New and fill in the fields.
- Click Save or Save and exit to apply the changes.
Risk Matrix form fields
| Field | Mandatory | Description |
|---|---|---|
| Impact | N | The impact value you plan to use in the new risk value. |
| Probability | N | The probability value you plan to use in the new risk value. |
| Business criticality | N | The business criticality value you plan to use in the new risk value. |
| Risk | N | The risk value that is calculated based on the impact, probability, and business criticality. |
Repeat these steps until your Risk Matrix covers all the possible combinations of the impact, probability and business criticality.
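To confirm that an extended matrix really covers every combination, you can audit an export of the Risk Matrix rows. The script below is an added example, not part of the product. The record keys (`impact`, `probability`, `criticality`, `risk`) and the added "Medium" probability option are assumptions made for illustration.

```python
from itertools import product

IMPACTS = ["Low", "Medium", "High", "Very high"]

# Standard matrix from the two tables above:
# (business criticality, probability) -> risk for each impact in IMPACTS order.
STANDARD = {
    ("Low", "Low"): ["Low", "Low", "Medium", "High"],
    ("Low", "High"): ["Medium", "Medium", "High", "High"],
    ("High", "Low"): ["Low", "Medium", "High", "High"],
    ("High", "High"): ["High", "High", "High", "Very high"],
}


def standard_rows():
    """Flatten the tables into one record per Risk Matrix row (hypothetical keys)."""
    return [
        {"impact": impact, "probability": prob, "criticality": crit, "risk": risk}
        for (crit, prob), risks in STANDARD.items()
        for impact, risk in zip(IMPACTS, risks)
    ]


def audit(rows, impacts, probabilities, criticalities):
    """Return (missing, conflicting) combinations for the given choice options."""
    seen = {}
    conflicting = set()
    for row in rows:
        key = (row["impact"], row["probability"], row["criticality"])
        if key in seen and seen[key] != row["risk"]:
            conflicting.add(key)  # same combination mapped to two different risks
        seen.setdefault(key, row["risk"])
    expected = set(product(impacts, probabilities, criticalities))
    return sorted(expected - set(seen)), sorted(conflicting)


if __name__ == "__main__":
    # Constructed scenario: a "Medium" probability choice option was added,
    # but no Risk Matrix rows have been created for it yet.
    missing, conflicting = audit(
        standard_rows(), IMPACTS, ["Low", "Medium", "High"], ["Low", "High"]
    )
    for combo in missing:
        print("no risk row for impact=%s probability=%s criticality=%s" % combo)
    print("conflicting rows:", conflicting)
```

Each reported combination is a record that still has to be created through Matrices Configuration → Risk Matrix.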