View previous topic :: View next topic |
Author |
Message |
Fredizz Newbie


Joined: Sep 22, 2006 Posts: 11
|
Posted: Tue Sep 26, 2006 9:49 pm Post subject: Risk and Impact definition? |
|
|
Is there any difference in the way you define and measure the risk and the impact?
How would you define the difference between them if there is one?
Is there a way to "calculate" them, so i would be able to implement it in my organisation. |
|
Back to top |
|
 |
fighter Senior Itiler

Joined: Mar 15, 2006 Posts: 68 Location: Thailand
|
Posted: Wed Sep 27, 2006 12:43 pm Post subject: |
|
|
Fredizz,
Impact is the step by step analysis of the Risk involved in the change.
Impact can be impact on no of users, Configuration Item likely to be impacted by the change, Implementation complexity & Change Complexity, If the change tested, Backout is tested to name a few...
You can grade them from the scale of 1 - 10 .... the higher the grade the higher the risk..
Hope it helps..
Vimzie!! |
|
Back to top |
|
 |
m_croon Senior Itiler

Joined: Aug 11, 2006 Posts: 262 Location: Netherlands
|
Posted: Wed Sep 27, 2006 4:11 pm Post subject: |
|
|
fighter wrote: | Impact can be impact on no of users, Configuration Item likely to be impacted by the change, ! |
In other words: Impact is the (weight of the) effect that occurs when a risk becomes reality. |
|
Back to top |
|
 |
Fredizz Newbie


Joined: Sep 22, 2006 Posts: 11
|
Posted: Wed Sep 27, 2006 8:48 pm Post subject: Impact and risk definition? |
|
|
So if i understand quite well, you mean that the impact description will define the level of the risk, for example:
(Impact description) number of users affected + metal of application affected+availability affected+....=Risk level (high, medium,small)
So risk description=impact description, am i correct? |
|
Back to top |
|
 |
m_croon Senior Itiler

Joined: Aug 11, 2006 Posts: 262 Location: Netherlands
|
Posted: Thu Sep 28, 2006 4:35 am Post subject: Re: Impact and risk definition? |
|
|
Fredizz wrote: | So if i understand quite well, you mean that the impact description will define the level of the risk, for example:
(Impact description) number of users affected + metal of application affected+availability affected+....=Risk level (high, medium,small)
So risk description=impact description, am i correct? |
I'm afraid my lack of English is getting in the way. Let's say that the risk is "fire". The impact on the central IT department with server room (many or all users potentially affected) is a different one than the impact on a different /decentralized location (only local users affected). your counter measures in case the risk actually occurs should therefor be different when the fire occurs in the central dept as compared to a localized fire. Maybe not the best example. Impact can be defined as users, money, business continuity etc.
Does this make it clearer? |
|
Back to top |
|
 |
fighter Senior Itiler

Joined: Mar 15, 2006 Posts: 68 Location: Thailand
|
Posted: Thu Sep 28, 2006 12:03 pm Post subject: |
|
|
I agree with m_croon
Cannot put it any better! |
|
Back to top |
|
 |
Fredizz Newbie


Joined: Sep 22, 2006 Posts: 11
|
Posted: Thu Sep 28, 2006 6:25 pm Post subject: |
|
|
That's perfectly clear, my next question will be, are those 2 values linked or tighted together or rather, can their value differ?
Can you give an example whether risk will be high and the impact low
and the impact high but the risk low?
and then i'll promise i'm done with this subject... |
|
Back to top |
|
 |
fighter Senior Itiler

Joined: Mar 15, 2006 Posts: 68 Location: Thailand
|
Posted: Thu Sep 28, 2006 6:34 pm Post subject: |
|
|
Ok think about this scenario..
You have software for your organisation no of users is only 10 and revenue is $100K each day on these system and Availability is 24*7.
Impact on no of users 10. which is quite low.
Impact on Revenue is $100k each day
The over all risk is high here...
There might be a internal HR system which ever user accesses lets say 10000 and the revenue generated out of the system is $0. Ofcourse there are other values the system generates.
The risk on this system is low..
Hope this helps!
Vimzie!! |
|
Back to top |
|
 |
Fredizz Newbie


Joined: Sep 22, 2006 Posts: 11
|
Posted: Thu Sep 28, 2006 7:10 pm Post subject: |
|
|
Ok, that make sense, however you'll agree that most likely if the impact is high then the risk should be in most of the cases high too. |
|
Back to top |
|
 |
fighter Senior Itiler

Joined: Mar 15, 2006 Posts: 68 Location: Thailand
|
Posted: Thu Sep 28, 2006 8:28 pm Post subject: |
|
|
Yes Fredizz, you are right.. In most cases if the impact is high, risk is high as well...
Vimzie! |
|
Back to top |
|
 |
UKVIKING Senior Itiler

Joined: Sep 16, 2006 Posts: 3591 Location: London, UK
|
Posted: Fri Sep 29, 2006 10:18 pm Post subject: |
|
|
Risk and Impact will not necessary follow the same scale.
So a High Risk High Impact may occur as well as a Low Risk High Impact and everything in between
The fire analogy was pretty good.
Use Impact as the effect on the users
Use Risk to determine the chance of Impact happening as well as any consequences.
I will use the water balloon scenario.
You have 10 water balloons. You are tossing them one at a time from your apartment
To the fellow walking below, there is a chance of the baloon IMPACTing on him
To the person dropping the balloon, there is RISK of getting caught and getting the crap beat out of you by the fellow below or your parents .... grin _________________ John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter |
|
Back to top |
|
 |
|