Learning from risk is the sixth and last step in the Microsoft Operations Framework (MOF) Risk Management Discipline and adds a strategic, enterprise, or organizational perspective to risk management activities. Risk learning should be a continuous activity throughout the entire risk management process and may begin at any time. It focuses on three key objectives:
- Providing quality assurance on the current risk management
activities so that the IT operations group can gain regular
- Capturing knowledge and best practices, especially around risk
identification and successful mitigation strategies-this
contributes to the risk knowledge base.
- Improving the risk management process by capturing feedback
from the organization.
Capturing Lessons About Risk
Risk classification is a powerful means for ensuring that lessons learned from previous experience are made available to the groups performing future risk assessments. The following two key aspects of learning are often recorded using risk classifications:
- New risks - If IT operations encounters an issue that
had not been identified earlier as a risk, it should review whether
any signs (leading indicators) could have helped to predict the
risk. You may need to update the existing risk lists to help
identify risks in the future. Alternatively, you might have
identified a new operational risk that should be added to the
existing risk knowledge base.
- Mitigation strategies - The other key learning point is
to capture experiences of strategies that have been used
successfully (or even unsuccessfully) to mitigate risks. Use of a
standard risk classification provides a meaningful way to group
related risks so that operations can easily find details of risk
management strategies that have been successful in the
The best practices described below will be beneficial during the learning from risk step.
Risk Review Meetings
The risk review process should be well managed to ensure all learning is captured. Operations management reviews (OMRs) as well as specific risk review meetings provide a forum for learning from risk. They should be held on a regular basis and, like other reviews, will benefit from advance planning, development of a clear, published agenda, participation by all participants, and free, honest communication in a "blame-free" environment.
Risk Knowledge Base
The risk knowledge base is a formal or informal mechanism by which an organization captures learning to assist in future risk management. Without some form of knowledge base, an organization may have difficulty adopting a proactive approach to risk management. The risk knowledge base differs from the risk management database, which stores and tracks individual risk items, plans, and status for a specific service.