During the risk tracking step, IT operations gathers information about how risks are changing; this information supports the decisions and actions that will be made in the next step (risk control).
The risk tracking step monitors three main changes:
- Trigger values - If a trigger becomes true, the contingency plan needs to be executed.
- The risk's condition, consequences, probability, and impact - If any of these change (or are found to be inaccurate), they need to be reevaluated.
- The progress of a mitigation plan - If the plan is behind schedule or is not having the desired effect, it needs to be
This step monitors the above changes on three main time frames:
- Constant - Many risks in operations can be monitored constantly or at least many times each day. For example, automated tools can monitor a Web server's bandwidth usage every few
- Periodic - IT operations stakeholders, especially those in the Service Role Cluster, periodically review the top risks list, looking for changes in the major elements. This often happens at staff meetings, change advisory board meetings, OMRs, and so
- As-needed - In some cases, someone simply notices that part of a risk has changed. This should still be tracked and
Risk Status Reporting
Risk reporting should operate at two levels: internal and external. For IT operations (internal), regular risk status reports should consider four possible risk management situations for each risk:
- Resolution - A risk is resolved, completing the risk
- Consistency - Risk actions are consistent with the risk management plan, in which case the risk plan actions continue as
- Variance - Some risk actions are at variance with the risk management plan, in which case corrective measures should be defined and implemented.
- Changeability - The situation has changed significantly with respect to one or more risks and will usually involve re-analyzing the risks or re-planning an activity.
The best practices described below will be beneficial during the risk tracking and reporting step.
Make risk review a part of regular work, for example by making it a permanent agenda item for any recurring meeting. The review can be highly effective without taking very much time. This is the key to managing risks continuously.
Review All Triggers
If the operations staff has highly visible triggers that are automated and constantly monitored, it can be easy to focus on them and overlook triggers that cannot be automated. If one of these non-monitored triggers has become true and nobody reviews it, the change might not be noticed, resulting in further delay of the contingency plan and often compounding the consequences.
Look for trends in risk data. For example, if a particular risk's probability has increased 5 percent every week for the last month, then even though the probability is still low, the trend may justify ranking the risk higher on the top risks list.
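The two checks above (reviewing triggers that cannot be automated, and watching the probability trend) can be combined in one tracking pass. The following is an added example, not part of the original guidance; the class names, the seven-day review window, the four-week trend rule and the sample risks are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Trigger:
    name: str
    automated: bool          # False = someone has to look at it by hand
    last_checked: date
    fired: bool = False

@dataclass
class Risk:
    name: str
    weekly_probability: list  # oldest first, values in 0..1
    triggers: list = field(default_factory=list)

def review(risks, today, max_age=timedelta(days=7), weeks=4):
    """One tracking pass; returns (risk name, finding kind, detail) tuples."""
    findings = []
    for risk in risks:
        for t in risk.triggers:
            if t.fired:
                findings.append((risk.name, "TRIGGER_TRUE", f"{t.name}: execute contingency plan"))
            elif not t.automated and today - t.last_checked > max_age:
                findings.append((risk.name, "TRIGGER_NOT_REVIEWED", f"{t.name}: last checked {t.last_checked}"))
        # 'weeks' consecutive increases need weeks + 1 data points.
        h = risk.weekly_probability[-(weeks + 1):]
        if len(h) == weeks + 1 and all(b > a for a, b in zip(h, h[1:])):
            findings.append((risk.name, "RISING_TREND", f"{h[0]:.0%} -> {h[-1]:.0%}: consider ranking higher"))
    return findings

# Constructed sample data (assumed risks, dates and probabilities).
TODAY = date(2024, 6, 3)
SAMPLE_RISKS = [
    Risk("Web server bandwidth exhausted", [0.10, 0.10, 0.10, 0.10, 0.10],
         [Trigger("bandwidth above threshold", True, TODAY)]),
    Risk("Vendor support contract lapses", [0.05, 0.10, 0.15, 0.20, 0.25],
         [Trigger("renewal notice received", False, TODAY - timedelta(days=30))]),
    Risk("Backup job fails", [0.20, 0.20, 0.20, 0.20, 0.20],
         [Trigger("two consecutive failed backups", True, TODAY, fired=True)]),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RISKS, TODAY):
        print(*finding, sep=" | ")
```

The second sample risk still has a low probability and no true trigger, yet it is reported twice: its manual trigger has gone unreviewed and its probability has risen every week for a month.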