Configuring risk assessment
Risk assessment involves computing the total risk of making a change based on risk-related questions and the derived risk. The derived risk can be based on historical performance and the impact or priority of a change or CI. The higher the risk on a change request, the more time you should take to consider the impact of the proposed change and whether to proceed.
The following table displays the numeric values for each risk level:
Aggregate risk value
Minimal (lowest risk)
Extreme (highest risk)
Risk factor questions
As an application administrator, you can create risk factors based on weighted answers to multiple-choice questions. Each question can carry its own risk weight, and each answer can carry its own risk value. The change coordinator's answers to these questions enable you to compute a more detailed risk value based on a set of specific circumstances rather than simply choosing one of the predefined risk levels.
Change managers and virtualization administrators use the risk value to determine how much the change request impacts their company. Armed with this information, they can plan and schedule their changes accordingly.
You can create different sets of questions for different companies. With the Remedy IT Service Management Virtualization Lifecycle Management extension, you can now also create different sets of questions for different operational categorizations. When the change coordinator or virtualization administrator creates a change request, the questions for the applicable company and operational categorization are displayed. If no questions are defined for the company and operational categorization of the change request, the global questions are displayed.
You can choose how to word your questions and responses. A good example of a risk question is, "Will this change impact more than 100 people?" The answer can be Yes or No. You might specify Yes as a risk value of 5, and then specify No as a risk value or 1. You could specify Yes and No to have other risk values, such as 4 and 2.
You could ask this same question in another way: "How many people will this change affect?" The answers could then be 1-25 (risk 1), 26-50 (risk 2), 51-75 (risk 3), 76-100 (risk 4), and more than 100 (risk 5).
Both of these questions provide similar information. It is up to the application administrator to understand how important the specific details are. Yes or No questions are quicker to answer, but they limit the choices.
These questions then appear in the Risk Assessment Questions dialog box that the change coordinator accesses by clicking the Risk Info button (beside the Risk Level field) on the Infrastructure Change form.
The change coordinator's responses are recorded and associated with the change entry in the CHG:ChangeRiskFactors form. This backend form is for reference only, and it not intended to be viewed by the users or administrator.
Derived risk factors
Derived risks factors are based on historical performance data, the impact or priority of the change request, and the impact or priority of the attached CI. When a change is completed, the change manager or coordinator can enter a value in the Performance Rating field, as listed in the following table. If you have configured changes rules, then the performance rating value is set as per the configuration settings. If you have not configured the change rules or have not entered the value manually, the default value is automatically set to 3 once the change request closes or gets complete.
Performance rating level
Lowest (worst rating)
Highest (best rating)
Performance ratings are recorded for each change request. The historical ratings are used to compute an overall performance for each of the derived risk factors. The performance history becomes more meaningful as more changes are accomplished. The performance rating becomes an average of the performance of the assigned manager or the chosen operational categorization. This in turn helps a more accurate risk assessment to be performed on new changes.
Performance ratings for changes are not rolled into the average performance until the change is closed. A completed change does not yet have the performance rating averaged into the overall rating.
This performance rating is used for computational purposes, based on all derived factors related to the change. Derived risk factors are based on the historical performance of different aspects of a change. For all configured derived risks, a cumulative performance rating is stored for that aspect of the change. For example, one derived risk aspect that can be configured allows for tracking of the performance of the change manager. When a change is completed, a performance rating is recorded. This rating is stored on the change, and when the change closes, the status becomes Closed. The performance rating is then averaged into the existing performance rating for the change manager.
You can create a collection of risk factors that are derived from pre-existing data in the Change Management application, such as the priority of related configuration items (CIs), the performance rating of a manager or support group, the CI priority and impact, or the change priority and impact. The risk values for the derived factors are recorded and associated with the change request.
This derived factor is calculated in the Performance Rating field that rates the work done when the change request is completed.
Risk and Performance have an inverse relationship. A high performance rating leads to a lower risk, and a low performance rating means a higher risk, as shown in the following table.
Performance ratings and aggregate risk values
Aggregate risk value
For additional information, you can view the BMC Communities blog post on Risk assessment in BMC Change Management.
Automating risk level computing by using machine learning
The BMC Helix Cognitive Service Automation feature is uses machine learning capabilities to get recommendations for Risk Level in Change Management. For more information, see .