This documentation applies to the 8.1 version of Change Management, which is in "End of Version Support."

Configuring risk assessment

Risk assessment involves computing the total risk of making a change based on risk-related questions and the derived risk. The derived risk can be based on historical performance and the impact or priority of a change or CI. The higher the risk on a change request, the more time you should take to consider the impact of the proposed change and whether to proceed.

The following table displays the numeric values for each risk level:

Risk assessment

| Aggregate risk value | Risk level |
|---|---|
| 1 | Minimal (lowest risk) |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Extreme (highest risk) |

Risk factor questions

As an application administrator, you can create risk factors based on weighted answers to multiple-choice questions. Each question can carry its own risk weight, and each answer can carry its own risk value. The change coordinator's answers to these questions enable you to compute a more detailed risk value based on a set of specific circumstances rather than simply choosing one of the predefined risk levels.

The change request must be saved after answering the risk factor questions to view the updated risk value.

Change managers and virtualization administrators use the risk value to determine how much the change request impacts their company. Armed with this information, they can plan and schedule their changes accordingly.

You can create different sets of questions for different companies. With the BMC Remedy IT Service Management Virtualization Lifecycle Management extension, you can now also create different sets of questions for different operational categorizations. When the change coordinator or virtualization administrator creates a change request, the questions for the applicable company and operational categorization are displayed. If no questions are defined for the company and operational categorization of the change request, the global questions are displayed.

Example

You might create one set of risk factor questions for provisioning a virtual machine (VM) and another set of risk factor questions for removing a VM. The following table illustrates the two operational categorizations for which you might create the two sets of risk factor questions:

| Tier | Operational categorization 1 | Operational categorization 2 |
|---|---|---|
| 1 | Request | Request |
| 2 | Virtual Machine | Virtual Machine |
| 3 | Provision | Remove |

If you select all three levels of categorization, you can create different questions for provisioning and removing a VM. If you select the first two levels of categorization, you can create a set of risk factor questions for all VM requests, regardless of whether they are for provisioning, removing, or changing a VM.

You can choose how to word your questions and responses. A good example of a risk question is, "Will this change impact more than 100 people?" The answer can be Yes or No. You might specify Yes as a risk value of 5, and then specify No as a risk value of 1. You could specify Yes and No to have other risk values, such as 4 and 2.

You could ask this same question in another way: "How many people will this change affect?" The answers could then be 1-25 (risk 1), 26-50 (risk 2), 51-75 (risk 3), 76-100 (risk 4), and more than 100 (risk 5).

Both of these questions provide similar information. It is up to the application administrator to understand how important the specific details are. Yes or No questions are quicker to answer, but they limit the choices.

These questions then appear in the Risk Assessment Questions dialog box that the change coordinator accesses by clicking the Risk Info button (next to the Risk Level field) on the Infrastructure Change form.

The change coordinator's responses are recorded and associated with the change entry in the CHG:ChangeRiskFactors form. This back-end form is for reference only, and is not intended to be viewed by users or administrators.

Derived risk factors

Derived risk factors are based on historical performance data, the impact or priority of the change request, and the impact or priority of the attached CI. When a change is completed, the change manager or coordinator must enter a performance rating, as listed in the following table. This performance rating is a combined consideration of all derived factors on a change.

Note

When working in Best Practice View, the change coordinator or change manager does not enter the performance rating. There is a predefined configured default value that is automatically applied.

Performance ratings

| Performance rating | Performance rating level |
|---|---|
| 1 | Lowest (worst rating) |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Highest (best rating) |

Performance ratings are recorded for each change request. The historical ratings are used to compute an overall performance for each of the derived risk factors. The performance history becomes more meaningful as more changes are accomplished. The performance rating becomes an average of the performance of the assigned manager or the chosen operational categorization. This in turn allows a more accurate risk assessment to be performed on new changes.

Note

Performance ratings for changes are not rolled into the average performance until the change is closed. A completed change does not yet have the performance rating averaged into the overall rating.

When a change is completed, the change manager or change coordinator must enter a performance rating to close the request. This performance rating is used for computational purposes, based on all derived factors related to the change. Derived risk factors are based on the historical performance of different aspects of a change. For all configured derived risks, a cumulative performance rating is stored for that aspect of the change.

For example, one derived risk aspect that can be configured allows for tracking of the performance of the change manager. When a change is completed, a performance rating is recorded. This rating is stored on the change, and when the change closes, the status becomes Closed. The performance rating is then averaged into the existing performance rating for the change manager.

Example

Mary Mann, a change manager, has been involved in only one change as the change manager, so the number of ratings is set to 1. She had a low performance rating on the change in which she was involved, and the performance rating is set to 1. This means that Mary is considered a high risk on the next change where she is the change manager. For the next change in which Mary is involved, she performed better and received a medium rating (3). The average rating for Mary is now 2 (total performance ratings / number of ratings). The more changes that she manages, the better overall performance the system will have when calculating risk.

You can create a collection of risk factors that are derived from pre-existing data in the BMC Change Management application, such as the priority of related configuration items (CIs), the performance rating of a manager or support group, the CI priority and impact, or the change priority and impact. The risk values for the derived factors are recorded and associated with the change request.

This derived factor is calculated in the Performance Rating field on the Classification tab that rates the work done when the change request is completed.

Note

Risk and Performance have an inverse relationship. A high performance rating leads to a lower risk, and a low performance rating means a higher risk, as shown in the following table.

Performance ratings and aggregate risk values

| Performance rating | Aggregate risk value |
|---|---|
| 1 (Low) | 5 |
| 2 | 4 |
| 3 | 3 |
| 4 | 2 |
| 5 (High) | 1 |
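
The derived-risk bookkeeping described above (a rating stored at Completed, averaged in only at Closed, then inverted into a risk value), shown as an added Python example that is not BMC code. The class and function names are hypothetical, and rounding a fractional average to the nearest rating is an assumption, because the page does not say how non-integer averages map to a risk value.

```python
from dataclasses import dataclass
from typing import Optional

# From the page's table: performance rating -> aggregate risk value (inverse).
RATING_TO_RISK = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}

@dataclass
class Change:                       # hypothetical stand-in for a change request
    manager: str
    status: str = "Draft"
    rating: Optional[int] = None
    rolled_up: bool = False

class ManagerHistory:               # one derived factor: change manager performance
    def __init__(self):
        self.totals = {}            # manager -> (sum of ratings, number of ratings)

    def complete(self, change, rating):
        if rating not in RATING_TO_RISK:
            raise ValueError("performance rating must be 1-5")
        change.status, change.rating = "Completed", rating  # stored, not yet averaged

    def close(self, change):
        if change.rating is None:
            raise ValueError("a performance rating is required to close")
        change.status = "Closed"
        if not change.rolled_up:    # roll into the average exactly once
            total, count = self.totals.get(change.manager, (0, 0))
            self.totals[change.manager] = (total + change.rating, count + 1)
            change.rolled_up = True

    def average(self, manager):
        total, count = self.totals.get(manager, (0, 0))
        return total / count if count else None

    def derived_risk(self, manager):
        avg = self.average(manager)
        if avg is None:             # no closed changes yet, so no history
            return None
        return RATING_TO_RISK[min(5, max(1, int(avg + 0.5)))]  # ASSUMPTION: round half up

def mary_example():
    """Replay the page's Mary Mann example; returns (average, risk) after each step."""
    h, seen = ManagerHistory(), []
    first, second = Change("Mary Mann"), Change("Mary Mann")
    steps = [(h.complete, first, 1), (h.close, first), (h.complete, second, 3), (h.close, second)]
    for fn, *args in steps:
        fn(*args)
        seen.append((h.average("Mary Mann"), h.derived_risk("Mary Mann")))
    return seen
```

The third step is the case the note above describes: the second change is Completed with a rating of 3, but the average stays at 1 until that change is Closed.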

For additional information, you can view the BMC Communities blog post on Risk assessment in BMC Change Management.


Comments

  1. Roger Jakobs

    Is there a setting to force the user to fill out the risk assessment?

    Or is it purely optional and the manager has to check it to be filled out?

    Aug 06, 2013 11:11
  2. Peter Schroff

    The field is mandatory but defaults to a value which I am not sure is calculated.

    Though I have not checked this, I would assume that if you can disallow direct write access from the GUI (if it is a drop-down box) and at the same time clear the default you should be able to force someone to use the assessment. In order to successfully save the change request you would need to supply a value. The only way would be through the risk assessment.

    So in my view the short answer is: The assessment is not required by default but it could be made required with ease.

    Nov 18, 2013 07:53
  3. David Fisher

    Is there any reference that tells the reader a Change Request must be saved BEFORE Risk is calculated? A common misconception is Risk will modify as questions are answered but, since Risk is calculated with filters, users won't see the Risk value calculated until AFTER a CRQ is saved.

    May 23, 2014 02:31
    1. Priya Shetye

      Hi David,

      I've added the note to the Risk Factor questions section. 

      Regards,

      Priya

      Apr 03, 2017 04:35
  4. Robert Page

    In the example given for Derived risk factors it states that Mary was given a performance rating, and below the example it is stated that the Performance Rating is on the Classification tab.  Neither of which are available in the Best Practice View but the documentation does not state this.

    Secondly in services we do not encourage customers to use anything but the Best Practice view because of the additional configuration effort and the threat that it will no longer be supported at some point.

    The derived risk factor documentation needs to be changed to reflect what can be achieved through the Best Practice view, and as footnote items associated to the Classic view can be mentioned.

     

    Dec 24, 2014 05:47
    1. Bruno Muniz

      I agree, Robert.

      I have a customer confused about why a rule should be defined if this will never be used (or, in this case, if used, as the value will be always the same, seems like just a confusing additional risk factor).

      Can someone affirm that performance rating will be discontinued?

      Regards.

      Aug 11, 2015 01:45
  5. Ramasubbu Mk

    Hi Team,

    Can you explain to me how the Change manager/Coordinator enters the performance rating in the change request, once the Change is moved to Completed/Closed status?

     

    In the above Example it says "She had a low performance rating on the change in which she was involved, and the performance rating is set to 1"

    How did she get a low performance rating, and who is doing that? And where and how to do it?

    Sep 10, 2016 11:16
    1. Sirisha Dabiru

      Hi Ramasubbu Mk,

       

      Will check and get back to you.

       

      Regards,

      Sirisha

      Sep 13, 2016 01:14
  6. Ricky .

    Hi all,

     

    I agree with the others' comments about the derived factors in the best practice view. It makes me confused about how to explain this function to the customers, because we need to get the Performance rating field out to the best practice view first before we want to use it, while there are rules for setting the default performance rating.

     

    I have the same question as Ramasubbu Mk.

     

    And does the overall performance rating value of the change manager/change coordinator also set the average value at first, after we choose the change manager/change coordinator when we submit the change request? If not, how do we know the performance rating value for the assigned change manager/change coordinator? Are there any reports about the performance of each change manager/change coordinator?

     

    Regards,

    Mar 19, 2017 05:58