Calculating risk weight


The risk weight is specified as a value from 20 percent to 100 percent. 20 percent represents the lowest weight for a risk, and 100 percent represents the highest.

You can set the value in 20 percent increments to 20, 40, 60, 80, or 100. The value of the weight is used as a multiplier for the risk value.

When risk values are combined into a single risk, the weights determine the relative importance of each risk value. Each risk is multiplied by its weight, and the products are added together. The calculated risk is the sum of each risk multiplied by its weight, divided by the total weight of all risks.


 (Risk1 × Weight1 ) + (Risk2 × Weight2) + (Risk3 × Weight3)
------------------------------------------------------------ = Calculated Risk
                Weight1 + Weight2 + Weight3

When the calculation is complete, the calculated value is either a whole number or a decimal number. Because the Risk Level is an integer, the system compares the calculated value to the ranges of Risk Levels defined in the CHG:ChangeRiskRanges form (a backend form) to get the corresponding integer value.

Risk value ranges.jpg

For example, out of the box, one of the ranges is 4.000001 to 5.00000, which gives a Risk Level of 5. So, if the calculated Risk Level value is any number in this range, the system sets the Risk Level to 5. You can customize these ranges if needed, but you need to ensure that there are no gaps between the ranges. For example, if the Risk Level 1 is set from 0.000000 to 1.500000, Risk Level 2 should start at 1.500001.


Rounding the calculated risk number

The calculated risk does not necessarily result in a whole number, so the result must be converted to the appropriate whole number.

Instead of rounding to the nearest number, a lookup form is used to determine what the whole number value should be. The lookup table is stored on the Change Risk Ranges (CHG:ChangeRiskRanges) form. By default, the values are set up to move any non-whole number to the next highest number.

  • 2.59 becomes 3
  • 2.00001 becomes 3
  • 3.99 becomes 4

The logic here is that no risk should be downplayed. Any risk greater than the whole number should be shown as the next risk up. So the resulting calculated risk is used to do a lookup against the Change Risk Ranges form, and the whole number value stored on the form is used as the risk.


Example of calculating the aggregate risk value

This example provides an overview of how BMC Helix ITSM: Change Management calculates aggregate risk value and how the weighting works.

This example works through a very simple case with two questions and one derived performance rating.

Question 1 — Can the change be easily rolled back? (Question Weight 20)

  • Yes (Risk 1)
  • No (Risk 5)

Question 2 — How many people does the change impact? (Question Weight 100)

  • 1-20 (Risk 1)
  • 21-40 (Risk 2)
  • 41-60 (Risk 3)
  • 61-80 (Risk 4)
  • 81 or more (Risk 5)

Derived risk — Change manager's performance (Weight 60)

For the change request example, the following data is used:

  • Question 1 — No (Risk 5)
  • Question 2 — 21-40 (Risk 2)
  • Derived Risk — Mary Mann

First, you must determine the risk of Mary Mann. Mary has been involved in 10 changes as CAB Manager. In these changes, Mary has acquired an overall performance rating of 2. You can use the performance rating to determine risk. The relationship between Performance Ratings and Aggregate Risk Value is inverse, so the overall Risk of Mary Mann is 4. The lower the performance, the higher the risk.

You now can perform the calculations on this data.

 (Risk1 × Weight1) + (Risk2 × Weight2) + (Risk3 × Weight3)
----------------------------------------------------------- = Calculated Risk
                Weight1 + Weight2 + Weight3

 (5 × 20) + (2 × 100) + (4 × 60)     540
--------------------------------- = ----- = 3
          20 + 100 + 60              180

Using the formula for calculating risk weight, the aggregate risk value is 3. Each change request has a risk value computed for it as the information about the change is modified. When you first save the change, a risk is initially computed based on the derived factors. Then when you answer, or change the answer to risk questions, and then save the change, the risk is computed again.

You can run a risk report to help you understand what information was used to compute the risk that is shown on the change request. For more information about Risk Reports, see Computing risk levels.

Risk level is the anticipated risk for the proposed change. The values are from 5 (highest risk) to 1 (lowest risk). For more information, see the following figure:

RiskLevel.png


Example of risk factor configuration

This example explains the risk factor configuration data for the Calbro Systems company to show how the system sets the risk level for a change request. When you create your own risk factor configuration data, note that the process will likely be iterative for you to get the desired risk levels for your given change use cases.

In this example, we have configured the following questions with the related risk weights and values within the Risk Factors Configuration form. This example explains how the system uses the data to calculate the risk level.

Risk factor                                                          Risk weight   Risk values
-------------------------------------------------------------------  ------------  --------------------------------------------------------------------
Will the change require a scheduled down time?                       60%           Yes – Risk Value = 5; No – Risk Value = 1
Will the change affect more than one CI?                             100%          Yes – Risk Value = 5; No – Risk Value = 1
Can the change be rolled back easily?                                100%          Yes – Risk Value = 1; No – Risk Value = 5
Is this a standard change that has been successfully done before?    60%           Yes – Risk Value = 1; No – Risk Value = 5; Unknown – Risk Value = 3

In addition, we have also configured the following derived risk factors:

Derived risk factor                         Field name           Risk weight
------------------------------------------  -------------------  -----------
Maximum priority of Configuration Items     CI Priority          100%
Performance rating of change coordinator    Change Coordinator   60%
Risk calculation based on change impact     Change Impact        100%

When we create a new change request where the Change Location Company is Calbro Systems, the system selects the above risk factors configuration and applies the risk questions and the derived risk factors to calculate the risk level as shown below.

  1. While creating the change request, set the value of Change Impact to 3-Moderate/Limited as this is used by the Risk Calculation based on Change Impact derived risk factor.

    Example_risk factor_Impact.jpg
  2. Relate the CI that the change request is changing.
    In this example, the CI Priority value is PRIORITY_4 as defined in the CMDB; this value is used by the Maximum Priority of Configuration Items derived risk factor.

    Important

    If there is more than one related CI, the system uses the priority value from the CI with the highest priority value.

     
    Example_risk factor_Relate CI.jpg

  3. Answer the risk factor questions as follows:

    Example_risk factor_answer risk questions.jpg
    After you save the change request, the Risk Level is automatically set to Risk Level 3 as shown below:

    Example_risk factor_risk level.jpg

To see how Risk Level 3 was determined, plug each risk factor's risk value and risk weight into the risk level equation. Note that there are four risk factor questions and three derived risk factors.

Example_risk factor_risk level formula.jpg

Risk factor value

Weight value

Risk factor values come from

Factor value 1.jpg

Weight value 1.jpg

Question: Will the change require a scheduled down time?
Answer: Yes

Factor value 2.jpg

Weight value 2.jpg

Question: Will the change affect more than one CI?
Answer: No

Factor value 3.jpg

Weight value 3.jpg

Question: Can the change be rolled back easily?
Answer: No

Factor value 4.jpg

Weight value 4.jpg

Question: Is this a standard change that has been successfully done before?
Answer: Yes

Factor value 5.jpg

Weight value 5.jpg

Derived Risk Factor: Maximum priority of Configuration Items
CI Priority = PRIORITY_4
The system derives the risk level by taking the equivalent enumerated value for PRIORITY_4, which is 1 as seen from Developer Studio.

Dev studio_5.jpg

The system then runs the CI Priority value through the following calculations to get the final Risk Level equivalent. It first sets CI Priority = CI Priority + 1, so CI Priority = 2, and then sets CI Priority = (5 - CI Priority) + 1, so CI Priority = (5 - 2) + 1 = 4, which becomes the risk level equivalent.

Factor value 6.jpg

Weight value 6.jpg

Derived Risk Factor: Performance rating of the change coordinator.

The risk value is determined by the data that has been calculated over time within the CHG:Risk Derived Factors form. For the change coordinator, there is only one previous rating.

Derived risk factors_6.jpg

The risk value is the average performance rating over time.

Factor value 7.jpg

Weight value 7.jpg

Derived Risk Factor: Risk calculation based on change impact.
Change Impact = 3-Moderate/Limited

The system derives the risk level by taking the equivalent enumerated value for 3-Moderate/Limited, which is 3000 as seen from Developer Studio.

Selections_7.jpg

The system then runs the Change Impact value through the following calculations to get the final risk level equivalent.

It first sets Change Impact = Change Impact / 1000 = 3 and then sets Change Impact = (4 - Change Impact) + 1, so Change Impact = (4 - 3) + 1 = 2, which becomes the risk level equivalent.

The following equation contains the preceding table values:

Example_risk factor_risk level formula_2.jpg

The equation returns the value 3. When this value is compared to the data in the CHG:ChangeRiskRanges form, it falls in the range 2.000001 to 3.000000, which equates to a Risk Level of 3.
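The weighted-average formula, the range lookup with its no-gaps rule, and the two derived-factor conversions described on this page, as an added Python example (not BMC code). The default range table is an assumption built from the two ranges the page quotes and its round-up rule, and all function names are hypothetical.

```python
from decimal import Decimal

STEP = Decimal("0.000001")  # the page's ranges are given to six decimals
WEIGHTS = (20, 40, 60, 80, 100)

# Assumed defaults as (low, high, level): constructed from the two ranges the
# page quotes and its round-up rule; real values live in CHG:ChangeRiskRanges.
DEFAULT_RANGES = [(Decimal(n - 1) + (STEP if n > 1 else 0), Decimal(n), n)
                  for n in range(1, 6)]

def range_gaps(ranges):
    """Return (end, next_start) pairs where adjacent ranges gap or overlap."""
    ordered = sorted(ranges)
    return [(a[1], b[0]) for a, b in zip(ordered, ordered[1:])
            if b[0] != a[1] + STEP]

def calculated_risk(factors):
    """Weighted average of (risk_value, weight) pairs."""
    factors = list(factors)
    if not factors or any(w not in WEIGHTS for _, w in factors):
        raise ValueError("need at least one factor; weights are 20..100 in steps of 20")
    total = sum(w for _, w in factors)
    return sum(Decimal(str(r)) * w for r, w in factors) / total

def risk_level(value, ranges=DEFAULT_RANGES):
    """Map a calculated risk to a whole Risk Level by range lookup, not rounding."""
    value = Decimal(str(value))
    for low, high, level in ranges:
        if low <= value <= high:
            return level
    raise LookupError(f"{value} falls outside every configured range")

def ci_priority_risk(enum_value):
    """CI Priority enum (PRIORITY_4 is 1 on the page): add 1, then (5 - x) + 1."""
    return (5 - (enum_value + 1)) + 1

def change_impact_risk(enum_value):
    """Change Impact enum (3-Moderate/Limited is 3000): /1000, then (4 - x) + 1."""
    return (4 - enum_value // 1000) + 1

if __name__ == "__main__":
    # The page's two-question example: (5 x 20) + (2 x 100) + (4 x 60) over 180.
    risk = calculated_risk([(5, 20), (2, 100), (4, 60)])
    print(risk, risk_level(risk))
    # Constructed customization that leaves a gap between levels 1 and 2.
    print(range_gaps([(Decimal("0"), Decimal("1.5"), 1), (Decimal("1.6"), Decimal("5"), 2)]))
```

Running `range_gaps` over a customized range table before saving it catches the gap the page warns about; a calculated value that lands in such a gap makes `risk_level` raise instead of returning a level.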

 
