Multi-Factor risk assessment for DevOps changes


The DevOps and IT Change Governance teams need change requests to be approved quickly so that the required updates can be deployed faster to support the business. However, the business should also be protected from bad changes by enforcing risk evaluation. To evaluate the risk level of a change created from a third-party application, BMC Helix Multi-Cloud Broker provides the Risk Calculation service. The service calculates the risk level of a change request when it is brokered from a third-party application to BMC Helix ITSM. The calculated risk level data is automatically added to the BMC Helix ITSM Change record. 

Risk management configurations

As an administrator, you can view and update the risk management configurations to define the risk value and weightage for development groups and services used to calculate the risk level of a change request. 

The following configurations are available in the Risk Management section:

Configuration name

Purpose

Manage CI Property To Risk Value Mapping

Defines the risk value associated with a CI's priority or any other field on AST:BaseElement form when calculating risk level.

Important:

This value is not required for integrations developed by using BMC Helix iPaaS, powered by Jitterbit.

Manage Development Groups

Defines the risk value associated with a development group in your third-party application.

If the development group used to create a third-party record does not exist in the BMC Helix Multi-Cloud Broker configuration, it is added automatically when the third-party record is created.

By default, the risk level for the group is set to 50.

You can update this value as per your organization's requirements.

Important:

Out of the box, the third-party application may not have specific fields for development groups. You can use existing fields or add custom fields for the values of development groups associated with the third-party application record.

Manage Risk Mapping

Defines the mapping of the risk values to low, medium, and high.

Out of the box, the following values are defined:

  • Low: 0-10
  • Medium: 11-60
  • High: 61-100

Manage Risk Rules

Defines the weightage to be used when calculating the risk level.

If you add multiple rules, ensure that the total weightage of all the rules is 100.

Important:

At least one risk rule must be defined to activate the Risk Calculation service.

For more information about how the risk values are calculated, see How the risk values are calculated.

To activate the risk calculation service

To activate risk calculation, you must complete the following tasks:

Task

Action

Description

1

Update the field mapping for Change to add the Status Reason Code in the Vendor Metadata for Jira.

To update the field mappings, see To update vendor field mappings for ITSM change.

2

Update the status reason code field value to Status Reason.

Perform this step so that the rule to trigger the risk recalculation gets the correct value of status reason code.

To perform this step, see To update the Status Reason Code field.

3

Map the Jira fields to be used for risk calculation to the Vendor Group and Service fields in BMC Helix Multi-Cloud Broker.

  • For integrations developed by using BMC Helix Integration Service, update the Create Change flow.
  • For integrations developed by using BMC Helix iPaaS, powered by Jitterbit, update the transformation in the Vendor Workflow operation.

4

Configure the Sync Change flow to sync the Status reason field with the BMC Helix Multi-Cloud Broker application.

This mapping is required to sync the Status reason field so that the risk value is updated when a change is completed.

Important:

This configuration is not required for integrations developed by using BMC Helix iPaaS, powered by Jitterbit.

5

Define a risk rule.

At least one risk rule must be defined for the Risk Calculation service to be activated.

To update vendor field mappings for BMC Helix ITSM change

  1. Log in to BMC Helix Multi-Cloud Broker.
  2. Click Settings.
  3. Select Configure Vendors > Manage Vendor Metadata.
  4. On the Map Vendors page, click the Map vendors icon.
  5. For the Vendor Field Mapping, click the curly-brace (field mappings) icon.
  6. Under com.bmc.dsm.ticket-brokering-lib:Change, add the field ID 450000159 for Remedy to Vendor Sync Fields.
  7. Save your changes.

To update the Status Reason Code field

  1. Log in to BMC Helix Innovation Studio.
  2. From the Processes tab, open Change Operations.
  3. On the canvas, click Update Change Values.
  4. In the Properties section, in the Element Properties tab (gear icon), perform the following steps:
    1. In INPUT MAP, click Add/Remove Input Map Fields.
    2. Select the checkbox for Status Reason Code and click Apply.
    3. Under Status Reason Code, click Click to build an expression.
    4. In the Edit Expression dialog box, under Process Variables, expand CHG Infrastructure Change, and add the Status Reason field.
    5. Click OK.
  5. Click Save.

To update a field mapping for integration templates developed by using BMC Helix Integration Service

  1. Log in to BMC Helix Integration Studio, and navigate to My Flows.
  2. Open the Create Change flow.
  3. Click the Details tab.
  4. Expand Field Mapping.
  5. Map the following BMC Helix Multi-Cloud Broker fields to the third-party application field used to define the risk calculation factors:
    • Vendor Group to the field used to define the development group.
    • Service to the field used for defining the service. 
  6. Save the flow.

To update field mappings for integration templates developed by using BMC Helix iPaaS, powered by Jitterbit

  1. Log in to BMC Helix iPaaS, and navigate to the Integration Studio. 
  2. Open the integration template project. 

    Important

    Risk rules are applicable only for integrations with BMC Helix ITSM change requests.

  3. Select the Components tab, and search for the Prepare Create Change Data From Issue transformation of the Create MCB Change from Jira operation in Vendor Workflow.
  4. Select the transformation, click the Ellipses (...), and select View/Edit.
  5. In the target section, click the script icon for the [ 0, 1 ] Vendor_Group (string) field and add the script to map the field ID of the field associated with a development group in the third-party application in the following format:
    <trans>
    $jsonObj["issue"]["fields"]["customfield_<fieldId>"]["value"];
    </trans>

    For example, if you have a custom field Vendor Group with field ID 10155 defined in Jira, add the following script:
    <trans>
    $jsonObj["issue"]["fields"]["customfield_10155"]["value"];
    </trans>

    Important

    • Out of the box, the third-party application may not have specific fields for development groups or services. You can use existing fields or add custom fields for the values of development groups or services associated with the third-party application record.
    • If the [ 0, 1 ] Risk_Level (string) is mapped in the Prepare Create Change Data From Issue transformation, this value takes precedence over the calculated risk value.

To define a risk rule

  1. Log in to BMC Helix Multi-Cloud Broker and click Settings.
  2. Navigate to Risk Management > 4. Risk Rules > Map Risk Rules.
  3. To add a new risk rule, click +Risk Rule.
  4. Add the following values: 

    Field Name

    Description

    Source Metrics

    Select the value based on the source for which you are defining the metrics:

    • Risk Metric - Development Group—Rule for a development group metric
    • Risk Metric - Technology Service—Rule for a service metric
    • Risk Metric - CI property—Rule for a CI property metric

    Weight

    The weight percentage to be used for this metric when calculating the risk level.

    Technology Provider

    Select the name of the third-party application.

    Status

    Select Enable to activate the rule.

    Description

    Enter a short description of the rule.

    CI Property Field ID

    Enter the ID of the CI property field, as defined in the Manage CI Property To Risk Value Mapping.

    This field is mandatory if you have selected the Risk Metric - CI properties option in the Source Metrics field.

    CI Search Qualification

    Use this field to determine additional search qualifications for requests that are sent to the AST:BaseElement form.

    This is useful when customers have multiple records with the same CI name.

  5. Click Save.

You can define multiple risk rules and add the weight percentage for each rule. The total weightage of all risk rules defined must be 100.

Example of how the risk values are calculated

  1. When an issue is created in Jira, the user selects a service and development group. 
  2. In the corresponding BMC Helix Multi-Cloud Broker record that is created, the Risk Calculation service calculates the risk level based on the Development Group, Service metrics, or CI rules defined in BMC Helix Multi-Cloud Broker.  These metrics include the risk value and the weightage for the Development Group and Service. 
    • Weightages are defined in the risk rules
    • Risk value of the development group is defined in the Development Groups configuration
    • Risk value of a service is defined from the Risk Metrics - Service record of the Risk Management service

      If the risk values defined for a specific development group and service are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and of the service as 30%, the risk level is calculated as follows:

      ((5 * 70) + (50 * 30)) / (70+30) = 18.5

      Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

      18.5 / 100 * 4 = 0.74, rounded to 1 (Risk Level 1)


    • Risk value of the development group is defined in the Development Groups configuration, and that of a CI is defined in Manage CI Property To Risk Value Mappings configuration.

      If the risk values defined for a specific development group and CI are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and of the CI as 30%, the risk level is calculated as follows:

      ((5 * 70) + (50 * 30)) / (70+30) = 18.5

      Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

      18.5 / 100 * 4 = 0.74, rounded to 1 (Risk Level 1)


      Important

      The Development, Service, or CI rules cannot be applied simultaneously. Either the Development and Service rules or the Development and CI rules are applied. The CI rule takes precedence over the service rule in risk calculation. If BMC Helix Multi-Cloud Broker cannot find the CI sent by Jira in BMC Helix Multi-Cloud Broker, it searches for the service in the Risk Management library. The risk is calculated as per the risk weight associated with the applied rule.

  3. The risk level is added to the change record created in BMC Helix ITSM from the BMC Helix Multi-Cloud Broker record. 

    Important

    You can configure auto-approval rules in BMC Helix ITSM so that low risk changes are automatically approved and high risk changes are evaluated before being approved. 

    When the change request is approved and moves to Planning in Progress, the Jira issue is updated with the approval status providing the DevOps team with the current status of a change request.

  4. The Risk Calculation service tracks the status of the change requests. When the change is completed, based on the success or failure of the change, the risk level of the development team is increased or decreased by 20. However, the range of the risk level is maintained between 0 - 100, which ensures the risk levels are realistic and based on the capability of a development team to deliver a change.

    For example, the risk level defined for the development team working on the change request is set to 40. If the change they are implementing is closed successfully, the risk level of the development team is automatically reduced to (40-20)=20.

    If the change they are implementing is closed as a failure, the risk level of the development team is automatically increased to (40+20)=60.

    Note that if the risk value is 90, it is incremented to 100 for a successful change. Similarly, if the risk value is 10, it is decreased to 0 for an unsuccessful change.
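The calculation and the development-group adjustment described above, as an added Python example that is not BMC code, useful for checking a planned rule set before relying on auto-approval. The metric keys (`group`, `service`, `ci`) and function names are hypothetical, half-up rounding is an assumption, and the adjustment follows the direction stated in step 4 (success lowers the value, failure raises it).

```python
import math

GROUP_STEP = 20   # adjustment applied when a change is completed (step 4)
LEVEL_MAX = 4     # Change risk level enum ranges from 0 to 4

def check_rules(rules):
    """rules: {metric: weight %}. At least one rule, total weightage 100."""
    if not rules:
        raise ValueError("at least one risk rule must be defined")
    total = sum(rules.values())
    if total != 100:
        raise ValueError(f"rule weights total {total}, expected 100")

def weighted_risk(rules, values):
    """values: {metric: risk value 0-100, or None when not resolved}.
    The development group is combined with the CI when a CI value was
    found, otherwise with the service (CI takes precedence)."""
    use_ci = "ci" in rules and values.get("ci") is not None
    applied = [m for m in ("group", "ci" if use_ci else "service")
               if m in rules and values.get(m) is not None]
    weight = sum(rules[m] for m in applied)
    if weight == 0:
        raise ValueError("no rule applies to this record")
    return sum(values[m] * rules[m] for m in applied) / weight

def to_level(score):
    """Normalize a 0-100 score to the 0-4 enum (half-up rounding assumed)."""
    return math.floor(score / 100 * LEVEL_MAX + 0.5)

def adjust_group(risk, succeeded):
    """Move the group's risk value by 20 and keep it within 0-100."""
    delta = -GROUP_STEP if succeeded else GROUP_STEP
    return max(0, min(100, risk + delta))

def demo():
    rules = {"group": 70, "service": 30}      # constructed sample rule set
    check_rules(rules)
    score = weighted_risk(rules, {"group": 5, "service": 50})
    return score, to_level(score)

if __name__ == "__main__":
    print(demo())
```
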


 
