Multi-Factor risk assessment for Devops changes

DevOps and IT Change Governance teams need change requests to be approved quickly so that the required updates can be deployed faster to support the business. However, the business should also be protected from bad changes by enforcing risk evaluation. To evaluate the risk level of a change created from Atlassian JIRA Software,  Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome. provides the Risk Calculation service that calculates the risk level of a change request when it is brokered from JIRA Software to Remedy IT Service Management (ITSM) or BMC Helix IT Service Management (ITSM). The calculated risk level data is automatically added to the Remedy ITSM Change record. 

Risk Management configurations

As an Administrator, you can view and update the risk management configurations to define the risk value and weightage for Jira development groups and services that are used to calculate the risk level of a change request. 

The following configurations are available in Risk Management section:

Activating the Risk Calculation service

To activate risk calculation, you must complete the following tasks:

• Update the Create Change flow to map the Jira fields to be used for risk calculation to the Vendor Group and Service fields in Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome..
• Configure the Sync Change flow to sync the Status reason field with the Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome. application. Failing to do so will not sync the Status reason field and the risk value will not change when a change is completed.
• Define at least one risk rule.

To update the Create Change flow

1. Log in to Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome., and navigate to My Flows.
2. Open the Create Change flow.
3. Click the Details tab.
4. Expand the Field Mapping. Map the following Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome. fields to the Jira field used to define the risk calculation factors. 
   1. Vendor Group to the Jira field that is used for defining the development group.
   2. Service to the Jira field used for defining the service. 
5. Save the flow.

To define a risk rule

• 
  
  1. Log in to BMC Helix Multi-Cloud Service Management and click Settings.
  2. Navigate to Risk Management > 4. Risk Rules > Map Risk Rules.
  3. To add a new risk rule, click +Risk Rule.

  4. Add the following values: 

     Field Name	Description
     Source Metrics	Select the value based on the source for which you are defining the metrics: - Risk Metric - Development Group—Rule for a development group metric - Risk Metric - Technology Service—Rule for a service metric - Risk Metric - CI property—Rule for a CI property metric
     Weight	The weight % to use when using this metric to calculate the risk level.
     Technology Provider	Select JIRA.
     Status	Select Enable to make the rule active.
     Description	Enter a short description for the rule.
     CI Property Field ID	This field is mandatory if you have selected Risk Metric - CI properties option in Source Metrics field.
     CI Search Qualification	Use this field to determine additional search qualification for requests that are sent to AST:BaseElement form. It is useful for cases when customers have multiple records with the same CI name.

  5. Click Save.

How the risk values are calculated

1. When an issue is created in Jira, the user selects a service and development group. 
2. In the corresponding BMC Helix Multi-Cloud Service Management record that is created, the Risk Calculation service calculates the risk level based on the Development Group, Service metrics, or CI rules defined in BMC Helix Multi-Cloud Service Management.  These metrics include the risk value and the weightage for the Development Group and Service. 
   • Weightages are defined in the risk rules. 

   • Risk value of the development group is defined in the Development Groups configuration, and that of a service is defined in from the Risk Metrics - Service record of the Risk Management service. 

     Example

     The risk values defined for a specific development group and Service are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and service as 30%, risk level is calculated as follows:

     ((5 * 70) + (50 * 30)) / (70+30) = 18.5

     Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

     18.5 / 100 * 4 = 0.74 = 1 (round off) = Risk Level 1

   • Risk value of the development group is defined in the Development Groups configuration, and that of a CI is defined in Manage CI Property To Risk Value Mappings configuration.

     Example

     The risk values defined for a specific development group and CI are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and CI as 30%, risk level is calculated as follows:

     ((5 * 70) + (50 * 30)) / (70+30) = 18.5

     Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

     18.5 / 100 * 4 = 0.74 = 1 (round off) = Risk Level 1

     Note

     The Development, Service, or CI rules cannot be applied simultaneously. Either Development and Service or Development and CI rules are applied. CI rule takes precedence over service rule in risk calculation. If Excerpt named productname was not found in document xwiki:Service-Management.IT-Service-Management.BMC-Helix-Multi-Cloud-Service-Management.multicloudprevious._InclusionsLibrary.WebHome. cannot find the CI sent by JIRA in ITSM, it will search for the service in Risk Management library. The risk is calculated as per the risk weight associated with the applied rule.

3. The risk level is added in the change record created in Smart IT from the BMC Helix Multi-Cloud Service Management record. 

   Note

   You can configure auto approval rules in Remedy ITSM so that low risk changes are automatically approved and high risk changes are evaluated before being approved. 

   When the change request is approved and moves to Planning in Progress, the Jira issue is updated with the approval status providing the DevOps team the current status of a change request.

4. The Risk Calculation services track the status of the change requests. When the change is completed, based on the success or failure of the change, the risk level of the development team is increased or decreased by 20. However, the range of the risk level is maintained between 0 - 100, that ensures the risk levels are realistic and based on the capability of a development team to deliver a change.

   Example

   For example, the risk level defined for the development team working on the change request is set to 40. If the change they are implementing is closed successfully, the risk level of the development team is automatically reduced to (40-20)=20.

   If the change they are implementing is closed as a failure, the risk level of the development team is automatically increased to (40+20)=60.

   Note, if the risk value is 90, it is incremented to 100 for a successful change. Similarly, if the risk value is 10, it is decreased to 0 for an unsuccessful change.