Anyone doing CI-based risk determination for changes?
01-24-2018 10:41 AM
My team is re-evaluating how we determine the level of risk to apply to any given change submitted for approval. One of the options raised was to assign a minimum level of risk based on a CI's 'standing' within the organization. For example, some applications are much more critical to the organization than others. That said, changes to these applications would carry a higher minimum risk level.
If your organization is performing CI-based risk determination, I would be interested in:
- the criteria used to determine your minimum levels (# of users, lost revenue, damage to reputation, regulatory violation, etc.)
- level of and number of reviewers who would review the change
- the amount of time allotted for review based on level of risk (e.g. 7 calendar days for a very high risk change)
- are you using the SN-provided risk levels or did you customize your own
- types of supporting documents based on risk level
Please feel free to include anything I might have missed.
Thanks in advance for your replies,
Mike Moisan
02-27-2018 09:42 AM
Hey Mike!
I'd love to be in on this conversation, as this is a subject we're wrestling with too.
We are creating a customized risk & impact calculator, and one consideration is having SNOW automatically add "Risk Points" to a CI if it has had a P1 or P2 w/in the previous 90 days. I have no idea how to do this, but on the surface it seems to be a good hybrid.
Glad to see you're still at Northern & doing well there. Please say "Hello" to Andrew & Sohail for me.
-Lee
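
One way to combine the two ideas raised in this thread, a minimum risk level set by the CI's standing plus "Risk Points" for P1/P2 incidents in the previous 90 days, shown as an added example that is not code from either poster or from ServiceNow. The level names, criticality mapping, point values, thresholds and sample records are all assumptions; on a real instance the incident list would come from a query on the incident table instead of an inline array.

```javascript
// Added example: level names, point values and thresholds are assumptions.
const LEVELS = ["low", "moderate", "high", "very high"];

// Assumed mapping from a CI's business criticality to its minimum risk level.
const MIN_LEVEL_BY_CRITICALITY = { low: 0, medium: 1, high: 2, critical: 3 };

const POINTS = { 1: 2, 2: 1 }; // assumed risk points per P1 / P2 incident
const POINTS_PER_LEVEL = 2;    // assumed: every 2 points raises the risk one level
const WINDOW_DAYS = 90;        // look-back window from the thread

// Sum risk points for P1/P2 incidents opened against this CI inside the window.
function incidentRiskPoints(ciName, incidents, now) {
  const end = now.getTime();
  const start = end - WINDOW_DAYS * 24 * 60 * 60 * 1000;
  return incidents
    .filter((i) => i.ci === ciName)
    .filter((i) => {
      const t = Date.parse(i.openedAt);
      return t >= start && t <= end;
    })
    .reduce((sum, i) => sum + (POINTS[i.priority] || 0), 0);
}

// Final risk = max(requested level, CI floor), raised by incident points, capped.
function changeRisk(ci, requestedLevel, incidents, now) {
  const requested = LEVELS.indexOf(requestedLevel);
  if (requested < 0) throw new Error(`unknown risk level: ${requestedLevel}`);
  const floor = MIN_LEVEL_BY_CRITICALITY[ci.criticality];
  if (floor === undefined) throw new Error(`unknown criticality: ${ci.criticality}`);
  const points = incidentRiskPoints(ci.name, incidents, now);
  const bump = Math.floor(points / POINTS_PER_LEVEL);
  const level = Math.min(Math.max(requested, floor) + bump, LEVELS.length - 1);
  return { level: LEVELS[level], floor: LEVELS[floor], points };
}

// Constructed sample data (hypothetical CI names and incidents).
const NOW = new Date("2018-02-27T00:00:00Z");
const INCIDENTS = [
  { ci: "payments-api", priority: 1, openedAt: "2018-01-15T08:00:00Z" },  // in window
  { ci: "payments-api", priority: 2, openedAt: "2017-10-01T08:00:00Z" },  // older than 90 days
  { ci: "intranet-wiki", priority: 2, openedAt: "2018-02-10T08:00:00Z" }, // in window
  { ci: "intranet-wiki", priority: 3, openedAt: "2018-02-20T08:00:00Z" }, // P3, no points
];

console.log(changeRisk({ name: "payments-api", criticality: "high" }, "low", INCIDENTS, NOW));
console.log(changeRisk({ name: "intranet-wiki", criticality: "low" }, "moderate", INCIDENTS, NOW));
```
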