A framework for risk assessment based on analysis of historical information of workflow execution in IT systems

Services provided by modern organizations are usually designed, deployed, and supported by large-scale IT infrastructures. In order to obtain the best performance out of these services, it is essential that organizations enforce rational practices for the management of the resources that compose their infrastructures. A common point in most guides and libraries of best practices for IT management - such as ITIL or COBIT - is the explicit concern with the risks related to IT activities. Proactively dealing with adverse and favorable events that may arise during everyday operations might prevent, for example, delays in the deployment of services, cost overruns in activities, predictable failures of handled resources, and, consequently, waste of money. Although important, risk management in practice usually lacks automation and standardization in IT environments. Therefore, in this article, we introduce a framework to support the automation of some key steps of risk management. Our goal is to organize risk information related to IT activities, providing support for decision making and thus making risk response planning simpler, faster, and more accurate. The proposed framework is targeted at workflow-based IT management systems. The fundamental approach is to learn from problems reported in the history of previously conducted workflows in order to estimate risks for future executions. We evaluated the applicability of the framework in two case studies, both in IT-related areas, namely IT change management and IT project management. The results show that the framework is useful not only to speed up the risk assessment process, but also to assist the decision making of project managers and IT operators by organizing detailed risk information in a comprehensive way.
