Module 39: IT Operations Management

Risk often emerges from operational discipline failures — not technical complexity.

IT Operations Management ensures:

• Systems run reliably
• Changes are controlled
• Assets are tracked
• Incidents are handled properly
• Root causes are addressed

CRISC evaluates how operational processes influence risk exposure.

What the exam is really testing

When IT operations appears, CRISC is asking:

• Is change controlled?
• Are assets properly tracked?
• Are incidents escalated?
• Is root cause addressed?
• Are problems recurring?
• Is governance informed?

Operational breakdowns increase residual risk.

Change management

Change management controls how modifications are made to:

• Infrastructure
• Applications
• Configurations
• Security controls
• Production systems

Strong change management includes:

• Formal approval
• Impact analysis
• Testing
• Rollback planning
• Documentation
• Post-implementation review

CRISC frequently tests change bypass scenarios.

Change management risk traps

Weak change management leads to:

• Service outages
• Security misconfigurations
• Control failure
• Compliance violations
• Unauthorized access
• Incident spikes

If change is implemented without approval or testing, operational risk increases.

Example scenario

A firewall rule change is deployed without review, causing production outage.

Primary governance failure?

A. Weak inherent risk
B. Inadequate change management
C. Poor threat modeling
D. Excessive appetite

Correct answer:

B. Inadequate change management

Uncontrolled change increases operational risk.

IT asset management

Asset management ensures visibility into:

• Hardware
• Software
• Cloud services
• Data assets
• Licenses
• Configurations

Risk implications:

• Unknown assets = unmanaged risk
• Unsupported systems = vulnerability exposure
• Incomplete inventory = monitoring gaps

You cannot manage risk for assets you don’t know exist.

CRISC frequently tests asset visibility gaps.

Configuration management

Closely related to asset management:

• Standardized configurations
• Baseline definitions
• Configuration drift monitoring

Poor configuration management leads to:

• Inconsistent controls
• Patch failures
• Access misconfigurations
• Increased attack surface

Incident management

Incident management focuses on:

• Detecting incidents
• Responding quickly
• Containing damage
• Restoring operations
• Documenting lessons learned

CRISC distinguishes:

Incident — Event that disrupts operations
Problem — Root cause behind recurring incidents

Failure to escalate incidents may increase exposure.

Problem management

Problem management addresses:

• Root cause analysis
• Recurring incident trends
• Structural process weaknesses
• Long-term remediation

Fixing incidents without solving root causes leads to repeat exposure.

CRISC often tests this nuance.

Incident vs problem example

Recurring system outages caused by misconfigured deployment scripts.

Incident response fixes the outage each time.
Problem management redesigns the deployment process.

CRISC favors root cause correction.

Service level management

Operational monitoring includes:

• SLA adherence
• Performance thresholds
• Uptime targets
• Vendor performance metrics

SLA degradation may signal emerging risk.

Example scenario

Incidents are resolved quickly, but recurring root causes remain unaddressed.

What is the primary weakness?

A. Strong governance
B. Weak problem management discipline
C. Excessive mitigation
D. Low inherent risk

Correct answer:

B. Weak problem management discipline

Recurring incidents signal unresolved root causes.

The most common exam mistakes

Candidates often:

• Confuse incident response with problem management.
• Assume fast resolution equals low risk.
• Ignore asset inventory importance.
• Overlook configuration management.
• Forget change approval discipline.
• Focus only on security incidents, not operational ones.

CRISC evaluates operational maturity.

Slightly uncomfortable scenario

An organization has a strong change process on paper, but emergency changes are routinely approved retroactively without review.

What governance principle is MOST compromised?

A. Inherent risk scoring
B. Change control integrity
C. KRI alignment
D. Risk appetite

Correct answer:

B. Change control integrity

Emergency changes must still follow governance controls.

Operational risk & residual risk

Operational weaknesses can:

• Increase inherent risk
• Reduce control effectiveness
• Increase residual risk
• Create monitoring blind spots
• Delay escalation

Operational discipline directly affects risk posture.

Quick knowledge check

1) The primary purpose of change management is to:

A. Increase mitigation
B. Control modifications to reduce unintended risk
C. Improve KPIs
D. Reduce inherent risk only

2) Incident management primarily focuses on:

A. Root cause elimination
B. Immediate containment and recovery
C. Strategic planning
D. Risk aggregation

3) Failure to maintain an accurate asset inventory most directly increases:

A. Risk avoidance
B. Visibility and vulnerability exposure risk
C. Mitigation strength
D. KPI performance

Final takeaway

Strong IT Operations Management requires:

• Controlled change processes
• Accurate asset visibility
• Effective configuration management
• Structured incident response
• Root cause–focused problem management
• SLA monitoring
• Escalation discipline

Operational breakdowns often create more risk than technical flaws.

CRISC rewards candidates who understand operational maturity as a risk driver.