
Chapter 5 of 13

Governance, Risk, and Controls in the ITIL 5 Service Management System

Board-level expectations, regulatory pressure, and cyber risk all converge on IT services. This chapter reveals how ITIL 5 positions governance, risk, and control so that teams deliver value without losing oversight or compliance.


1. Setting the Scene: Why Governance, Risk, and Controls Matter

Why This Matters

In 2026, boards, regulators, and customers expect IT services to be secure, reliable, and compliant. Failure brings fines, reputational damage, and even personal liability for executives.

ITIL 5’s Response

ITIL 5 treats service management as a system. Governance, risk, and controls are how the organization directs and controls that system to stay aligned, manage uncertainty, and prove compliance.

What You Will Learn

You will distinguish governance from management, see how risk, policies, and controls guide service management, and recognize exam questions about governance vs operational responsibilities.

Link to Previous Modules

Governance oversees all four dimensions of service management and ensures guiding principles and continual improvement support overall organizational direction, not just local IT optimization.

2. Governance vs Management in ITIL 5

Core Distinction

Governance directs and controls the organization. Management plans, builds, operates, and improves services within that direction and control.

Governance Responsibilities

Governance evaluates the environment and stakeholder needs, directs via policies and strategies, and monitors performance, compliance, and risk through reports and audits.

Management Responsibilities

Management designs value streams and processes, implements controls and tools, runs daily operations, and executes continual improvement within the governance framework.

Memory Aid

Governance: “Are we doing the right things, in the right way, for the right reasons?” Management: “How do we do these things efficiently and effectively?”

3. Example: Governance vs Management in a Cloud Outage

The Scenario

A major outage hits your customer portal hosted in the public cloud. Both governance and management must respond, but in very different ways.

Governance: Evaluate and Direct

Governance reviews business impact, reassesses strategic risk, updates risk appetite, approves resilience policies, and requires quarterly resilience reporting.

Governance: Monitor

Governance monitors uptime KPIs and supplier SLA breaches, and may commission independent audits of cloud resilience to verify management’s actions.

Management Response

Management redesigns the architecture, updates incident and change workflows, implements technical controls like failover, and runs post-incident reviews for continual improvement.

Key Insight

Governance does not design systems or run incidents. It sets expectations and boundaries, then checks if management’s actions meet them.

4. Risk Management in the ITIL 5 Service Management System

What Is Risk Here?

Risk is uncertainty that affects value. It includes threats like cyberattacks and outages, but also missed opportunities such as failing to adopt beneficial technologies.

Governance and Risk Appetite

Governance defines risk appetite and tolerance, such as acceptable downtime or data loss, which guide all service management decisions.

Risk in the SMS

Risk practices are embedded into value streams: change enablement, supplier management, information security, and service design use risk registers and treatment plans.

Risk-Based Decisions

Decisions on new services, suppliers, and technologies are evaluated against risk appetite and strategy, including new AI, privacy, and cyber regulations introduced since 2024.

Continuous Re-evaluation

Risk is not assessed once. It is continually re-evaluated as threats, technologies, and regulations evolve, and the SMS must adapt accordingly.

5. Thought Exercise: Classifying Governance vs Management Actions

Goal for this step: Practice distinguishing governance responsibilities from management responsibilities.

Read each action and decide if it is Governance (G) or Management (M). Think before you scroll down to reveal the suggested answers.

  1. Approving a statement that the organization will not store customer data outside specific legal jurisdictions.
  2. Choosing a specific cloud region in a provider’s console to comply with that statement.
  3. Requiring that all high-risk changes must include a documented security risk assessment.
  4. Running a security risk assessment for a planned database migration.
  5. Requesting a quarterly dashboard summarizing major incidents, root causes, and open risks.
  6. Building the dashboard and collecting the data from tools like ITSM and SIEM.

Suggested answers (check yourself):

  1. G – This is a policy decision aligned with regulatory and strategic concerns.
  2. M – This is an implementation choice within the policy.
  3. G – This sets rules for how risk is handled in the SMS.
  4. M – This is doing the operational work required by the rule.
  5. G – This is monitoring performance and risk at a high level.
  6. M – This is producing the information governance needs.

If you misclassified any, revisit Step 2 and the cloud outage example and look for the pattern: governance sets direction and oversight; management implements and operates.

6. Policies, Controls, and Decision-Making Structures

Policies: Intent into Rules

Policies are formal, governance-approved statements of intent and rules. Examples: information security, change and release, supplier, and data protection policies.

Controls: Enforcing Policies

Controls are measures that ensure policies are followed and that risks are managed. They can be preventive, detective, or corrective, and are often mapped to frameworks like NIST CSF or ISO 27002.

Structures: Who Decides What

Decision-making structures define who decides what and how: boards, risk committees, CABs, and architecture review boards all play roles in directing and controlling the SMS.

Why This Matters

Policies express governance intent. Controls and structures operationalize that intent, creating traceable, auditable decisions across the service management system.

7. Example: Aligning Services with Strategy and Compliance

The Exam Platform Scenario

A university launches an online exam platform. It must align with digital strategy, data protection law, and academic integrity expectations.

Governance: Evaluate and Direct

Governance weighs strategic benefits and risks, sets policies on data residency and authentication, defines risk appetite, and requires compliance mapping.

Governance: Monitor

Governance monitors uptime, incidents, and audits, and may commission independent penetration tests to verify that controls remain effective.

Management: Implement and Operate

Management chooses the platform and region, configures MFA and proctoring, sets up monitoring and runbooks, and maintains a control matrix for regulations.

Alignment in Practice

Strategy and compliance shape policies and risk appetite. Management’s technical and operational work must fit inside that governance framework.

8. Quick Check: Governance vs Management

Test your ability to separate governance responsibilities from management responsibilities in the ITIL 5 SMS.

Which of the following is MOST clearly a governance responsibility in the ITIL 5 Service Management System?

  A. Configuring automated failover between two data centers for a critical service.
  B. Approving the organization’s risk appetite statement for service availability and information security.
  C. Investigating a specific incident where a server went down during peak hours.
  D. Writing a script to automatically collect uptime metrics from monitoring tools.

Answer: B) Approving the organization’s risk appetite statement for service availability and information security.

Approving the organization’s risk appetite statement is a governance activity: it sets direction and boundaries for the SMS. The other options are management or operational tasks (designing, investigating, or implementing technical solutions).

9. Flashcards: Key Terms for Exams and Practice

Use these flashcards to reinforce the most important terms about governance, risk, and controls in ITIL 5.

Governance (in ITIL 5)
The means by which an organization is directed and controlled. At SMS level, it evaluates, directs, and monitors service management to ensure alignment with strategy, risk appetite, and stakeholder expectations.
Management (in ITIL 5)
The coordinated activities to plan, build, operate, and improve services within the boundaries set by governance, focusing on efficiency and effectiveness.
Risk (service management context)
Uncertainty that can positively or negatively affect value from services. Includes threats (outages, attacks) and missed opportunities (failure to adopt beneficial innovations).
Risk appetite
The amount and type of risk that an organization is willing to pursue or retain in pursuit of its objectives. Defined at governance level and used to guide decisions.
Policy
A formal, governance-approved statement of intent and rules that directs decisions and behaviors in the Service Management System (for example, information security policy).
Control
A measure (preventive, detective, or corrective) implemented to ensure that policies are followed and risks are managed within acceptable limits.
Decision-making structure
The defined forums and roles (board, risk committee, CAB, architecture board) that make and document specific types of decisions in the SMS.
Evaluate–Direct–Monitor
A governance cycle: evaluate the current and future state, direct via policies and strategies, and monitor performance, risk, and compliance.

10. Apply It: Interpreting Exam-Style Questions

Goal for this step: Practice spotting what exam questions are really asking about.

For each stem, decide if the exam is mainly testing governance or management/operations.

  1. “A board-level committee is concerned that recent major incidents were not escalated quickly enough. Which action is MOST appropriate?”
     • Are they testing governance or management? What kind of answer would fit?
  2. “A service manager needs to reduce the risk of unauthorized changes causing outages. Which practice should they improve first?”
     • Governance or management? What area of ITIL 5 is likely in focus?
  3. “An organization wants to ensure that all cloud suppliers meet regulatory requirements for data protection. Which governance mechanism is MOST appropriate?”
     • Governance or management? Which terms should you look for in the options?

Suggested thinking approach (do this mentally before checking):

  • If the question mentions board, executive, risk committee, policy, risk appetite, oversight, or assurance, it is probably about governance.
  • If it mentions service manager, process owner, tools, configuration, workflows, or implementation, it is usually about management/operations.

Try to rephrase the question in your own words as either:

  • “Who should set direction or rules here?” (governance), or
  • “Who should design, run, or improve something?” (management).

This simple filter will help you avoid common exam traps where answers mix governance and management actions.

Key Terms

Risk
Uncertainty that can positively or negatively affect objectives and value from services, including both threats and missed opportunities.
Policy
A formal, governance-approved statement of intent and mandatory rules that guide decisions and behaviors in the SMS.
Control
A preventive, detective, or corrective measure implemented to ensure policies are followed and risks are kept within acceptable limits.
Compliance
The ability to demonstrate that laws, regulations, standards, and internal policies are being followed, often evidenced through controls, audits, and documentation.
Governance
The system by which an organization is directed and controlled. In ITIL 5, governance evaluates, directs, and monitors the Service Management System to ensure alignment with strategy, risk appetite, and stakeholder expectations.
Management
Coordinated activities to plan, build, operate, and improve services within the boundaries set by governance, focusing on efficiency and effectiveness.
Risk appetite
The amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives, set at governance level.
Decision-making structure
The defined set of roles, forums, and committees (for example, board, risk committee, CAB) that make and document decisions affecting the SMS.
Evaluate–Direct–Monitor
A governance cycle: evaluate the current and projected state, direct via policies and strategies, and monitor performance, risk, and compliance.
Service Management System (SMS)
A management system that establishes policies, objectives, processes, and controls for managing services throughout their lifecycle, aligned with standards such as ISO/IEC 20000-1.
