Problem Management as an IT Service Optimization Process

By Larissa Carvalho

Constant problems in the Information Technology (IT) environment and services, whether minor or severe, can have significant financial and reputational impacts on the organization, and those impacts can last for the short, medium or long term. These problems must be evaluated accurately and in the shortest possible time so that their impact is reduced and they can be worked around.

What is problem management?

The Problem Management process is responsible for managing the entire life cycle of problems that are raised to the areas involved in dealing with them. At some point, it may be necessary to schedule or engage external teams, for example providers of specific solutions, to carry out or support the resolution of a problem. Problem management aims to prevent recurring problems and to minimize their impact, since they cannot be completely avoided. The process seeks not only to address and correct problems, but also to identify and understand their causes and to determine the best method of eliminating the root cause.

Types of Problem Management

Reactive Problem Management: IT applies a workaround to minimize impacts and then investigates the issue after the event has occurred. A workaround is a temporary, not definitive, action whose purpose is to restore the affected service. The following activities are carried out: identification, recording, classification, prioritization, investigation and diagnosis, evaluation of workarounds, identification of known errors, resolution, conclusion and review of serious problems.

Proactive Problem Management: The IT area prevents problems by analyzing events in order to identify trends and possible weaknesses in the IT environment. With this information available, it is possible to make continuous improvements.

Benefits of Problem Management

More Proactivity, Less Reactivity: It is common for the IT area not to have a workaround or definitive solution available in time to deal with a problem and, when it does, to restore the service without identifying the root cause. After a while, the problems recur. It is advantageous for the area designated to handle the event to spend considerable time finding the root cause so that the problems do not happen again, which leaves time to dedicate to continuous improvement in the IT environment.

Better Quality in the Delivery of IT Services: Events dealt with without definitive solutions can become recurrent and generate increasingly large and unnecessary impacts, including significant financial loss and reduced confidence of internal and external customers in the delivery of the services provided. Using a known error database (BDEC) can speed up event diagnosis and prevent the same problem from happening again. Such a database is an information repository containing workarounds and complete solutions for known problems that have been identified and addressed.

Proactive and fast handling by the IT area demonstrates its competence in dealing with the situation, which generates satisfaction and increases the confidence of internal and external customers.

Improved Organizational Learning: An organization that is engaged in problem management and practices it assertively creates an environment that favors the exchange of experiences and is open to discussion of events, which can be shared among the members responsible for dealing with the problems. Discussions and sharing of information about the problems identified do not seek to find culprits and punish them, but to find solutions. The organization needs to support a culture of learning and knowledge sharing among members of the IT area so that they can carry out continuous investigations and optimize event resolution time.

Problem Monitoring and Tracking: It is crucial that the full traceability of events is recorded in an approved tool, where only authorized users can update the information, and that progress is fully monitored. The information on these events is considered a record and may be requested by an auditor during internal and external audits.

Problem Management vs Incident Management

While the incident is the unplanned interruption or reduction of an IT service, the problem is the root cause of one or more incidents. As an analogy, it can be said that incidents are the “symptoms” that indicate a more serious “disease”, called a problem.

The incident management process is responsible for restoring service as quickly as possible so that the impact is reduced and the ticket can be handled and closed, but the root cause of the incident will still be investigated and addressed in the Problem Management process. Problem management is responsible for eliminating the source of the problem and ensuring that one or more incidents do not recur.

In this way, it is possible to identify that the actions carried out in the problem and incident management process are increasingly intertwined and centralized. Depending on the size and segment of the organization, different teams can be appointed to deal with each of the processes, for example: while one area or members of this area concentrate efforts to resolve the incident, the other seeks to investigate the root cause of the incident. In view of this, effective communication is necessary to deal with the incident and restore the impaired services.

Performing problem management is complex and requires teams to centralize their efforts in responding to incident and problem calls so that they do not recur. The purpose of this article is to give a brief overview of this process and of its importance in organizations: it improves the quality of service delivery to external and internal customers and, at the same time, optimizes the cost and time of dealing with incidents.

The problem management process is a mandatory requirement established in the NBR ISO/IEC 20000:2018 standard. This standard contains good practices, standardization and recommendations used worldwide, and organizations that obtain certification gain many advantages, including customer confidence, competitive advantage in the market and access to new customers.

Acquiring an outsourced ISO 20000 implementation service is the first step the organization needs to take to establish a Service Management System, restructure and adapt existing processes, and introduce new processes to meet the requirements established in the standard.

— Larissa Carvalho is a GRC and Information Security Consultant at SAFEWAY
