Formalizing process-based risk with Value-Focused Process Engineering

  • Original Article
  • Information Systems and e-Business Management

Abstract

Following calls to advance the integration of risk and business process modeling paradigms, this paper formalizes the process of incorporating risk into business process models through the principles of Value-Focused Process Engineering (VFPE). In doing so, the paper aims to extend the existing VFPE modeling notation to reflect a set of necessary constructs required to adequately represent risk in goal-oriented business-process models. The extended set of constructs is proposed to support a formal systems view of process-based risk. Process-based risk is formalized on the one hand, as a product of complex interactions between activity-based elements, and on the other hand, as a natural component of the value creation mechanism of an elementary function or a complex process. The proposed risk-aware VFPE formalism also formulates rules for decomposing risk in process models according to the organizational values, thereby enabling better risk visibility, reducing process complexity, and ensuring continuity of business processes.

Notes

  1. Note that one obvious example of an appropriate evaluation scale may include a suitably chosen combination of probability and impact ratings of an adverse event. Detailed discussion of scale development for risk objectives evaluation is addressed in the VFT component (Keeney 1992) of VFPE methodology and is beyond the scope of this paper.

References

  • Association of Insurance and Risk Managers (AIRMIC), National Forum for Risk Management in the Public Sector (ALARM), Institute of Risk Management (IRM) (2002) A risk management standard. AIRMIC, ALARM, IRM, London

  • Bai X, Krishnan R, Padman R (2007) Design of risk management strategies in business process information flow. In: Rivard S, Webster J (eds) Proceedings of the international conference on information systems (ICIS 2007) Montreal, December 9–12, 2007, AIS, CD-Rom

  • Boehm B, Bose P (1994) A collaborative spiral software process model based on theory W. In: Proceedings of 3rd international conference on the software processes, IEEE, 11 Aug 1994, pp 59–68

  • Carr M, Kondra S, Monarch I et al (1993) Taxonomy-based risk identification. Technical report CMU/SEI-93-TR-006. The Software Engineering Institute, Carnegie Mellon University, pp 1–90

  • Chapman RJ (2006) Simple tools and techniques for enterprise risk management. Wiley, Chichester

  • Chittister C, Haimes YY (1993) Risk associated with software development: a holistic framework for assessment and management. IEEE Trans Syst Man Cybern B Cybern 23(3):710–723

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) Enterprise risk management—integrated framework. Executive summary framework. American Institute of Certified Public Accountants, New York

  • Currie CV (2004) Basel II and operational risk—an overview. In: Cruz M (ed) Operational risk modelling and analysis: theory and practice. Risk Books, London, pp 59–104

  • Daellenbach HG (1994) Systems and decision making: a management science approach. Wiley, Chichester

  • Davis R (2001) Business process modelling with ARIS: a practical guide. Springer, London

  • Dumas M, van der Aalst WMP, ter Hofstede HAM (eds) (2005) Process-aware information systems: bridging people and software through process technology. Wiley, Hoboken

  • Eicher J, Ruder D (2007) Business process analytics: a new approach to risk. J Altern Invest 10(2):76–84

  • Fettke P, Loos P (2007) Framework and meta-model for specifying business components. Bus Process Manag J 13(5):628–643

  • Gaudenzi B, Borghesi A (2006) Managing risks in the supply chain using the AHP method. Int J Logist Manag 17(1):114–136

  • Grey W, Shi D (2005) Enterprise risk management: a value chain perspective. In: Labbi A (ed) Handbook for integrated risk management for e-business: measuring, modelling and managing risk. J Ross Publishing, New York, pp 1–33

  • Haimes YY (2004) Risk modeling, assessment, and management, 2nd edn. Wiley, New York

  • Hatfield AJ, Hipel KW (2002) Risk and systems theory. Risk Anal 22(6):1043–1057

  • Haubenstock M (2003) The operational risk management framework. In: Alexander C (ed) Operational risk: regulation, analysis and management. Prentice Hall, Upper Saddle River

  • Hevner AR, March S, Park J, Ram S (2004) Design science in information systems research. MIS Q 28(1):75–105

  • Holmes A (2002) Risk management: ExpressExec module 5.1 finance. Capstone Publishing, Oxford

  • Jallow AK, Majeed B, Vergidis K et al (2007) Operational risk analysis in business processes. BT Technol J 25(1):168–177

  • Keeney RL (1992) Value-focused thinking: a path to creative decision making. Harvard University Press, Cambridge

  • Keller G, Teufel T (1998) SAP R/3 process—oriented implementation: iterative process prototyping. Addison Wesley Longman, Harlow

  • King JL (2001) Operational risk: measurement and modelling. Wiley, Chichester

  • Klinke A, Renn O (2002) A new approach to risk evaluation and management: risk-based, precaution-based, and discourse-based strategies. Risk Anal 22(6):1071–1094

  • Lambert JH, Jennings RK, Joshi NN (2006) Integration of risk identification with business process models. Syst Eng 9(3):187–198

  • Loos P (1997) Capture more data semantic through the expanded entity-relationship model (PERM) Arbeitsbericht des Instituts für Wirtschaftsinformatik Münster, p. 53

  • Marais K (2005) A new approach to risk analysis with a focus on organizational risk factors. Ph.D. thesis, Department of Aeronautical and Astronautical Engineering, Massachusetts Institute of Technology

  • March S, Smith G (1995) Design and natural science research on information technology. Decis Support Syst 15:251–266

  • Mock R, Corvo M (2005) Risk analysis of information systems by event process chains. Int J Crit Infrastruct 1(2/3):247–257

  • Neiger D, Churilov L (2003) Structuring business objectives: a business process modelling perspective. In: van der Aalst W, ter Hofstede A, Weske M (eds) Proceedings of the 1st international conference on business process management (BPM 2003) LNCS 2678. Springer, Berlin, pp 72–87

  • Neiger D, Churilov L (2004) Goal-oriented and business process modelling with EPCs and value-focused thinking. In: Desel J, Pernici B, Weske M (eds) Proceedings of the 2nd international conference on business process management (BPM 2004) LNCS 3080. Springer, Berlin, pp 98–115

  • Neiger D, Churilov L (2006) Intelligent decision support through synchronized decomposition of process and objectives structures. In: Proceedings of the thirty-ninth annual Hawaii international conference on system sciences (HICSS 2006), IEEE Computer Society

  • Neiger D, Churilov L, zur Muehlen M et al (2006) Integrating risks in business process models with value focused process engineering. In: Proceedings of the 14th European conference on information systems (ECIS 2006). Göteborg, Sweden, AIS

  • Neiger D, Rotaru K, Churilov L (2009) Supply chain risk identification with value-focused process engineering. J Oper Manag 27(2):154–168

  • Sarbanes-Oxley Act (2002) http://www.news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf Accessed 27 Apr 2008

  • Scandizzo S (2005) Risk mapping and key risk indicators in operational risk management. Econ Notes 34(2):231–256

  • Scheer A-W (1994) Business process engineering: reference models for industrial enterprises, 2nd edn. Springer, Berlin

  • Scheer A-W (1999) ARIS—business process frameworks, 3rd edn. Springer, Berlin

  • Scheer A-W (2000) ARIS—business process modeling, 3rd edn. Springer, Berlin

  • Slovic P (1999) Trust, emotion, sex, politics, and science: surveying the risk-assessment battlefield. Risk Anal 19(4):689–701

  • Takeda H, Nishida T (1994) Integration of aspects in design process. In: Gero JS, Sudweeks F (eds) Artificial intelligence in design. Kluwer Academic Publishers, The Netherlands, pp 309–326

  • Takeda H, Veerkamp P, Tomiyama T et al (1990) Modeling design processes. AI Mag 11(4):37–48

  • Turner JV, Hunsucker JL (1999) Effective risk management: a goal based approach. Int J Tech Manag 17(4):438–458

  • vom Brocke J, Buddendick C (2006) Reusable conceptual models—requirements based on the design science research paradigm. In: Hevner AR (ed) Proceedings of the first international conference on design science research in information systems and technology (DESRIST 2006), 24–25 Feb 2006, Claremont, pp 576–604

  • Wand Y, Weber R (2002) Research commentary: information systems and conceptual modeling—a research agenda. Inform Syst Res 13(4):363–376

  • White D (1995) Applications of systems thinking to risk management: a review of the literature. Manag Decis 33(10):35–45

  • Wolf E (2005) IS risks and operational risk management in banks. Joseph Eul Verlag, Lohmar-Koln

  • Young PC, Tippens SC (2001) Managing business risk: an organization-wide approach to risk management. AMACOM, American Management Association, New York

  • zur Muehlen M, Ho DT-Y (2006) Risk management in the BPM lifecycle. In: Bussler C, Haller A (eds) Business process management workshops (BPM 2005). Workshop on business process design: past, present, future. LNCS 3812, Springer, Berlin, pp 454–466

  • zur Muehlen M, Rosemann M (2005) Integrating risks in business process models. In: Proceedings of the 16th Australasian conference on information systems (ACIS 2005), Sydney, Australia, 30 Nov–2 Dec 2005, CD-Rom

Author information

Correspondence to Kristian Rotaru.

Additional information

This paper is an extended version of the paper entitled “Formalizing Risk with Value-focused Process Engineering” accepted for inclusion in the 16th European Conference on Information Systems, Galway, Ireland, 9–11 June 2008.

About this article

Cite this article

Rotaru, K., Wilkin, C., Churilov, L. et al. Formalizing process-based risk with Value-Focused Process Engineering. Inf Syst E-Bus Manage 9, 447–474 (2011). https://doi.org/10.1007/s10257-009-0125-5

  • DOI: https://doi.org/10.1007/s10257-009-0125-5
