May 22-24, 2007, Washington Dulles Hilton
The Business Transformation Conference
Michael zur Muehlen, Ph.D., Asst. Professor of Information Systems, Stevens Institute of Technology
Session Title: Operational Risk Management and BPM
Welcome to Transformation and Innovation 2007, The Business Transformation Conference

Operational Risk Management and Bpm

Nov 03, 2014


Business Process Managers are faced with two different tasks: Improve organizational performance by streamlining and automating workflows while ensuring compliance with regulatory and audit requirements. Both tasks involve the notion of process risk, and introduce a series of questions: Does the risk exposure of a given process match the risk appetite of the enterprise? Are there better ways to mitigate certain risk factors by redesigning our processes? And how can we measure the level of compliance during the execution of a given process? Contemporary process modeling languages offer little help in identifying and mapping process risk. This session addresses a multiperspective approach to capturing and understanding process risk, and illustrates ways to use this newfound information to create innovative process designs that address risk factors in a cost effective way.
Transcript
Page 1: Operational Risk Management and Bpm

May 22-24, 2007 Washington Dulles Hilton

The Business Transformation Conference

Michael zur Muehlen, Ph.D.
Asst. Professor of Information Systems
Stevens Institute of Technology
Session Title: Operational Risk Management and BPM

Welcome to Transformation and Innovation 2007, The Business Transformation Conference

Page 2: Operational Risk Management and Bpm

What this Talk is About
- Risk: Driving Process Management
- What are operational risks in the context of BPM?
- How to identify operational risks
- How to prioritize operational risks
- How to make better decisions based on risk information

Page 3: Operational Risk Management and Bpm

Motivation
Drivers for Business Process Management (BPM)
- Performance
  - Business Process Improvement
  - Engineering of Process-aware IS
- Compliance
  - Mandated compliance (e.g. SOX)
  - Desired compliance (e.g. ISO, ITIL)

Page 4: Operational Risk Management and Bpm

You’re Hired
- Process: New Hire Integration
  - Background Check
  - Allocation of office space
  - Reservation of phone, pager
  - Creation of access rights in operational systems
- Problem: Lost productivity due to late provisioning of work infrastructure
- Automating the process coordination reduced cycle time from 2 week average to 2 days
- BPM Goal: Performance

Page 5: Operational Risk Management and Bpm

You’re Fired
- Process: Employee Termination
  - Removal of computer access rights
  - Collection of company-issued phone, pager, access card
  - Removal from employee directory
- Problem: Not all equipment is collected, access rights remain after an employee leaves
- Automating the process coordination ensures that no step is forgotten
- BPM Goal: Compliance

Page 6: Operational Risk Management and Bpm

Operational Process Risk
- Operational Risk:
  - Probability that a process will either fail to meet its objectives or make excessive use of resources to meet them
  - A degradation in process output or process consistency
  - Can be valued financially
- Risk is an inherent property of any business process
- Quantifying operational risk exposure is difficult

Page 7: Operational Risk Management and Bpm

Process and Risk Management

[Figure: Process and Risk. Labels: Process-oriented Risk Management; Risk-oriented Process Management]

Page 8: Operational Risk Management and Bpm

Process-Risk Management
- How can we systematically identify operational process risk?
- How can we represent risk in popular process modeling methods?
- How can we quantify the risk exposure of processes and portfolios?
- How can we determine the cost effectiveness of process controls?
- How can we support risk-aware process design?

Page 9: Operational Risk Management and Bpm


Risk Management Lifecycle

Page 10: Operational Risk Management and Bpm

Potential Benefits
Systematic measurement of Process Risk enables us to:
- Provide risk-adjusted process configurations
- Manage the risk of process portfolios
- Determine the capital reserve necessary to cover operational risk contingencies
- Design fault-tolerant processes

Page 11: Operational Risk Management and Bpm

Risk Management and BPM

| Risk Management | BPM |
|---|---|
| Focused on ensuring value for stakeholders | Focus on providing value for stakeholders |
| Risk is an inherent property of business processes | Performance depends on effectiveness of business processes |
| Risk is mitigated by process design | Performance is influenced by process design |
| Feedback is obtained through Risk Indicators assigned to systems and processes | Feedback is obtained through Performance Indicators assigned to systems and processes |
| Risk is mitigated through optimized processes | Performance objectives are achieved through optimized processes |

Compare Frew (2006)

Page 12: Operational Risk Management and Bpm

Case Study: Where’s the Money?

Page 13: Operational Risk Management and Bpm

Case Study
- Payroll process at Australian university
  - Failed in June 2005
  - 2000+ employees not paid in time
  - Expensive mediation procedure
- Reasons
  - Data entry mistake
  - Established mitigation procedure (double sign-off) failed
  - Lack of risk awareness

Page 14: Operational Risk Management and Bpm

Payroll Process

Page 15: Operational Risk Management and Bpm


Process without Control Activities

Page 16: Operational Risk Management and Bpm


Common Risk Modeling

Page 17: Operational Risk Management and Bpm

Risk Properties
- Risk owner
- Risk category (e.g. Financial, Operational, Market, Strategic)
- Last risk evaluation
- Review period
- Risk occurrence history
- Quantitative & Qualitative evaluation:
  - Amount of damages
  - Occurrence frequency

Page 18: Operational Risk Management and Bpm

Control Activity Properties
- Key Control Activity (Yes/No)
- Control type, e.g. preventive, reactive
- Control category, e.g. audit, password
- Design effectiveness
- Operating effectiveness
- Manual / Automated

Page 19: Operational Risk Management and Bpm


Closer Look At The Process

Page 20: Operational Risk Management and Bpm


Component Risk

Page 21: Operational Risk Management and Bpm

A Closer Look: Faults, Errors, Failures

Page 22: Operational Risk Management and Bpm

Risk = Faults, Errors, and Failures
- Fault
  - Vulnerability of a process that may lead to process failure
  - Error-enabling context
  - Can be active or dormant
  - Example: Unavailability of a database server
- Error
  - Action that may lead to failure
  - Example: Attempt to retrieve data from the unavailable DB
- Failure
  - Event, when process output deviates from correct output
  - Example: Process aborts due to lack of necessary data

Page 23: Operational Risk Management and Bpm

Chain of Threats
Faults enable Errors
- But errors might not happen for a long time
- Process design should strive to minimize faults
- If faults cannot be avoided we need error detection

Page 24: Operational Risk Management and Bpm

Chain of Threats
Errors may lead to Failures
- Options: prevention, detection, or mitigation
- If faults are known, we can minimize errors: poka-yoke
- Cost, effort play a role

Page 25: Operational Risk Management and Bpm

Chain of Threats
Failures become visible at Interfaces
- Noticeable once the process result leaves your hands
- Service interfaces can be described in a hierarchical fashion
- Interfaces are unsuitable for error mitigation:
  Point of No Return = time of hand-over – recovery time

Page 26: Operational Risk Management and Bpm

Fault Latency

[Figure: Fault Latency. Labels: Fault, Error, Failure. Boxes: Inexperienced Staff Member on Duty; Data Entry Mistake; Faulty Payroll Run Approved; Complacent Staff; Faulty Payroll Run Transmitted]

Page 27: Operational Risk Management and Bpm

Where to Look First: Priorities

Page 28: Operational Risk Management and Bpm

Prioritize: Not All Failures are Equal

[Figure: matrix of Effect against Likelihood]
Likelihood (columns): Unlikely, Seldom, Occasional, Likely, Frequent
Effect (rows): Loss of Process Capability; Loss of Process Instance; Compromise of Process Instance Goal; Minor effect or obstruction

Page 29: Operational Risk Management and Bpm


Process Objectives

Page 30: Operational Risk Management and Bpm


Risk/Goal Matrix

Page 31: Operational Risk Management and Bpm


Understand Risks – Then Manage Them

Source: zur Muehlen, Rosemann (2005)

Matching Mitigation?

Page 32: Operational Risk Management and Bpm

Evaluation of Process Design Alternatives

| Alternative | Entry cost | Approval cost | Probability: incorrect data entry | Probability: error missed during approval process | Comb. risk | Rectific. cost | Utility |
|---|---|---|---|---|---|---|---|
| 1. single entry, single approval | $1,000 | $500 | 0.05 | 0.3 | 0.015 | $250,000 | -$5,250 |
| 2. double entry, single approval | $2,000 | $500 | 0.0025 | 0.3 | 0.00075 | $250,000 | -$2,688 |
| 3. single entry, double approval | $1,000 | $1,000 | 0.05 | 0.09 | 0.0045 | $250,000 | -$3,125 |
| 4. double entry, double approval | $2,000 | $1,000 | 0.0025 | 0.09 | 0.000225 | $250,000 | -$3,056 |

Page 33: Operational Risk Management and Bpm

Sensitivity Analysis

Alternative with the best utility. Rows: probability of data entry error. Columns: probability of error being missed during the approval process.

| Entry error \ Missed | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 | 0.9 |
|---|---|---|---|---|---|---|---|---|---|
| 0.01 | alt 1 | alt 1 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
| 0.05 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
| 0.1 | alt 3 | alt 2 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 2 | alt 2 |
| 0.15 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.2 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.25 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.35 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.4 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.45 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.5 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.7 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.9 | alt 3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
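The evaluation and sensitivity tables above can be recomputed from a small expected-cost model. This Python sketch is an added example, not part of the original slides; it assumes, as inferred from the slide's figures (0.05 becomes 0.0025, 0.3 becomes 0.09), that doubling a step squares its failure probability, and that utility is the negative of entry cost plus approval cost plus combined risk times rectification cost. All function names are illustrative.

```python
from fractions import Fraction as F

# Figures taken from the slide "Evaluation of Process Design Alternatives".
RECTIFICATION_COST = 250_000
ENTRY_COST = {"single": 1_000, "double": 2_000}
APPROVAL_COST = {"single": 500, "double": 1_000}
ALTERNATIVES = {  # alternative number -> (entry mode, approval mode)
    1: ("single", "single"),
    2: ("double", "single"),
    3: ("single", "double"),
    4: ("double", "double"),
}


def combined_risk(alt, p_entry, p_missed):
    """Probability that a wrong entry is made and survives approval.

    Assumption inferred from the slide's numbers: a doubled step fails only
    if both independent passes fail, so its probability is squared.
    Fractions keep the arithmetic exact, so ties are real ties.
    """
    entry, approval = ALTERNATIVES[alt]
    p = F(str(p_entry)) ** (2 if entry == "double" else 1)
    q = F(str(p_missed)) ** (2 if approval == "double" else 1)
    return p * q


def utility(alt, p_entry, p_missed):
    """Negative expected cost: control costs plus risk-weighted rectification."""
    entry, approval = ALTERNATIVES[alt]
    expected_loss = combined_risk(alt, p_entry, p_missed) * RECTIFICATION_COST
    return -(ENTRY_COST[entry] + APPROVAL_COST[approval] + expected_loss)


def best_alternative(p_entry, p_missed):
    """Alternative with the highest utility; exact ties go to the lower number."""
    return max(ALTERNATIVES, key=lambda alt: (utility(alt, p_entry, p_missed), -alt))


def sensitivity_grid(entry_probs, missed_probs):
    """Rows: probability of a data entry error. Columns: probability of a miss."""
    return [[best_alternative(p, q) for q in missed_probs] for p in entry_probs]


if __name__ == "__main__":
    for alt in ALTERNATIVES:
        print(alt, float(combined_risk(alt, 0.05, 0.3)), round(utility(alt, 0.05, 0.3)))
    qs = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]
    for p in [0.01, 0.05, 0.1, 0.15, 0.2, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5, 0.7, 0.9]:
        print(p, sensitivity_grid([p], qs)[0])
```

At an entry-error probability of 0.1 and a miss probability of 0.2, alternatives 2 and 3 cost exactly the same under this model; the tie-break toward the lower number is a choice made in this example.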

Page 34: Operational Risk Management and Bpm

From Control Activities to Control Patterns

Page 35: Operational Risk Management and Bpm

Managing Risks

Page 36: Operational Risk Management and Bpm

Risk Management Strategies

| Risk Mgmt. Strategy | Description | Examples |
|---|---|---|
| Mitigation | Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them. | Standardized process routing; Formalized exception handling; Complete kit processing; Collaboration, checks & balances |
| Avoidance | Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with. | Process redesign |
| Transfer | Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts. | Process Outsourcing; Purchase of Insurance Policies |
| Acceptance/Assumption | Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy. | Adaptation to regulatory requirements |

Page 37: Operational Risk Management and Bpm

Compliance
- Compliance means adherence to rules and regulations
- Process models provide execution rules
  - Control flow: What happens when?
  - Task allocation: Who is involved?
  - Role models: Who may do what?
- But what about context?
  - Business object dependencies: Value/Customer Type
  - Environmental dependencies: Season/Off-season processing
  - Regulatory compliance: Documentation/Audit
  - Correlation of multiple processes

Page 38: Operational Risk Management and Bpm

Managing Risk with BPMS
- Use formal Process Models to limit process non-compliance
  - Process Models can be scripts or maps
  - If Scripts: Use BPMS to automate control flow, task allocation, application/service invocation
  - If Maps: Use collaborative tools to allow execution flexibility
- BPMS provide risk management services
  - Authorizations / Access Control
  - Enforcement of routings, reviews
  - Audit capability to document compliance

Page 39: Operational Risk Management and Bpm

Managing Risk with BRMS
- Use Business Rules to limit contextual non-compliance
  - Document process objectives to prevent business rules from turning into process rules
  - Performance Objectives combine BAM with BRMS
  - Decision rules allow context-dependent enforcement of oversight
- Use Business Rules Management System to enforce compliance
  - Document rules limit the state changes on documents
  - Example: Can’t go from draft to approved without review
  - Customer rules configure case handling

Page 40: Operational Risk Management and Bpm

Takeaways
- Map Risks from different angles
  - Faults (can’t eliminate all)
  - Errors (prevent, detect, mitigate)
  - Failure (where is the point-of-no-return?)
- Use Process Objectives to determine critical risk factors
- Use Scenario Techniques to test different risk management strategies
- Compliance refers to Process Rules and Business Rules
  - Don’t confuse the two
  - BPMS can help document and audit process rules
  - BRMS can help enforce contextual rules

Page 41: Operational Risk Management and Bpm

Crisis = Risk + Opportunity

Page 42: Operational Risk Management and Bpm

Thank You

Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone: +1 (201) 216-8293
Fax: +1 (201) 216-5385
E-mail: [email protected]
http://www.cebpi.org

5th International Conference on Business Process Management
Brisbane, Australia, 25-27 September 2007
http://bpm07.fit.qut.edu.au/

Page 43: Operational Risk Management and Bpm

Publications
- Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.
- zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).
- zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.

PDFs available at: http://www.cebpi.org