May 22-24, 2007 Washington Dulles Hilton
The Business Transformation Conference
Michael zur Muehlen, Ph.D.
Asst. Professor of Information Systems
Stevens Institute of Technology
Session Title: Operational Risk Management and BPM
Welcome to Transformation and Innovation 2007, The Business Transformation Conference
Business Process Managers are faced with two different tasks: improve organizational performance by streamlining and automating workflows, while ensuring compliance with regulatory and audit requirements. Both tasks involve the notion of process risk and introduce a series of questions: Does the risk exposure of a given process match the risk appetite of the enterprise? Are there better ways to mitigate certain risk factors by redesigning our processes? And how can we measure the level of compliance during the execution of a given process? Contemporary process modeling languages offer little help in identifying and mapping process risk. This session addresses a multi-perspective approach to capturing and understanding process risk, and illustrates ways to use this newfound information to create innovative process designs that address risk factors in a cost-effective way.
Transcript

What this Talk is About
Risk: Driving Process Management
What are operational risks in the context of BPM?
How to identify operational risks
How to prioritize operational risks
How to make better decisions based on risk information

Motivation
Drivers for Business Process Management (BPM)
Performance
Business Process Improvement
Engineering of Process-aware IS
Compliance
Mandated compliance (e.g. SOX)
Desired compliance (e.g. ISO, ITIL)

You’re Hired
Process: New Hire Integration
Background Check
Allocation of office space
Reservation of phone, pager
Creation of access rights in operational systems
Problem: Lost productivity due to late provisioning of work infrastructure
Automating the process coordination reduced cycle time from 2 week average to 2 days
BPM Goal: Performance

You’re Fired
Process: Employee Termination
Removal of computer access rights
Collection of company-issued phone, pager, access card
Removal from employee directory
Problem: Not all equipment is collected, access rights remain after an employee leaves
Automating the process coordination ensures that no step is forgotten
BPM Goal: Compliance

Operational Process Risk
Operational Risk: Probability that a process will either fail to meet its objectives or make excessive use of resources to meet them
A degradation in process output or process consistency
Can be valued financially
Risk is an inherent property of any business process
Quantifying operational risk exposure is difficult

Process and Risk Management
Process / Risk
Process-oriented Risk Management
Risk-oriented Process Management

Process-Risk Management
How can we systematically identify operational process risk?
How can we represent risk in popular process modeling methods?
How can we quantify the risk exposure of processes and portfolios?
How can we determine the cost effectiveness of process controls?
How can we support risk-aware process design?

Risk Management Lifecycle

Potential Benefits
Systematic measurement of Process Risk enables us to:
Provide risk-adjusted process configurations
Manage the risk of process portfolios
Determine the capital reserve necessary to cover

Control Activity Properties
Key Control Activity (Yes/No)
Control type, e.g. preventive, reactive
Control category, e.g. audit, password
Design effectiveness
Operating effectiveness
Manual / Automated

Closer Look At The Process

Component Risk

A Closer Look: Faults, Errors, Failures

Risk = Faults, Errors, and Failures
Fault: Vulnerability of a process that may lead to process failure
Error-enabling context
Can be active or dormant
Example: Unavailability of a database server
Error: Action that may lead to failure
Example: Attempt to retrieve data from the unavailable DB
Failure: Event, when process output deviates from correct output
Example: Process aborts due to lack of necessary data

Chain of Threats: Faults enable Errors
But errors might not happen for a long time
Process design should strive to minimize faults
If faults cannot be avoided we need error detection

Chain of Threats: Errors may lead to Failures
Options: prevention, detection, or mitigation
If faults are known, we can minimize errors: poka-yoke
Cost, effort play a role

Chain of Threats: Failures become visible at Interfaces
Noticeable once the process result leaves your hands
Service interfaces can be described in a hierarchical fashion
Interfaces are unsuitable for error mitigation:
Point of No Return = time of hand-over – recovery time

Fault Latency
Figure (Fault / Error / Failure chain): Inexperienced Staff Member on Duty; Data Entry Mistake; Faulty Payroll Run Approved; Complacent Staff; Faulty Payroll Run Transmitted

Where to Look First: Priorities

Prioritize: Not All Failures are Equal
Likelihood (columns): Unlikely | Seldom | Occasional | Likely | Frequent
Effect (rows): Loss of Process Capability | Loss of Process Instance | Compromise of Process Instance Goal | Minor effect or obstruction

Process Objectives

Risk/Goal Matrix

Understand Risks – Then Manage Them
Source: zur Muehlen, Rosemann (2005)
Matching Mitigation?

Evaluation of Process Design Alternatives
Alternative | Entry cost | Approval cost | Probability: Incorrect data entry | Probability: Error missed during approval process | Comb. risk | Rectific. cost | Utility
1. single entry, single approval | $1,000 | $500 | 0.05 | 0.3 | 0.015 | $250,000 | -$5,250
2. double entry, single approval | $2,000 | $500 | 0.0025 | 0.3 | 0.00075 | $250,000 | -$2,688

Best alternative by probability of data entry error (rows) and probability of error being missed during the approval process (columns):
p(entry error) \ p(missed) | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 | 0.9
0.01 | alt 1 | alt 1 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2
0.05 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2
0.1 | alt 3 | alt 2 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 2 | alt 2
0.15 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.2 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.25 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.35 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.4 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.45 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.5 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.7 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
0.9 | alt 3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4
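The utility figures on this slide equal the fixed step costs plus the expected rectification loss (combined risk times rectification cost), which is what makes a scenario sweep possible. The following added example is not code from the talk: it reproduces the slide's two rows and then sweeps both error probabilities to pick the better alternative per cell. It assumes that double entry only lets an error through with probability p^2 (matching 0.05 -> 0.0025), and it covers only alternatives 1 and 2, since alternatives 3 and 4 are not defined in this transcript.

```python
"""Risk-adjusted utility of process design alternatives (added example)."""
from dataclasses import dataclass

RECTIFICATION_COST = 250_000.0  # cost of fixing a failure after the hand-over


@dataclass(frozen=True)
class Alternative:
    name: str
    entry_cost: float      # fixed cost of the data entry step(s)
    approval_cost: float   # fixed cost of the approval step
    entry_passes: int      # 1 = single entry, 2 = independent double entry

    def p_entry_error(self, p_single: float) -> float:
        # Assumption: with double entry an error only slips through if both
        # independent entries are wrong, i.e. p^2 (0.05 -> 0.0025 as on the slide).
        return p_single ** self.entry_passes

    def combined_risk(self, p_single: float, p_missed: float) -> float:
        # A failure reaches the interface only if entry is wrong AND approval misses it.
        return self.p_entry_error(p_single) * p_missed

    def utility(self, p_single: float, p_missed: float) -> float:
        expected_loss = self.combined_risk(p_single, p_missed) * RECTIFICATION_COST
        return -(self.entry_cost + self.approval_cost) - expected_loss


ALTERNATIVES = (
    Alternative("alt 1: single entry, single approval", 1_000, 500, 1),
    Alternative("alt 2: double entry, single approval", 2_000, 500, 2),
)


def best_alternative(p_single: float, p_missed: float) -> str:
    """Name of the alternative with the highest (least negative) utility."""
    return max(ALTERNATIVES, key=lambda a: a.utility(p_single, p_missed)).name


def sensitivity_grid(p_entry_values, p_missed_values) -> dict:
    """(p_entry, p_missed) -> best alternative, like the slide's second table."""
    return {(pe, pm): best_alternative(pe, pm)
            for pe in p_entry_values for pm in p_missed_values}


if __name__ == "__main__":
    for alt in ALTERNATIVES:  # reproduces the slide's 0.05 / 0.3 rows
        print(f"{alt.name}: risk={alt.combined_risk(0.05, 0.3):.5f} "
              f"utility={alt.utility(0.05, 0.3):,.1f}")
    for cell, winner in sorted(sensitivity_grid([0.01, 0.05, 0.1], [0.1, 0.5, 0.9]).items()):
        print(cell, "->", winner)
```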

From Control Activities to Control Patterns

Managing Risks

Risk Management Strategies
Risk Mgmt. Strategy | Description | Examples
Mitigation | Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them. |
Avoidance | Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with. | Process redesign
Transfer | Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts. | Process Outsourcing; Purchase of Insurance Policies
Acceptance/Assumption | Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy. | Adaptation to regulatory requirements

Compliance
Compliance means adherence to rules and regulations
Process models provide execution rules
Control flow: What happens when?
Task allocation: Who is involved?
Role models: Who may do what?
But what about context?
Business object dependencies: Value/Customer Type
Environmental dependencies: Season/Off-season processing
Regulatory compliance: Documentation/Audit
Correlation of multiple processes

Managing Risk with BPMS
Use formal Process Models to limit process non-compliance
Process Models can be scripts or maps
If Scripts: Use BPMS to automate control flow, task allocation, application/service invocation
If Maps: Use collaborative tools to allow execution flexibility
BPMS provide risk management services
Authorizations / Access Control
Enforcement of routings, reviews
Audit capability to document compliance

Managing Risk with BRMS
Use Business Rules to limit contextual non-compliance
Document process objectives to prevent business rules from turning into process rules
Performance Objectives combine BAM with BRMS
Decision rules allow context-dependent enforcement of oversight
Use Business Rules Management System to enforce compliance
Document rules limit the state changes on documents
Example: Can’t go from draft to approved without review
Customer rules configure case handling
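The document rule on this slide ("can't go from draft to approved without review") combined with the BPMS services from the previous slide (role-based authorization, enforced reviews, an audit trail) can be expressed as a guarded state machine. The following added example is not code from the talk or from any BRMS product; the state names (draft, reviewed, approved), the roles (reviewer, approver) and the audit record layout are assumptions made for the illustration.

```python
"""Document rule as a guarded state machine with an audit trail (added example)."""
from dataclasses import dataclass, field

# Assumed states and roles: "approved" is reachable only through "reviewed".
ALLOWED_TRANSITIONS = {
    ("draft", "reviewed"): "reviewer",     # the review step
    ("reviewed", "draft"): "reviewer",     # reviewer sends the document back
    ("reviewed", "approved"): "approver",  # role model: who may do what
}


class RuleViolation(Exception):
    """Raised when a state change breaks the document rule or the role rule."""


@dataclass
class Document:
    doc_id: str
    state: str = "draft"
    audit_trail: list = field(default_factory=list)  # (actor, from, to, outcome)

    def transition(self, to_state: str, actor: str, role: str) -> str:
        """Apply a state change if the document rule and the role rule allow it."""
        step = (self.state, to_state)
        required_role = ALLOWED_TRANSITIONS.get(step)
        if required_role is None:
            self._log(actor, to_state, "rejected: transition not allowed")
            raise RuleViolation(f"{self.state} -> {to_state} is not allowed")
        if role != required_role:
            self._log(actor, to_state, f"rejected: requires role {required_role}")
            raise RuleViolation(f"role {role} may not perform {self.state} -> {to_state}")
        self._log(actor, to_state, "ok")
        self.state = to_state
        return self.state

    def _log(self, actor: str, to_state: str, outcome: str) -> None:
        # Audit capability: every attempt is recorded, rejected ones included.
        self.audit_trail.append((actor, self.state, to_state, outcome))


def attempt(doc: Document, to_state: str, actor: str, role: str) -> bool:
    """Try a transition; True if it was applied, False if a rule blocked it."""
    try:
        doc.transition(to_state, actor, role)
    except RuleViolation:
        return False
    return True

if __name__ == "__main__":
    doc = Document("D-1")  # constructed sample document
    print(attempt(doc, "approved", "alice", "approver"))  # blocked: review skipped
    print(attempt(doc, "reviewed", "bob", "reviewer"))    # allowed
    print(attempt(doc, "approved", "alice", "approver"))  # allowed after review
```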

Takeaways
Map Risks from different angles
Faults (can’t eliminate all)
Errors (prevent, detect, mitigate)
Failure (where is the point-of-no-return?)
Use Process Objectives to determine critical risk factors
Use Scenario Techniques to test different risk management strategies
Compliance refers to Process Rules and Business Rules
Don’t confuse the two
BPMS can help document and audit process rules
BRMS can help enforce contextual rules

Crisis = Risk + Opportunity

Thank You
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone: +1 (201) 216-8293
Fax: +1 (201) 216-5385
E-mail: [email protected]
http://www.cebpi.org
5th International Conference on Business Process Management
Publications
Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.
zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).
zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.
PDFs available at: http://www.cebpi.org