Risk management is a very important topic in the world after the financial crisis and dozens of recent natural hazards. I see risk management as a broad concept that does not only apply to the financial domain, but to any process of any organization. Two years ago, I worked briefly on the topic of integrating risk management into information systems, more particularly on combining risk management with business process management/workflow systems. The goal of this blog entry is to revisit this topic and see the progress made by others.
What is risk management?
In order to answer the question of what risk management is, we first need to define what risk is. There are a variety of definitions of risk from a business, public safety, military, medical or personal perspective. We are interested here in business risks. ISO 31000 defines risk as the “effect of uncertainty on objectives”. This effect can be positive or negative.
Although business risks are not only related to financial investment products, we assume here that the impact of a risk can somehow be calculated and that a quantitative probability can be given for it. Most project managers and others know that impact and probability cannot always be provided as numbers. For instance, they may state that the impact of losing customer X because of product feature Y is high, with a low probability. Supporting these kinds of qualitative scenarios is another problem not addressed in this blog entry.
Risk can be calculated by the following basic equation:
Impact * Probability = Risk
One example would be that the impact of losing customer X because of product feature Y is 100.000 Euro with a probability of 10%. The risk can be calculated as follows:
100.000 Euro * 10% = 10.000 Euro
Obviously, more sophisticated calculations are possible using more advanced statistical methods.
Risk management is about identifying, assessing, monitoring and mitigating risks. In order to identify and assess risks you need to talk with the stakeholders of the business processes (suppliers, customers, employees etc.). Monitoring risks can be done on an automated or manual basis. Mitigating risks is about reducing the impact and/or probability of negative risks as well as increasing the impact and/or probability of positive risks. Various measures can be used, such as transferring the risk by insuring against it. It is important that each risk has an owner who ensures that proper risk management is in place for that risk. Otherwise we may keep managing risks that no longer exist, or fail to address current ones.
We should not only consider big risks that are very unlikely, but also small risks (e.g. wrong data entries). We face many small risks in an enterprise, and summing them all up will probably lead to a larger total risk than a single big one.
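To make the basic equation and the aggregation point concrete, here is an added example (not code from the original post) that models a small risk register attached to business processes, computes Impact * Probability per risk, sums the expected loss per process, and applies a mitigation such as insurance as a reduction of impact or probability. The process names, risk names, owners and all amounts are constructed for illustration.

```python
from dataclasses import dataclass, replace
from collections import defaultdict


@dataclass(frozen=True)
class Risk:
    """One entry of a risk register, attached to a business process."""
    name: str
    process: str         # business process the risk belongs to
    impact: float        # monetary effect in Euro; negative = positive risk (opportunity)
    probability: float   # 0.0 .. 1.0
    owner: str           # every risk needs an owner who keeps it up to date

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability of {self.name!r} must be in [0, 1]")


def expected_loss(risk: Risk) -> float:
    """The basic equation from the text: Impact * Probability = Risk."""
    return risk.impact * risk.probability


def aggregate_by_process(risks: list[Risk]) -> dict[str, float]:
    """Sum the expected loss of all risks attached to each process."""
    totals: dict[str, float] = defaultdict(float)
    for risk in risks:
        totals[risk.process] += expected_loss(risk)
    return dict(totals)


def mitigate(risk: Risk, impact_factor: float = 1.0,
             probability_factor: float = 1.0) -> Risk:
    """Return a mitigated copy of the risk.

    Transferring a risk (e.g. insurance) mostly reduces the impact; a
    process change (e.g. input validation) mostly reduces the probability.
    """
    new_probability = min(1.0, risk.probability * probability_factor)
    return replace(risk, impact=risk.impact * impact_factor,
                   probability=new_probability)


def build_sample_register() -> list[Risk]:
    """Constructed sample data: one unlikely big risk and many small ones."""
    big = Risk("lose customer X because of feature Y", "Sales",
               impact=100_000.0, probability=0.10, owner="head of sales")
    # Thirty routine data-entry risks in the order entry process.
    small = [
        Risk(f"wrong data entry in order field {i}", "Order entry",
             impact=500.0, probability=0.80, owner="order desk lead")
        for i in range(30)
    ]
    return [big] + small


if __name__ == "__main__":
    register = build_sample_register()
    for process, total in aggregate_by_process(register).items():
        print(f"{process}: expected loss {total:,.0f} Euro")
    insured = mitigate(register[0], impact_factor=0.2)
    print(f"after insurance: {expected_loss(insured):,.0f} Euro")
```

Running the example shows the single big risk at 10,000 Euro expected loss, while the thirty small data-entry risks together amount to 12,000 Euro, which is the point made above about small risks adding up. The per-process totals are what a workflow system could keep updated as activities execute.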
What are Business Process Management/Workflow systems?
Business Process Management Systems (BPMS), also known as workflow systems, allow modeling a process as (alternative) sequences of (human or automated) activities, together with their resource needs (mostly human resources) and the data that is processed. Furthermore, they coordinate the process by keeping track of its execution state, starting new activities/applications, assigning resources to them and providing the required data.
Most of the business applications you use today implicitly contain a business process or business logic. If the process is described in a workflow system, however, it is made explicit and transparent, and it becomes much easier to monitor, improve or change.
Why combine them?
Our initial motivation for combining risk management and business process management systems was the following:
- Each business process has risks associated with it
- Managing these risks more effectively reduces the impact or probability of negative risks and can increase the impact or probability of positive risks; thus, more business value is created
- A workflow system makes a process explicit, and this allows (1) easier identification and assessment of risks and (2) monitoring of risks and initiating mitigation processes related to them
Our early approach
A longer description of our approach can be found here. At the time we did research on this topic, not many approaches aiming at the integration of risk management and workflow systems were known. Only a few fragmented ones existed, mainly addressing the modeling of risks in business processes without further functionality such as monitoring and managing risks during process execution controlled by a workflow system. Our approach can thus be seen as one of the first attempts to address this problem.
The blog entry containing our approach raised a lot of questions. Some were related to the integration of existing (SAP) technologies in which risks are already described and identified. In fact, this is an important topic, because we do not want to have several independent risk databases, possibly with different impacts and probabilities for the same risks. Others raised concerns about defining the probabilities, because we sketched several possibilities without answering how to select the correct method for calculating probabilities and impact. This also depends on your enterprise, the methods you use and your risk culture. Clearly, normative or well-tested methods by experts would be helpful. I think the area of reference models for various industries could help to address this problem.
Furthermore, the lack of interest by industry research groups such as Gartner or Forrester was criticized. This has not changed much, but at least Gartner sees a need in their report “Hype Cycle for Business Process Management 2011”, where they describe the integration of metadata repositories for compliance, risk and governance. Nevertheless, integrating risk management and business process management systems is not yet on the radar of Gartner's BPM hype cycle.
Finally, others criticized that models in general are not always perfect and may be wrong. This is true, but I believe that with continuous review and open exchanges between risk experts in the various departments of a company this problem can be addressed.
Unfortunately, in the last months the situation has not changed much. We could not continue to work on the topic due to new priorities. However, recently Conforti et al. proposed their approach for integrating risk management and workflow systems. In fact, they describe many of the ideas we provided in more detail. Interestingly, they were looking for Pareto-optimal solutions, i.e. solutions where no party can increase its outcome without reducing the outcome of another. This may not always be beneficial for the goals of the company, because it only considers the individual goals of the stakeholders.
Nevertheless, they describe in another paper how the risk probabilities can be calculated using real-time sensor information. This seems to partly address one criticism of our approach, namely that models can change based on changes in the real world, and this needs to be taken into account by the information systems reasoning on the models.
I believe that the topic is still important and should be explored in more detail. This is why I decided to create this blog. Luckily, there has been at least some progress. I also see further extensions to new approaches for managing dynamic, less predictable business processes. For example, the case management process modeling standard by the OMG could address the problem of risk management in this context. Furthermore, we need to think about how we can integrate qualitative risk assessment into the solution and how we keep the important stakeholders as well as the risk owners informed.
I am looking forward to your comments!