Operational Risk Management and BPM
 


Business Process Managers are faced with two different tasks: Improve organizational performance by streamlining and automating workflows while ensuring compliance with regulatory and audit requirements. Both tasks involve the notion of process risk, and introduce a series of questions: Does the risk exposure of a given process match the risk appetite of the enterprise? Are there better ways to mitigate certain risk factors by redesigning our processes? And how can we measure the level of compliance during the execution of a given process? Contemporary process modeling languages offer little help in identifying and mapping process risk. This session addresses a multiperspective approach to capturing and understanding process risk, and illustrates ways to use this newfound information to create innovative process designs that address risk factors in a cost-effective way.

    Operational Risk Management and BPM: Presentation Transcript

      • Michael zur Muehlen, Ph.D.
      • Asst. Professor of Information Systems
      • Stevens Institute of Technology
      • Session Title:
      • Operational Risk Management and BPM
      Welcome to Transformation and Innovation 2007: The Business Transformation Conference
    • Stevens Institute of Technology
      • Private university, founded 1870
          • 1800 undergraduate, 2600 graduate students
          • Located in Hoboken, NJ (across the Hudson from Manhattan)
      • Three Schools
          • Technology Management
          • Engineering
          • Arts & Sciences
      • Rankings:
          • Top 5 technology management program, on par with Stanford, MIT, CMU, Babson (Optimize Magazine)
          • #1 for best distance learning program (Princeton Review)
          • Top 25 for most connected Campus (Sloan Foundation)
      • http://www.stevens.edu
    • Howe School of Technology Management
      • Offers MBA in Technology Management, Master of Science (IS, Telecom Mgmt, Mgmt, EMTM), Bachelor’s Degree (Business & Technology)
      • Programs taught on campus and off-site in corporate locations
      • Clients: ADP, Avaya, BASF, Bristol-Myers Squibb, Chubb, Citigroup, Deutsche Bank, J&J, Lockheed, Merrill Lynch, PaineWebber, Pearson, Prudential, PSE&G, UBS, UPS, Verizon and others
      • Research centers with focus on
          • Process Management
          • Project Management
          • Product Innovation
      • http://howe.stevens.edu
    • What this Talk is About
      • Risk: Driving Process Management
      • What are operational risks in the context of BPM?
      • How to identify operational risks
      • How to prioritize operational risks
      • How to make better decisions based on risk information
      May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference
    • Motivation: Drivers for Business Process Management (BPM)
      • Performance
          • Business Process Improvement
          • Engineering of Process-aware IS
      • Compliance
          • Mandated compliance (e.g. SOX)
          • Desired compliance (e.g. ISO, ITIL)
    • You’re Hired
      • Process: New Hire Integration
              • Background Check
              • Allocation of office space
              • Reservation of phone, pager
              • Creation of access rights in operational systems
      • Problem: Lost productivity due to late provisioning of work infrastructure
      • Automating the process coordination reduced cycle time from a 2-week average to 2 days
      • BPM Goal: Performance
    • You’re Fired
      • Process: Employee Termination
      • Removal of computer access rights
      • Collection of company-issued phone, pager, access card
      • Removal from employee directory
      • Problem: Not all equipment is collected, access rights remain after an employee leaves
      • Automating the process coordination ensures that no step is forgotten
      • BPM Goal: Compliance
    • Operational Process Risk
      • Operational Risk:
          • Probability that a process will either
              • fail to meet its objectives or
              • make excessive use of resources to meet them
          • A degradation in process output or process consistency
          • Can be valued financially
      • Risk is an inherent property of any business process
      • Quantifying operational risk exposure is difficult
    • Process and Risk Management (diagram; labels: Process Risk, Process-oriented Risk Management, Risk-oriented Process Management)
    • Process-Risk Management
      • How can we systematically identify operational process risk?
      • How can we represent risk in popular process modeling methods?
      • How can we quantify the risk exposure of processes and portfolios?
      • How can we determine the cost effectiveness of process controls?
      • How can we support risk-aware process design?
    • Risk Management Lifecycle
    • Potential Benefits
      • Systematic measurement of Process Risk enables us to:
      • Provide risk-adjusted process configurations
      • Manage the risk of process portfolios
      • Determine the capital reserve necessary to cover operational risk contingencies
      • Design fault-tolerant processes
    • Risk Management and BPM (compare Frew (2006))

      | Risk Management | BPM |
      |---|---|
      | Focused on ensuring value for stakeholders | Focus on providing value for stakeholders |
      | Risk is an inherent property of business processes | Performance depends on effectiveness of business processes |
      | Risk is mitigated by process design | Performance is influenced by process design |
      | Feedback is obtained through Risk Indicators assigned to systems and processes | Feedback is obtained through Performance Indicators assigned to systems and processes |
      | Risk is mitigated through optimized processes | Performance objectives are achieved through optimized processes |
    • Case Study: Where’s the Money?
    • Case Study
      • Payroll process at Australian university
        • Failed in June 2005
        • 2000+ employees not paid in time
        • Expensive mediation procedure
      • Reasons
        • Data entry mistake
        • Established mitigation procedure (double sign-off) failed
        • Lack of risk awareness
    • Payroll Process
    • Process without Control Activities
    • Common Risk Modeling
    • Risk Properties
      • Risk owner
      • Risk category (e.g. Financial, Operational, Market, Strategic)
      • Last risk evaluation
      • Review period
      • Risk occurrence history
      • Quantitative & Qualitative evaluation:
        • Amount of damages
        • Occurrence frequency
    • Control Activity Properties
      • Key Control Activity (Yes/No)
      • Control type, e.g. preventive, reactive
      • Control category, e.g. audit, password
      • Design effectiveness
      • Operating effectiveness
      • Manual / Automated
    • Closer Look At The Process
    • Component Risk
    • A Closer Look: Faults, Errors, Failures
    • Risk = Faults, Errors, and Failures
      • Fault
            • Vulnerability of a process that may lead to process failure
            • Error-enabling context
            • Can be active or dormant
            • Example: Unavailability of a database server
      • Error
            • Action that may lead to failure
            • Example: Attempt to retrieve data from the unavailable DB
      • Failure
            • Event, when process output deviates from correct output
            • Example: Process aborts due to lack of necessary data
    • Chain of Threats
      • Faults enable Errors
          • But errors might not happen for a long time
          • Process design should strive to minimize faults
          • If faults cannot be avoided we need error detection
    • Chain of Threats
      • Errors may lead to Failures
          • Options: prevention, detection, or mitigation
          • If faults are known, we can minimize errors: poka-yoke
          • Cost, effort play a role
    • Chain of Threats
      • Failures become visible at Interfaces
          • Noticeable once the process result leaves your hands
          • Service interfaces can be described in a hierarchical fashion
          • Interfaces are unsuitable for error mitigation: Point of No Return = time of hand-over – recovery time
    • Fault/Error/Failure in Context
    • Fault Latency (diagram; labels: Fault, Error, Failure, Inexperienced Staff Member on Duty, Data Entry Mistake, Faulty Payroll Run Approved, Complacent Staff, Faulty Payroll Run Transmitted)
    • Where to Look First: Priorities
    • Prioritize: Not All Failures are Equal (matrix of likelihood against effect)
      • Likelihood: Unlikely, Seldom, Occasional, Likely, Frequent
      • Effect: Loss of Process Capability, Loss of Process Instance, Compromise of Process Instance Goal, Minor effect or obstruction
    • Process Objectives
    • Risk/Goal Matrix
    • Understand Risks – Then Manage Them
      • Matching Mitigation?
      • Source: zur Muehlen, Rosemann (2005)
    • Evaluation of Process Design Alternatives

      | Alternative | Entry cost | Approval cost | Probability: incorrect data entry | Probability: error missed during approval process | Probability: comb. risk | Rectific. cost | Utility |
      |---|---|---|---|---|---|---|---|
      | 1. single entry, single approval | $1,000 | $500 | 0.05 | 0.3 | 0.015 | $250,000 | -$5,250 |
      | 2. double entry, single approval | $2,000 | $500 | 0.0025 | 0.3 | 0.00075 | $250,000 | -$2,688 |
      | 3. single entry, double approval | $1,000 | $1,000 | 0.05 | 0.09 | 0.0045 | $250,000 | -$3,125 |
      | 4. double entry, double approval | $2,000 | $1,000 | 0.0025 | 0.09 | 0.000225 | $250,000 | -$3,056 |
    • Sensitivity Analysis: Alternative with the best utility
      Rows: probability of data entry error. Columns: probability of error being missed during the approval process.

      | | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 | 0.9 |
      |---|---|---|---|---|---|---|---|---|---|
      | 0.01 | alt 1 | alt 1 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
      | 0.05 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
      | 0.1 | alt 3 | alt 2 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 2 | alt 2 |
      | 0.15 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.2 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.25 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.35 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.4 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.45 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.5 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.7 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
      | 0.9 | alt 3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
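
The design-alternatives table and the sensitivity grid above can be recomputed with a small expected-cost model. This is an added example, not code from the presentation: the formula (utility = -(control cost + combined risk × rectification cost), with a repeated entry or approval squaring the corresponding probability) is an assumption inferred from the table's numbers, and it reproduces the four utilities shown.

```python
"""Added example: expected-utility model behind the design-alternatives
table and the sensitivity grid. The formula is inferred from the table's
numbers (an assumption), not taken from the presenter's own material."""
from itertools import product

RECTIFICATION_COST = 250_000   # cost of rectifying a faulty payroll run
ENTRY_COST = 1_000             # cost of one data-entry pass
APPROVAL_COST = 500            # cost of one approval pass

# alternative number -> (entry passes, approval passes), as in the table
ALTERNATIVES = {1: (1, 1), 2: (2, 1), 3: (1, 2), 4: (2, 2)}


def utility(entries, approvals, p_entry, p_miss):
    """Negative expected cost of one process design.

    Assumes independent repetitions: an error survives n entry passes with
    probability p_entry**n and slips past m approvals with p_miss**m.
    """
    control_cost = entries * ENTRY_COST + approvals * APPROVAL_COST
    combined_risk = (p_entry ** entries) * (p_miss ** approvals)
    return -(control_cost + combined_risk * RECTIFICATION_COST)


def evaluate(p_entry, p_miss):
    """Utility of every alternative for one pair of probabilities."""
    return {alt: utility(e, a, p_entry, p_miss)
            for alt, (e, a) in ALTERNATIVES.items()}


def best_alternative(p_entry, p_miss):
    """Alternative with the highest utility (lowest expected cost)."""
    scores = evaluate(p_entry, p_miss)
    return max(scores, key=scores.get)


def sensitivity_grid(p_entries, p_misses):
    """Best alternative for each (p_entry, p_miss) combination."""
    return {(pe, pm): best_alternative(pe, pm)
            for pe, pm in product(p_entries, p_misses)}


if __name__ == "__main__":
    for alt, u in evaluate(0.05, 0.3).items():
        print(f"alternative {alt}: utility {u:,.0f}")
    grid = sensitivity_grid([0.01, 0.05, 0.1, 0.2], [0.1, 0.3, 0.5, 0.9])
    for (pe, pm), alt in grid.items():
        print(f"p_entry={pe:<5} p_miss={pm:<4} -> alt {alt}")
```

The independence assumption is what makes double entry and double approval look so effective; in the payroll case study the double sign-off failed, so a correlated second check would need a higher miss probability than p_miss squared.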
    • From Control Activities to Control Patterns
    • Managing Risks
    • Risk Management Strategies
      • Mitigation
          • Description: Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them.
          • Examples:
              • Standardized process routing
              • Formalized exception handling
              • Complete kit processing
              • Collaboration, checks & balances
      • Avoidance
          • Description: Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with.
          • Examples:
              • Process redesign
      • Transfer
          • Description: Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts.
          • Examples:
              • Process Outsourcing
              • Purchase of Insurance Policies
      • Acceptance/Assumption
          • Description: Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy.
          • Examples:
              • Adaptation to regulatory requirements
    • Compliance
      • Compliance means adherence to rules and regulations
      • Process models provide execution rules
          • Control flow: What happens when?
          • Task allocation: Who is involved?
          • Role models: Who may do what?
      • But what about context?
          • Business object dependencies: Value/Customer Type
          • Environmental dependencies: Season/Off-season processing
          • Regulatory compliance: Documentation/Audit
          • Correlation of multiple processes
    • Distinguish between Soft and Hard Constraints
      • Hard Constraints: Process Rules
          • Data dependencies
          • Resource dependencies
          • Must not be violated
          • Failure can lead to process breakage
      • Soft Constraints: Business Rules
          • Risk mitigation activities
          • Documentation
          • Checks and Balances
          • Can be worked around
          • Failure can lead to non-compliance
    • Managing Risk with BPMS
      • Use formal Process Models to limit process non-compliance
          • Process Models can be scripts or maps
              • If Scripts: Use BPMS to automate control flow, task allocation, application/service invocation
              • If Maps: Use collaborative tools to allow execution flexibility
          • BPMS provide risk management services
              • Authorizations / Access Control
              • Enforcement of routings, reviews
              • Audit capability to document compliance
    • Managing Risk with BRMS
      • Use Business Rules to limit contextual non-compliance
          • Document process objectives to prevent business rules from turning into process rules
              • Performance Objectives combine BAM with BRMS
              • Decision rules allow context-dependent enforcement of oversight
          • Use Business Rules Management System to enforce compliance
              • Document rules limit the state changes on documents
              • Example: Can’t go from draft to approved without review
              • Customer rules configure case handling
    • Takeaways
      • Map Risks from different angles
          • Faults (can’t eliminate all)
          • Errors (prevent, detect, mitigate)
          • Failure (where is the point-of-no-return?)
      • Use Process Objectives to determine critical risk factors
      • Use Scenario Techniques to test different risk management strategies
      • Compliance refers to Process Rules and Business Rules
          • Don’t confuse the two
          • BPMS can help document and audit process rules
          • BRMS can help enforce contextual rules
    • Crisis = Risk + Opportunity
    • Thank You
      • Michael zur Muehlen, Ph.D.
      • Center of Excellence in Business Process Innovation
      • Howe School of Technology Management, Stevens Institute of Technology
      • Castle Point on the Hudson, Hoboken, NJ 07030
      • Phone: +1 (201) 216-8293
      • Fax: +1 (201) 216-5385
      • E-mail: [email_address]
      • Web: http://www.cebpi.org
      • 5th International Conference on Business Process Management, Brisbane, Australia, 25-27 September 2007: http://bpm07.fit.qut.edu.au/
    • Publications
      • Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.
      • zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).
      • zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.
      • PDFs available at: http://www.cebpi.org