Michael zur Muehlen, Ph.D. Asst. Professor of Information Systems Stevens Institute of Technology SessionTitle: Operational Risk Management and BPM Welcome to Transformation and Innovation 2007 The Business Transformation Conference The Business Transformation Conference

Michael zur Muehlen, Ph.D.

Asst. Professor of Information Systems

Stevens Institute of Technology

SessionTitle:

Operational Risk Management and BPM

Stevens Institute of Technology Private university, founded 1870 1800 undergraduate, 2600 graduate students Located in Hoboken, NJ (across the Hudson from Manhattan) Three Schools Technology Management Engineering Arts & Sciences Rankings: Top 5 technology management program, on par with Stanford, MIT, CMU, Babson (Optimize Magazine) #1 for best distance learning program (Princeton Review) Top 25 for most connected Campus (Sloan Foundation) http://www.stevens.edu

Private university, founded 1870

1800 undergraduate, 2600 graduate students

Located in Hoboken, NJ (across the Hudson from Manhattan)

Three Schools

Technology Management

Engineering

Arts & Sciences

Rankings:

Top 5 technology management program, on par with Stanford, MIT, CMU, Babson (Optimize Magazine)

#1 for best distance learning program (Princeton Review)

Top 25 for most connected Campus (Sloan Foundation)

http://www.stevens.edu

Howe School of Technology Management Offers MBA in Technology Management, Master of Science (IS, Telecom Mgmt, Mgmt, EMTM), Bachelor’s Degree (Business & Technology) Programs taught on campus and off-site in corporate locations Clients: ADP, Avaya, BASF, Bristol-Myers Squibb, Chubb, Citigroup, Deutsche Bank, J&J, Lockheed, Merrill Lynch, PaineWebber, Pearson, Prudential, PSE&G, UBS, UPS, Verizon and others Research centers with focus on Process Management Project Management Product Innovation http://howe.stevens.edu

Offers MBA in Technology Management, Master of Science (IS, Telecom Mgmt, Mgmt, EMTM), Bachelor’s Degree (Business & Technology)

Programs taught on campus and off-site in corporate locations

Clients: ADP, Avaya, BASF, Bristol-Myers Squibb, Chubb, Citigroup, Deutsche Bank, J&J, Lockheed, Merrill Lynch, PaineWebber, Pearson, Prudential, PSE&G, UBS, UPS, Verizon and others

Research centers with focus on

Process Management

Project Management

Product Innovation

http://howe.stevens.edu

What this Talk is About Risk: Driving Process Management What are operational risks in the context of BPM? How to identify operational risks How to prioritize operational risks How to make better decisions based on risk information May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk: Driving Process Management

What are operational risks in the context of BPM?

How to identify operational risks

How to prioritize operational risks

How to make better decisions based on risk information

Motivation Drivers for Business Process Management (BPM) May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Performance Business Process Improvement Engineering of Process-aware IS Compliance Mandated compliance (e.g. SOX) Desired compliance (e.g. ISO, ITIL)

You’re Hired Process: New Hire Integration Background Check Allocation of office space Reservation of phone, pager Creation of access rights in operational systems Problem: Lost productivity due to late provisioning of work infrastructure Automating the process coordination reduced cycle time from 2 week average to 2 days BPM Goal: Performance May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Process: New Hire Integration

Background Check

Allocation of office space

Reservation of phone, pager

Creation of access rights in operational systems

Problem: Lost productivity due to late provisioning of work infrastructure

Automating the process coordination reduced cycle time from 2 week average to 2 days

BPM Goal: Performance

You’re Fired Process: Employee Termination Removal of computer access rights Collection of company-issued phone, pager, access card Removal from employee directory Problem: Not all equipment is collected, access rights remain after an employee leaves Automating the process coordination ensures that no step is forgotten BPM Goal: Compliance May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Process: Employee Termination

Removal of computer access rights

Collection of company-issued phone, pager, access card

Removal from employee directory

Problem: Not all equipment is collected, access rights remain after an employee leaves

Automating the process coordination ensures that no step is forgotten

BPM Goal: Compliance

Operational Process Risk Operational Risk: Probability that a process will either fail to meet its objectives or make excessive use of resources to meet them A degradation in process output or process consistency Can be valued financially Risk is an inherent property of any business process Quantifying operational risk exposure is difficult May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Operational Risk:

Probability that a process will either

fail to meet its objectives or

make excessive use of resources to meet them

A degradation in process output or process consistency

Can be valued financially

Risk is an inherent property of any business process

Quantifying operational risk exposure is difficult

Process and Risk Management Process Risk Process-oriented Risk Management Risk-oriented Process Management May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Process-Risk Management How can we systematically identify operational process risk ? How can we represent risk in popular process modeling methods? How can we quantify the risk exposure of processes and portfolios? How can we determine the cost effectiveness of process controls ? How can we support risk-aware process design ? May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

How can we systematically identify operational process risk ?

How can we represent risk in popular process modeling methods?

How can we quantify the risk exposure of processes and portfolios?

How can we determine the cost effectiveness of process controls ?

How can we support risk-aware process design ?

Risk Management Lifecycle May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Potential Benefits Systematic measurement of Process Risk enables us to: Provide risk-adjusted process configurations Manage the risk of process portfolios Determine the capital reserve necessary to cover operational risk contingencies Design fault-tolerant processes May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Systematic measurement of Process Risk enables us to:

Provide risk-adjusted process configurations

Manage the risk of process portfolios

Determine the capital reserve necessary to cover operational risk contingencies

Design fault-tolerant processes

Risk Management and BPM Frew (2006) Compare Frew (2006) May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Risk Management BPM Focused on ensuring value for stakeholders Focus on providing value for stakeholders Risk is an inherent property of business processes Performance depends on effectiveness of business processes Risk is mitigated by process design Performance is influenced by process design Feedback is obtained through Risk Indicators assigned to systems and processes Feedback is obtained through Performance Indicators assigned to systems and processes Risk is mitigated through optimized processes Performance objectives are achieved through optimized processes

Case Study: Where’s the Money? May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Case Study Payroll process at Australian university Failed in June 2005 2000+ employees not paid in time Expensive mediation procedure Reasons Data entry mistake Established mitigation procedure (double sign-off) failed Lack of risk awareness May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Payroll process at Australian university

Failed in June 2005

2000+ employees not paid in time

Expensive mediation procedure

Reasons

Data entry mistake

Established mitigation procedure (double sign-off) failed

Lack of risk awareness

Payroll Process

Process without Control Activities May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Common Risk Modeling May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk Properties Risk owner Risk category (e.g. Financial, Operational, Market, Strategic) Last risk evaluation Review period Risk occurrence history Quantitative & Qualitative evaluation: Amount of damages Occurrence frequency May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk owner

Risk category (e.g. Financial, Operational, Market, Strategic)

Last risk evaluation

Review period

Risk occurrence history

Quantitative & Qualitative evaluation:

Amount of damages

Occurrence frequency

Control Activity Properties Key Control Activity (Yes/No) Control type, e.g. preventive, reactive Control category, e.g. audit, password Design effectiveness Operating effectiveness Manual / Automated May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Key Control Activity (Yes/No)

Control type, e.g. preventive, reactive

Control category, e.g. audit, password

Design effectiveness

Operating effectiveness

Manual / Automated

Closer Look At The Process May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Component Risk May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

A Closer Look: Faults, Errors, Failures May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk = Faults, Errors, and Failures Fault Vulnerability of a process that may lead to process failure Error-enabling context Can be active or dormant Example: Unavailability of a database server Error Action that may lead to failure Example: Attempt to retrieve data from the unavailable DB Failure Event, when process output deviates from correct output Example: Process aborts due to lack of necessary data May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Fault

Vulnerability of a process that may lead to process failure

Error-enabling context

Can be active or dormant

Example: Unavailability of a database server

Error

Action that may lead to failure

Example: Attempt to retrieve data from the unavailable DB

Failure

Event, when process output deviates from correct output

Example: Process aborts due to lack of necessary data

Chain of Threats Faults enable Errors But errors might not happen for a long time Process design should strive to minimize faults If faults cannot be avoided we need error detection May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Faults enable Errors

But errors might not happen for a long time

Process design should strive to minimize faults

If faults cannot be avoided we need error detection

Chain of Threats Errors may lead to Failures Options: prevention, detection, or mitigation If faults are known, we can minimize errors: poka-yoke Cost, effort play a role May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Errors may lead to Failures

Options: prevention, detection, or mitigation

If faults are known, we can minimize errors: poka-yoke

Cost, effort play a role

Chain of Threats Failures become visible at Interfaces Noticeable once the process result leaves your hands Service interfaces can be described in a hierarchical fashion Interfaces are unsuitable for error mitigation: Point of No Return = time of hand-over – recovery time May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Failures become visible at Interfaces

Noticeable once the process result leaves your hands

Service interfaces can be described in a hierarchical fashion

Interfaces are unsuitable for error mitigation: Point of No Return = time of hand-over – recovery time

Fault/Error/Failure in Context May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Fault Latency Fault Inexperienced Staff Member on Duty Error Failure Data Entry Mistake Faulty Payroll Run Approved Complacent Staff Faulty Payroll Run Transmitted May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Where to Look First: Priorities May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Prioritize: Not All Failures are Equal May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Likelihood Effect Unlikely Seldom Occasional Likely Frequent Loss of Process Capability Loss of Process Instance Compromise of Process Instance Goal Minor effect or obstruction

Process Objectives May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk/Goal Matrix May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Understand Risks – Then Manage Them Source: zur Muehlen, Rosemann (2005) May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Matching Mitigation?

Evaluation of Process Design Alternatives May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Alternative Entry cost Approval cost Probability Rectific. cost Utility Incorrect data entry Error missed during approval process Comb. risk 1. single entry, single approval $1,000 $500 0.05 0.3 0.015 $250,000 -$5,250 2. double entry, single approval $2,000 $500 0.0025 0.3 0.00075 $250,000 -$2,688 3. single entry, double approval $1,000 $1,000 0.05 0.09 0.0045 $250,000 -$3,125 4. double entry, double approval $2,000 $1,000 0.0025 0.09 0.000225 $250,000 -$3,056

Sensitivity Analysis May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Alternative with the best utility Probability of error being missed during the approval process 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 Probability of data entry error 0.01 alt 1 alt 1 alt 3 alt 3 alt 2 alt 2 alt 2 alt 2 alt 2 0.05 alt 3 alt 3 alt 2 alt 2 alt 2 alt 2 alt 2 alt 2 alt 2 0.1 alt 3 alt 2 alt 4 alt 4 alt 4 alt 4 alt 4 alt 2 alt 2 0.15 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.2 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.25 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.3 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.35 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.4 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.45 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.5 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.7 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 0.9 alt 3 alt 3 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4 alt 4

From Control Activities to Control Patterns to Control Patterns May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Managing Risks May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Risk Management Strategies May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference Risk Mgmt. Strategy Description Examples Mitigation Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them. Standardized process routing Formalized exception handling Complete kit processing Collaboration, checks & balances Avoidance Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with. Process redesign Transfer Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts. Process Outsourcing Purchase of Insurance Policies Acceptance/ Assumption Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy. Adaptation to regulatory requirements

Standardized process routing

Formalized exception handling

Complete kit processing

Collaboration, checks & balances

Process redesign

Process Outsourcing

Purchase of Insurance Policies

Adaptation to regulatory requirements

Compliance Compliance means adherence to rules and regulations Process models provide execution rules Control flow: What happens when? Task allocation: Who is involved? Role models: Who may do what? But what about context? Business object dependencies: Value/Customer Type Environmental dependecies: Season/Off-season processing Regulatory compliance: Documentation/Audit Correlation of multiple processes May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Compliance means adherence to rules and regulations

Process models provide execution rules

Control flow: What happens when?

Task allocation: Who is involved?

Role models: Who may do what?

But what about context?

Business object dependencies: Value/Customer Type

Environmental dependecies: Season/Off-season processing

Regulatory compliance: Documentation/Audit

Correlation of multiple processes

Distinguish between Soft and Hard Constraints Hard Constraints: Process Rules Data dependencies Resource dependencies Must not be violated Failure can lead to process breakage Soft Constraints: Business Rules Risk mitigation activities Documentation Checks and Balances Can be worked around Failure can lead to non-compliance

Hard Constraints: Process Rules

Data dependencies

Resource dependencies

Must not be violated

Failure can lead to process breakage

Soft Constraints: Business Rules

Risk mitigation activities

Documentation

Checks and Balances

Can be worked around

Failure can lead to non-compliance

Managing Risk with BPMS Use formal Process Models to limit process non-compliance Process Models can be scripts or maps If Scripts : Use BPMS to automate control flow, task allocation, application/service invocation If Maps : Use collaborative tools to allow execution flexibility BPMS provide risk management services Authorizations / Access Control Enforcement of routings, reviews Audit capability to document compliance May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Use formal Process Models to limit process non-compliance

Process Models can be scripts or maps

If Scripts : Use BPMS to automate control flow, task allocation, application/service invocation

If Maps : Use collaborative tools to allow execution flexibility

BPMS provide risk management services

Authorizations / Access Control

Enforcement of routings, reviews

Audit capability to document compliance

Managing Risk with BRMS Use Business Rules to limit contextual non-compliance Document process objectives to prevent business rules from turning into process rules Performance Objectives combine BAM with BRMS Decision rules allow context-dependent enforcement of oversight Use Business Rules Management System to enforce compliance Document rules limit the state changes on documents Example: Can’t go from draft to approved without review Customer rules configure case handling May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Use Business Rules to limit contextual non-compliance

Document process objectives to prevent business rules from turning into process rules

Performance Objectives combine BAM with BRMS

Decision rules allow context-dependent enforcement of oversight

Use Business Rules Management System to enforce compliance

Document rules limit the state changes on documents

Example: Can’t go from draft to approved without review

Customer rules configure case handling

Takeaways Map Risks from different angles Faults (can’t eliminate all) Errors (prevent, detect, mitigate) Failure (where is the point-of-no-return?) Use Process Objectives to determine critical risk factors Use Scenario Techniques to test different risk management strategies Compliance refers to Process Rules and Business Rules Don’t confuse the two BPMS can help document and audit process rules BRMS can help enforce contextual rules May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Map Risks from different angles

Faults (can’t eliminate all)

Errors (prevent, detect, mitigate)

Failure (where is the point-of-no-return?)

Use Process Objectives to determine critical risk factors

Use Scenario Techniques to test different risk management strategies

Compliance refers to Process Rules and Business Rules

Don’t confuse the two

BPMS can help document and audit process rules

BRMS can help enforce contextual rules

Crisis = Risk + Opportunity May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Thank You Thank You Michael zur Muehlen, Ph.D. Center of Excellence in Business Process Innovation Howe School of Technology Management Stevens Institute of Technology Castle Point on the Hudson Hoboken, NJ 07030 Phone: +1 (201) 216-8293 Fax: +1 (201) 216-5385 E-mail: [email_address] Web: http://www.cebpi.org 5th International Conference on Business Process Management Brisbane, Australia 25-27 September 2007 http://bpm07.fit.qut.edu.au/

Publications Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006. zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award). zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466. PDFs available at: http://www.cebpi.org May 22-24, 2007 Washington Dulles Hilton The Business Transformation Conference

Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.

zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).

zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.

PDFs available at: http://www.cebpi.org