Slideshow Transcript
- Slide 1: Welcome to Transformation and Innovation 2007, The Business Transformation Conference
  - Michael zur Muehlen, Ph.D., Asst. Professor of Information Systems, Stevens Institute of Technology
  - Session Title: Operational Risk Management and BPM
  - The Business Transformation Conference, May 22-24, 2007, Washington Dulles Hilton
- Slide 2: Stevens Institute of Technology
  - Private university, founded 1870
  - 1800 undergraduate, 2600 graduate students
  - Located in Hoboken, NJ (across the Hudson from Manhattan)
  - Three Schools: Technology Management; Engineering; Arts & Sciences
  - Rankings:
    - Top 5 technology management program, on par with Stanford, MIT, CMU, Babson (Optimize Magazine)
    - #1 for best distance learning program (Princeton Review)
    - Top 25 for most connected Campus (Sloan Foundation)
  - http://www.stevens.edu
- Slide 3: Howe School of Technology Management
  - Offers MBA in Technology Management, Master of Science (IS, Telecom Mgmt, Mgmt, EMTM), Bachelor’s Degree (Business & Technology)
  - Programs taught on campus and off-site in corporate locations
  - Clients: ADP, Avaya, BASF, Bristol-Myers Squibb, Chubb, Citigroup, Deutsche Bank, J&J, Lockheed, Merrill Lynch, PaineWebber, Pearson, Prudential, PSE&G, UBS, UPS, Verizon and others
  - Research centers with focus on Process Management, Project Management, Product Innovation
  - http://howe.stevens.edu
- Slide 4: What this Talk is About
  - Risk: Driving Process Management
  - What are operational risks in the context of BPM?
  - How to identify operational risks
  - How to prioritize operational risks
  - How to make better decisions based on risk information
- Slide 5: Motivation: Drivers for Business Process Management (BPM)
  - Compliance
    - Mandated compliance (e.g. SOX)
    - Desired compliance (e.g. ISO, ITIL)
  - Performance
    - Business Process Improvement
    - Engineering of Process-aware IS
- Slide 6: You’re Hired
  - Process: New Hire Integration
    - Background Check
    - Allocation of office space
    - Reservation of phone, pager
    - Creation of access rights in operational systems
  - Problem: Lost productivity due to late provisioning of work infrastructure
  - Automating the process coordination reduced cycle time from 2 week average to 2 days
  - BPM Goal: Performance
- Slide 7: You’re Fired
  - Process: Employee Termination
    - Removal of computer access rights
    - Collection of company-issued phone, pager, access card
    - Removal from employee directory
  - Problem: Not all equipment is collected, access rights remain after an employee leaves
  - Automating the process coordination ensures that no step is forgotten
  - BPM Goal: Compliance
- Slide 8: Operational Process Risk
  - Operational Risk: Probability that a process will either
    - fail to meet its objectives or
    - make excessive use of resources to meet them
  - A degradation in process output or process consistency
  - Can be valued financially
  - Risk is an inherent property of any business process
  - Quantifying operational risk exposure is difficult
- Slide 9: Process and Risk Management (diagram labels: Process-oriented Risk Management; Process Risk; Risk-oriented Process Management)
- Slide 10: Process-Risk Management
  - How can we systematically identify operational process risk?
  - How can we represent risk in popular process modeling methods?
  - How can we quantify the risk exposure of processes and portfolios?
  - How can we determine the cost effectiveness of process controls?
  - How can we support risk-aware process design?
- Slide 11: Risk Management Lifecycle
- Slide 12: Potential Benefits
  - Systematic measurement of Process Risk enables us to:
    - Provide risk-adjusted process configurations
    - Manage the risk of process portfolios
    - Determine the capital reserve necessary to cover operational risk contingencies
    - Design fault-tolerant processes
- Slide 13: Risk Management and BPM (compare Frew (2006))

  | Risk Management | BPM |
  | --- | --- |
  | Focused on ensuring value for stakeholders | Focus on providing value for stakeholders |
  | Risk is an inherent property of business processes | Performance depends on effectiveness of business processes |
  | Risk is mitigated by process design | Performance is influenced by process design |
  | Feedback is obtained through Risk Indicators assigned to systems and processes | Feedback is obtained through Performance Indicators assigned to systems and processes |
  | Risk is mitigated through optimized processes | Performance objectives are achieved through optimized processes |

- Slide 14: Case Study: Where’s the Money?
- Slide 15: Case Study
  - Payroll process at Australian university
    - Failed in June 2005
    - 2000+ employees not paid in time
    - Expensive mediation procedure
  - Reasons
    - Data entry mistake
    - Established mitigation procedure (double sign-off) failed
    - Lack of risk awareness
- Slide 16: Payroll Process
- Slide 17: Process without Control Activities
- Slide 18: Common Risk Modeling
- Slide 19: Risk Properties
  - Risk owner
  - Risk category (e.g. Financial, Operational, Market, Strategic)
  - Last risk evaluation
  - Review period
  - Risk occurrence history
  - Quantitative & Qualitative evaluation:
    - Amount of damages
    - Occurrence frequency
- Slide 20: Control Activity Properties
  - Key Control Activity (Yes/No)
  - Control type, e.g. preventive, reactive
  - Control category, e.g. audit, password
  - Design effectiveness
  - Operating effectiveness
  - Manual / Automated
- Slide 21: Closer Look At The Process
- Slide 22: Component Risk
- Slide 23: A Closer Look: Faults, Errors, Failures
- Slide 24: Risk = Faults, Errors, and Failures
  - Fault
    - Vulnerability of a process that may lead to process failure
    - Error-enabling context
    - Can be active or dormant
    - Example: Unavailability of a database server
  - Error
    - Action that may lead to failure
    - Example: Attempt to retrieve data from the unavailable DB
  - Failure
    - Event, when process output deviates from correct output
    - Example: Process aborts due to lack of necessary data
- Slide 25: Chain of Threats
  - Faults enable Errors
  - But errors might not happen for a long time
  - Process design should strive to minimize faults
  - If faults cannot be avoided we need error detection
- Slide 26: Chain of Threats
  - Errors may lead to Failures
  - Options: prevention, detection, or mitigation
  - If faults are known, we can minimize errors: poka-yoke
  - Cost, effort play a role
- Slide 27: Chain of Threats
  - Failures become visible at Interfaces
  - Noticeable once the process result leaves your hands
  - Service interfaces can be described in a hierarchical fashion
  - Interfaces are unsuitable for error mitigation: Point of No Return = time of hand-over – recovery time
- Slide 28: Fault/Error/Failure in Context
- Slide 29: Fault Latency (diagram labels: Inexperienced Staff Member on Duty; Data Entry Mistake; Fault; Complacent Staff; Error; Faulty Payroll Run Approved; Failure; Faulty Payroll Run Transmitted)
- Slide 30: Where to Look First: Priorities
- Slide 31: Prioritize: Not All Failures are Equal (matrix)
  - Likelihood: Unlikely; Seldom; Occasional; Likely; Frequent
  - Effect: Loss of Process Capability; Loss of Process Instance; Compromise of Process Instance Goal; Minor effect or obstruction
- Slide 32: Process Objectives
- Slide 33: Risk/Goal Matrix
- Slide 34: Matching Mitigation? Understand Risks – Then Manage Them (Source: zur Muehlen, Rosemann (2005))
- Slide 35: Evaluation of Process Design Alternatives

  | Alternative | Entry cost | Approval cost | Probability: incorrect data entry | Probability: error missed during approval process | Comb. risk | Rectific. cost | Utility |
  | --- | --- | --- | --- | --- | --- | --- | --- |
  | 1. single entry, single approval | $1,000 | $500 | 0.05 | 0.3 | 0.015 | $250,000 | -$5,250 |
  | 2. double entry, single approval | $2,000 | $500 | 0.0025 | 0.3 | 0.00075 | $250,000 | -$2,688 |
  | 3. single entry, double approval | $1,000 | $1,000 | 0.05 | 0.09 | 0.0045 | $250,000 | -$3,125 |
  | 4. double entry, double approval | $2,000 | $1,000 | 0.0025 | 0.09 | 0.000225 | $250,000 | -$3,056 |
- Slide 36: Sensitivity Analysis: alternative with the best utility. Rows: probability of data entry error. Columns: probability of error being missed during the approval process.

  | Data entry error | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 | 0.9 |
  | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
  | 0.01 | alt 1 | alt 1 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
  | 0.05 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
  | 0.1 | alt 3 | alt 2 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 2 | alt 2 |
  | 0.15 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.2 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.25 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.35 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.4 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.45 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.5 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.7 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
  | 0.9 | alt 3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
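The evaluation on slides 35 and 36, recomputed as an added example that is not part of the original deck. The formulas are an assumption inferred from the slides' figures: a second entry or approval pass doubles that step's cost and squares its error probability, and utility is the negative of control cost plus combined risk times rectification cost.

```python
# Added example: recomputes the slide 35 table and the slide 36 grid.
# Assumption: the cost model below is inferred from the slides' numbers.

ENTRY_COST = 1000             # cost of one data entry pass (slide 35)
APPROVAL_COST = 500           # cost of one approval pass (slide 35)
RECTIFICATION_COST = 250_000  # cost of fixing a faulty payroll run (slide 35)

# alternative number -> (entry passes, approval passes)
ALTERNATIVES = {
    1: (1, 1),  # single entry, single approval
    2: (2, 1),  # double entry, single approval
    3: (1, 2),  # single entry, double approval
    4: (2, 2),  # double entry, double approval
}


def utility(alt, p_entry_error, p_missed):
    """Negative expected cost of one alternative, rounded to cents."""
    entries, approvals = ALTERNATIVES[alt]
    # Repeated controls are treated as independent: the error only
    # survives if every entry pass and every approval pass lets it through.
    combined_risk = (p_entry_error ** entries) * (p_missed ** approvals)
    control_cost = entries * ENTRY_COST + approvals * APPROVAL_COST
    return -round(control_cost + combined_risk * RECTIFICATION_COST, 2)


def best_alternative(p_entry_error, p_missed):
    """Alternative with the highest utility; ties go to the lower number."""
    return max(
        ALTERNATIVES,
        key=lambda a: (utility(a, p_entry_error, p_missed), -a),
    )


def sensitivity_grid(entry_probs, missed_probs):
    """Best alternative for every (entry error, missed approval) pair."""
    return {
        pe: [best_alternative(pe, pm) for pm in missed_probs]
        for pe in entry_probs
    }


if __name__ == "__main__":
    for alt in ALTERNATIVES:
        print(alt, utility(alt, 0.05, 0.3))
    missed = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]
    for pe, row in sensitivity_grid([0.01, 0.1, 0.9], missed).items():
        print(pe, row)
```

At a data entry error probability of 0.1 and a missed-approval probability of 0.2, alternatives 2 and 3 tie under this model; the tie-break toward the lower number matches the "alt 2" shown on slide 36.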
- Slide 37: From Control Activities to Control Patterns
- Slide 38: Managing Risks
- Slide 39: Risk Management Strategies

  | Risk Mgmt. Strategy | Description | Examples |
  | --- | --- | --- |
  | Mitigation | Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them. | Standardized process routing; Formalized exception handling; Complete kit processing; Collaboration, checks & balances |
  | Avoidance | Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with. | Process redesign |
  | Transfer | Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts. | Process Outsourcing; Purchase of Insurance Policies |
  | Acceptance/Assumption | Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy. | Adaptation to regulatory requirements |
- Slide 40: Compliance
  - Compliance means adherence to rules and regulations
  - Process models provide execution rules
    - Control flow: What happens when?
    - Task allocation: Who is involved?
    - Role models: Who may do what?
  - But what about context?
    - Business object dependencies: Value/Customer Type
    - Environmental dependencies: Season/Off-season processing
    - Regulatory compliance: Documentation/Audit
    - Correlation of multiple processes
- Slide 41: Distinguish between Soft and Hard Constraints
  - Hard Constraints: Process Rules
    - Data dependencies
    - Resource dependencies
    - Must not be violated
    - Failure can lead to process breakage
  - Soft Constraints: Business Rules
    - Risk mitigation activities
    - Documentation
    - Checks and Balances
    - Can be worked around
    - Failure can lead to non-compliance
- Slide 42: Managing Risk with BPMS
  - Use formal Process Models to limit process non-compliance
  - Process Models can be scripts or maps
    - If Scripts: Use BPMS to automate control flow, task allocation, application/service invocation
    - If Maps: Use collaborative tools to allow execution flexibility
  - BPMS provide risk management services
    - Authorizations / Access Control
    - Enforcement of routings, reviews
    - Audit capability to document compliance
- Slide 43: Managing Risk with BRMS
  - Use Business Rules to limit contextual non-compliance
    - Document process objectives to prevent business rules from turning into process rules
    - Performance Objectives combine BAM with BRMS
    - Decision rules allow context-dependent enforcement of oversight
  - Use Business Rules Management System to enforce compliance
    - Document rules limit the state changes on documents
    - Example: Can’t go from draft to approved without review
    - Customer rules configure case handling
- Slide 44: Takeaways
  - Map Risks from different angles
    - Faults (can’t eliminate all)
    - Errors (prevent, detect, mitigate)
    - Failure (where is the point-of-no-return?)
  - Use Process Objectives to determine critical risk factors
  - Use Scenario Techniques to test different risk management strategies
  - Compliance refers to Process Rules and Business Rules
    - Don’t confuse the two
  - BPMS can help document and audit process rules
  - BRMS can help enforce contextual rules
- Slide 45: Crisis = Risk + Opportunity
- Slide 46: Thank You
  - Michael zur Muehlen, Ph.D., Center of Excellence in Business Process Innovation, Howe School of Technology Management, Stevens Institute of Technology, Castle Point on the Hudson, Hoboken, NJ 07030
  - Phone: +1 (201) 216-8293
  - Fax: +1 (201) 216-5385
  - E-mail: mzurmuehlen@stevens.edu
  - Web: http://www.cebpi.org
  - 5th International Conference on Business Process Management, Brisbane, Australia, 25-27 September 2007, http://bpm07.fit.qut.edu.au/
- Slide 47: Publications
  - Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.
  - zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).
  - zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.
  - PDFs available at: http://www.cebpi.org


