Developing a Process-Oriented Notation for Modeling Operational Risks - A Conceptual Metamodel Approach to Operational Risk Management in Knowledge Intensive Business Processes within the Financial Industry

According to the Basel II committee, operational risks are the least understood and least manageable risks in banks. Operational risks in banks are closely linked to the underlying business process landscape. Recently, researchers have suggested modeling this process landscape in banks with new semantic business process modeling approaches. These enable banks not only to model their business processes more efficiently, but also to analyze them in a (semi-)automatic way for multiple purposes (e.g. process weakness identification, IT investment decisions, etc.). In this paper we extend such a semantic business process modeling language (SBPML) for banks with a risk view for modeling and analyzing operational risks in business process models from a conceptual modeling perspective. As a result of a case study at a bank seeking to combine business process management and risk management in an integrated approach, we present an enhanced metamodel of the SBPML, which enables banks to model and analyze their processes and operational risks in a holistic way.
