Embedding governance risk and compliance (GRC) elements in business process modeling

Understanding an entity's business processes is a precondition for assessing process-level risks and controls. Despite this, little work has been done on integrating governance, risk and compliance (GRC) concerns into how business process models are designed and deployed. This paper surveys and elaborates the available business process modeling grammars that integrate risk and control aspects with business process models. Because process models are among the artifacts commonly produced in system development, incorporating risk and control considerations into them should help analysts and designers better accommodate the governance dimension of system development. Selected studies are discussed from the viewpoint of how they integrate risk elements with business process models. Two streams of approach are identified: those that embed risk and control elements as part of the formal design of the model, and those that embed them to support the user's analytical purposes.