Automated Risk Mitigation in Business Processes

This paper proposes a concrete approach for the automatic mitigation of risks that are detected during process enactment. Given a process model exposed to risks, e.g. a financial process exposed to the risk of approval fraud, we enact this process and as soon as the likelihood of the associated risk(s) is no longer tolerable, we generate a set of possible mitigation actions to reduce the risks’ likelihood, ideally annulling the risks altogether. A mitigation action is a sequence of controlled changes applied to the running process instance, taking into account a snapshot of the process resources and data, and the current status of the system in which the process is executed. These actions are proposed as recommendations to help process administrators mitigate process-related risks as soon as they arise. The approach has been implemented in the YAWL environment and its performance evaluated. The results show that it is possible to mitigate process-related risks within a few minutes.
