BPRIM: An integrated framework for business process management and risk management

Abstract

Enterprise engineering deals with the design of processes which aim to improve the structure and efficiency of business organizations. It develops approaches based on modeling techniques, particularly on business process modeling, to ensure the quality and the global consistency of enterprise strategies and expectations. Nowadays, risk consideration in enterprise engineering is a growing concern since the business environment is becoming more and more competitive, complex, and unpredictable. To face this concern, a paradigm named risk-aware business process management (R-BPM) has recently emerged. It seeks to integrate the two traditionally isolated fields of risk management and business process management. Despite the significant benefits that can arise from the use of R-BPM, it suffers from a lack of solid scientific foundations and dedicated tooling. The present research work contributes to bridging that gap in a twofold way: (i) by establishing the BPRIM (Business Process-Risk Integrated Method) framework, and (ii) by designing a dedicated tool, named ado BPRIM, which supports the efficient application of the BPRIM framework. This paper first comprehensively presents the foundation of BPRIM, which is based on three main components, and, secondly, its dedicated tool ado BPRIM, which was designed using the ADOxx meta-modeling platform. An evaluation with a real case study in the health care domain shows the relevance of the methodological framework.
