Risk Management and Business Process Management have long been acknowledged as distinct disciplines. They seem to be getting more comfortable with one another. Business Process Model & Notation (BPMN) has emerged in the past decade as a powerful tool for visualizing and even operationalizing business processes. In an effort to further enhance the value of BPMN, we experimented with ways to integrate elements of traditional risk management directly into business process models, thus improving the quality of those processes and increasing the percentage of positive business outcomes those processes achieve. In this first of a two-part series, we explore the context and precedents for our research; Part 2 will describe an innovative approach to incorporating risk management directly into business process models using the open source BPMN 2.0 tool.
The traditional risk management approach, often considered a subset of project management, does little to actually improve the quality of business processes. It rather focuses on disjoint analysis and recovery plans that are separate from the process that produced the risk event. By integrating risks and their potential outcomes directly into business process models, we see a clearer connection between our operational workflows and the myriad risks inherent to each process. Let’s review some of the milestones along the path to where we are in the interest of getting to where we want to be, that is, to a place where Business Process and Risk Management can be seamlessly integrated.
Originally developed in the early 1990s, KNOWVA (Knowledge Value-Added) is an innovative framework for identifying and targeting “soft” environmental factors that can influence the effectiveness of business processes. While not comprehensive in its approach to enhancing the value of business process models, the KNOWVA Framework does succeed in identifying the contextual factors that influence the perception of risk within business processes and addresses how these risks can be systematically identified and modeled.
Introduced in the early 2000s and refined over the past decade, Risk-Aware Process Modeling builds on KNOWVA and other developments to achieve a link between a risk taxonomy and a business process taxonomy. Risk-Aware Process Modeling refines these previous methods by subdividing the task into a set of four different model types: the Risk Structure model, the Risk Goal model, the Risk State model, and Event-driven Process Chains (EPCs) that have been extended to include risks. This modeling notation, put forth by the research team of zur Muehlen and Rosemann, is based upon the Architecture of Integrated Information Systems (ARIS) and Event-driven Process Chain (EPC) extensions, though the concept is translatable to other notations, including the Unified Modeling Language (UML) and BPMN.
Another team of researchers, Neiger, Rotaru, and Caulfield, has developed a unique method of modeling risk minimization objectives in parallel with business processes and then combining the two models into a unified structure. The technique borrows heavily from a prior process methodology developed in the 1990s, value-focused process engineering (VFPE), and augments it by applying classic risk analysis techniques and linking the findings to the risk-prone activities in the process. This approach provides a procedural method for identifying process-related risk and associating those risks with the business process model.
The model proposed by Neiger, Rotaru, and Caulfield is related to zur Muehlen and Rosemann's Risk Goal Model. While both of these methods attempt to correlate risk events identified using a classical hierarchical approach with a separately-defined business process model, neither goes as far as to actually represent the alternative process paths that these risk events would trigger.
This leaves us with a need to assimilate the best features of what’s been done to date and take this integration one step further so that the risk events themselves and their recovery plans are both built directly into the business process model from the start. To reinforce our integrated approach, we’ve found that the best place to start is to use BPMN 2.0 as the notation standard.
There are several elements of BPMN, some newly-introduced in the BPMN 2.0 specification, that facilitate the modeling of risk in line with a business process model. These include swimlane constructs, data objects, event-based gateways (new to BPMN 2.0), intermediate message events, and message flows. Since occurrences of risk in a business process will be represented as events, it is important that we understand the way in which BPMN 2.0 supports the representation of event-driven process models in general, before we explore how this type of approach can be used to reflect risk.
Previous process modeling notations (including BPMN itself, prior to 2.0) had notable limitations. One of these, a particular challenge that arose when modeling processes for execution, was the tight coupling between swimlanes (roles) and sub-processes. Historically, it was very difficult to divide a complex process into deployable, short-running sub-processes, without also defining some overarching construct that served as a “manager” for the various pieces. In reality, rather than creating loosely coupled microflows, we were simply changing what the pieces were coupled to. Event-driven processes provide the solution to this dilemma by allowing the process modeler to define the independent microflows that will be used to respond to the many business events that can occur within an organization. With BPMN 2.0, the Event-based Gateway can be used to represent the point where one role (lane) within the process ceases activity and waits for the next business event to occur.
The introduction of the Event-based Gateway construct in BPMN 2.0 was really the key enabler that allows modeling of event-driven processes using this standard notation. An Event-based gateway can essentially be viewed as a “hold” in the process, more specifically, within one lane of the process. Regardless of the specific process being modeled, the activity immediately preceding the gateway basically amounts to “Wait for something to happen.” The various somethings that could happen are then modeled as intermediate message receive events flowing out of the gateway. The semantics of this combination of elements indicate that any of the modeled events could occur at this point in the process, and whichever one happens first will be responded to. Parallel and Exclusive (instantiate) permutations of the Event-based Gateway exist as well, but the semantics of these elements are not relevant to the topic at hand.
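The gateway pattern described above, written out in BPMN 2.0 XML as an added example that is not from the original article or from any particular modeling tool. All ids, names and messages (an approval reply and a supplier-default notice standing in for a risk event) are constructed for illustration, and diagram layout information is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: all ids, names and messages are illustrative. -->
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                  id="Defs_Example"
                  targetNamespace="http://example.com/bpmn/event-gateway">

  <!-- The business events this lane can react to -->
  <bpmn:message id="Msg_Approved" name="OrderApproved"/>
  <bpmn:message id="Msg_SupplierDefault" name="SupplierDefaultNotice"/>

  <bpmn:process id="Proc_Purchasing" isExecutable="false">
    <bpmn:startEvent id="Start"/>
    <bpmn:task id="Task_Submit" name="Submit purchase order"/>

    <!-- The "hold": the lane stops here and waits for something to happen -->
    <bpmn:eventBasedGateway id="Gw_Wait" name="Wait for next event"/>

    <!-- Each possible "something" is an intermediate message catch event.
         Whichever message arrives first decides the path; once it fires,
         the other branch is no longer taken. -->
    <bpmn:intermediateCatchEvent id="Ev_Approved" name="Order approved">
      <bpmn:messageEventDefinition messageRef="Msg_Approved"/>
    </bpmn:intermediateCatchEvent>
    <bpmn:intermediateCatchEvent id="Ev_Default" name="Supplier default reported">
      <bpmn:messageEventDefinition messageRef="Msg_SupplierDefault"/>
    </bpmn:intermediateCatchEvent>

    <!-- One response per event: the normal path and the recovery path -->
    <bpmn:task id="Task_Fulfil" name="Schedule delivery"/>
    <bpmn:task id="Task_Recover" name="Switch to alternate supplier"/>
    <bpmn:endEvent id="End_Normal"/>
    <bpmn:endEvent id="End_Recovered"/>

    <bpmn:sequenceFlow id="F1" sourceRef="Start" targetRef="Task_Submit"/>
    <bpmn:sequenceFlow id="F2" sourceRef="Task_Submit" targetRef="Gw_Wait"/>
    <bpmn:sequenceFlow id="F3" sourceRef="Gw_Wait" targetRef="Ev_Approved"/>
    <bpmn:sequenceFlow id="F4" sourceRef="Gw_Wait" targetRef="Ev_Default"/>
    <bpmn:sequenceFlow id="F5" sourceRef="Ev_Approved" targetRef="Task_Fulfil"/>
    <bpmn:sequenceFlow id="F6" sourceRef="Ev_Default" targetRef="Task_Recover"/>
    <bpmn:sequenceFlow id="F7" sourceRef="Task_Fulfil" targetRef="End_Normal"/>
    <bpmn:sequenceFlow id="F8" sourceRef="Task_Recover" targetRef="End_Recovered"/>
  </bpmn:process>
</bpmn:definitions>
```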
By using these powerful features of BPMN in conjunction with classic Risk Management techniques, we are able to establish a much more robust model of our enterprise. The value of incorporating risk into business process models should not be underestimated. Not only does an integrated model such as this provide a better understanding of risks that threaten an organization’s success, it can also bring to light the points in a process when it may be advantageous to explore an opportunity. Part 2 of this series will describe a unique approach for accomplishing this goal.