Value at Risk Within Business Processes: An Automated IT Risk Governance Approach
Business processes are core operational assets to control firms’ efficiency in value generation. However, the execution and control of business processes are increasingly dependent on Information Technology (IT). Therefore, the risks that arise from relying on IT in business processes must be quantified. This paper proposes the adaptation of the Value at Risk (VaR) financial technique to measure the level of risk within a process portfolio. This is done by quantifying the impact resulting from changes in the performance of IT services. The probability of IT risks is measured daily in order to model the volatility of IT services, especially when they are flexible and changeable. The proposed method makes it possible to predict and estimate the losses from IT risks and their effect on dependent business processes over a time horizon. The incorporation of risk management mechanisms enriches business processes with organizational management capabilities.
Keywords: Risk analysis, Process portfolio, IT assets, Value at risk
The authors would like to thank Fabian Arias who collaborated in the validation of this work.