Value at Risk Within Business Processes: An Automated IT Risk Governance Approach

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9850)


Business processes are core operational assets to control firms’ efficiency in value generation. However, the execution and control of business processes are increasingly dependent on Information Technology (IT). Therefore, the risks that arise from relying on IT in business processes must be quantified. This paper proposes the adaptation of the Value at Risk (VaR) financial technique to measure the level of risk within a process portfolio. This is done by quantifying the impact resulting from changes in the performance of IT services. The probability of IT risks is measured daily in order to model the volatility of IT services, especially when they are flexible and changeable. The proposed method enables predicting and estimating the losses of IT risks and their effect on dependent business processes over a time horizon. The incorporation of risk management mechanisms enriches business processes with organizational management capabilities.


Keywords: Risk analysis, Process portfolio, IT assets, Value at risk



The authors would like to thank Fabian Arias who collaborated in the validation of this work.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Systems and Computing Engineering Department, School of Engineering, Universidad de los Andes, Bogotá, Colombia
