Integration of Risk Aspects into Business Process Modeling

  • Tobias Anton
  • Richard Lackes
  • Markus Siepermann
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 245)


Regulatory rules force most enterprises to implement a risk management system with detailed documentation of their risk situation. In parallel, business processes, which can be both source and target of risks, are systematically documented. Hence, it seems obvious to combine both tasks. Despite the long-lasting research focus on risk management and business process management, only a few approaches exist that try to fully integrate risk aspects into business process models. Most methods consider risk management only partly. This paper therefore develops a comprehensive concept for the integration of risk aspects into business process modeling. It is based on the Business Process Model and Notation (BPMN) 2.0, which only needs to be extended carefully.


BPMN, Business processes, Business process modeling, Risk management



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Tobias Anton (1)
  • Richard Lackes (1)
  • Markus Siepermann (1)
  1. Faculty of Business, Economics and Social Sciences, Department of Business Information Management, TU Dortmund University, Dortmund, Germany
