Operational Risk Management and BPM
May 22-24, 2007 Washington Dulles Hilton
The Business Transformation Conference
Michael zur Muehlen, Ph.D.
Asst. Professor of Information Systems
Stevens Institute of Technology
Session Title: Operational Risk Management and BPM
Welcome to Transformation and Innovation 2007: The Business Transformation Conference
What this Talk is About
  Risk: Driving Process Management
  What are operational risks in the context of BPM?
  How to identify operational risks
  How to prioritize operational risks
  How to make better decisions based on risk information
Motivation
Drivers for Business Process Management (BPM)
Performance
  Business Process Improvement
  Engineering of Process-aware IS
Compliance
  Mandated compliance (e.g. SOX)
  Desired compliance (e.g. ISO, ITIL)
You’re Hired
Process: New Hire Integration
  Background Check
  Allocation of office space
  Reservation of phone, pager
  Creation of access rights in operational systems
Problem: Lost productivity due to late provisioning of work infrastructure
Automating the process coordination reduced cycle time from 2 week average to 2 days
BPM Goal: Performance
You’re Fired
Process: Employee Termination
  Removal of computer access rights
  Collection of company-issued phone, pager, access card
  Removal from employee directory
Problem: Not all equipment is collected, access rights remain after an employee leaves
Automating the process coordination ensures that no step is forgotten
BPM Goal: Compliance
Operational Process Risk
Operational Risk:
  Probability that a process will either fail to meet its objectives or make excessive use of resources to meet them
  A degradation in process output or process consistency
  Can be valued financially
Risk is an inherent property of any business process
Quantifying operational risk exposure is difficult
Process and Risk Management
[Diagram labels: Process; Risk; Process-oriented Risk Management; Risk-oriented Process Management]
Process-Risk Management
  How can we systematically identify operational process risk?
  How can we represent risk in popular process modeling methods?
  How can we quantify the risk exposure of processes and portfolios?
  How can we determine the cost effectiveness of process controls?
  How can we support risk-aware process design?
Risk Management Lifecycle
Potential Benefits
Systematic measurement of Process Risk enables us to:
  Provide risk-adjusted process configurations
  Manage the risk of process portfolios
  Determine the capital reserve necessary to cover operational risk contingencies
  Design fault-tolerant processes
Risk Management and BPM
| Risk Management | BPM |
|---|---|
| Focused on ensuring value for stakeholders | Focus on providing value for stakeholders |
| Risk is an inherent property of business processes | Performance depends on effectiveness of business processes |
| Risk is mitigated by process design | Performance is influenced by process design |
| Feedback is obtained through Risk Indicators assigned to systems and processes | Feedback is obtained through Performance Indicators assigned to systems and processes |
| Risk is mitigated through optimized processes | Performance objectives are achieved through optimized processes |

Compare Frew (2006)
Case Study: Where’s the Money?
Case Study
Payroll process at Australian university
  Failed in June 2005
  2000+ employees not paid in time
  Expensive mediation procedure
Reasons
  Data entry mistake
  Established mitigation procedure (double sign-off) failed
  Lack of risk awareness
Payroll Process
Process without Control Activities
Common Risk Modeling
Risk Properties
  Risk owner
  Risk category (e.g. Financial, Operational, Market, Strategic)
  Last risk evaluation
  Review period
  Risk occurrence history
  Quantitative & Qualitative evaluation:
    Amount of damages
    Occurrence frequency
Control Activity Properties
  Key Control Activity (Yes/No)
  Control type, e.g. preventive, reactive
  Control category, e.g. audit, password
  Design effectiveness
  Operating effectiveness
  Manual / Automated
Closer Look At The Process
Component Risk
A Closer Look: Faults, Errors, Failures
Risk = Faults, Errors, and Failures
Fault
  Vulnerability of a process that may lead to process failure
  Error-enabling context
  Can be active or dormant
  Example: Unavailability of a database server
Error
  Action that may lead to failure
  Example: Attempt to retrieve data from the unavailable DB
Failure
  Event, when process output deviates from correct output
  Example: Process aborts due to lack of necessary data
Chain of Threats
Faults enable Errors
  But errors might not happen for a long time
  Process design should strive to minimize faults
  If faults cannot be avoided we need error detection
Chain of Threats
Errors may lead to Failures
  Options: prevention, detection, or mitigation
  If faults are known, we can minimize errors: poka-yoke
  Cost, effort play a role
Chain of Threats
Failures become visible at Interfaces
  Noticeable once the process result leaves your hands
  Service interfaces can be described in a hierarchical fashion
  Interfaces are unsuitable for error mitigation:
    Point of No Return = time of hand-over – recovery time
Fault Latency
[Diagram labels: Fault; Error; Failure; Inexperienced Staff Member on Duty; Data Entry Mistake; Faulty Payroll Run Approved; Complacent Staff; Faulty Payroll Run Transmitted]
Where to Look First: Priorities
Prioritize: Not All Failures are Equal
[Matrix of Effect against Likelihood]
Likelihood (columns): Unlikely; Seldom; Occasional; Likely; Frequent
Effect (rows): Loss of Process Capability; Loss of Process Instance; Compromise of Process Instance Goal; Minor effect or obstruction
Process Objectives
Risk/Goal Matrix
Understand Risks – Then Manage Them
Source: zur Muehlen, Rosemann (2005)
Matching Mitigation?
Evaluation of Process Design Alternatives
| Alternative | Entry cost | Approval cost | Probability: incorrect data entry | Probability: error missed during approval process | Comb. risk | Rectific. cost | Utility |
|---|---|---|---|---|---|---|---|
| 1. single entry, single approval | $1,000 | $500 | 0.05 | 0.3 | 0.015 | $250,000 | -$5,250 |
| 2. double entry, single approval | $2,000 | $500 | 0.0025 | 0.3 | 0.00075 | $250,000 | -$2,688 |
| 3. single entry, double approval | $1,000 | $1,000 | 0.05 | 0.09 | 0.0045 | $250,000 | -$3,125 |
| 4. double entry, double approval | $2,000 | $1,000 | 0.0025 | 0.09 | 0.000225 | $250,000 | -$3,056 |
Sensitivity Analysis
Alternative with the best utility
Rows: probability of data entry error. Columns: probability of error being missed during the approval process.

| P(entry error) | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 | 0.9 |
|---|---|---|---|---|---|---|---|---|---|
| 0.01 | alt 1 | alt 1 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
| 0.05 | alt 3 | alt 3 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 | alt 2 |
| 0.1 | alt 3 | alt 2 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 2 | alt 2 |
| 0.15 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.2 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.25 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.35 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.4 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.45 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.5 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.7 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
| 0.9 | alt 3 | alt 3 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 | alt 4 |
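The utilities in the design-alternatives table and the choices in the sensitivity grid can be recomputed with a short model. This is an added example, not part of the original slides: the utility formula (negative of control cost plus combined risk times rectification cost) and the assumption that repeated entries and approvals fail independently are inferred from the slides' figures, and all function names are hypothetical.

```python
# Added example. The model is inferred from the slide's numbers, not stated on it:
# double entry squares the entry-error probability (0.05 -> 0.0025) and
# double approval squares the miss probability (0.3 -> 0.09).
from itertools import product

RECTIFICATION_COST = 250_000   # slide figure: cost of rectifying a faulty run
ENTRY_COST_EACH = 1_000        # slide figure: $1,000 single, $2,000 double entry
APPROVAL_COST_EACH = 500       # slide figure: $500 single, $1,000 double approval

# alternative -> (number of data entries, number of approvals)
ALTERNATIVES = {
    "alt 1": (1, 1),
    "alt 2": (2, 1),
    "alt 3": (1, 2),
    "alt 4": (2, 2),
}


def combined_risk(p_entry, p_missed, entries, approvals):
    """Probability a wrong run gets through: every entry is wrong and
    every approval misses it (assumes the controls fail independently)."""
    return (p_entry ** entries) * (p_missed ** approvals)


def utility(p_entry, p_missed, entries, approvals):
    """Negative expected cost: control cost plus expected rectification cost."""
    control_cost = entries * ENTRY_COST_EACH + approvals * APPROVAL_COST_EACH
    risk = combined_risk(p_entry, p_missed, entries, approvals)
    return -(control_cost + risk * RECTIFICATION_COST)


def best_alternative(p_entry, p_missed):
    """Alternative with the highest utility for the given probabilities."""
    return max(ALTERNATIVES,
               key=lambda name: utility(p_entry, p_missed, *ALTERNATIVES[name]))


def sensitivity_grid(entry_probs, missed_probs):
    """Best alternative for every (entry error, missed error) probability pair."""
    return {(pe, pm): best_alternative(pe, pm)
            for pe, pm in product(entry_probs, missed_probs)}


if __name__ == "__main__":
    for name, (entries, approvals) in ALTERNATIVES.items():
        print(f"{name}: utility {utility(0.05, 0.3, entries, approvals):,.2f}")
    for cell, alt in sensitivity_grid([0.01, 0.05, 0.15, 0.9], [0.1, 0.3, 0.5]).items():
        print(cell, alt)
```

Near the boundaries between alternatives the utilities differ by only a few dollars, so small changes in the estimated probabilities change which control design wins.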
From Control Activities to Control Patterns
Managing Risks
Risk Management Strategies
| Risk Mgmt. Strategy | Description | Examples |
|---|---|---|
| Mitigation | Reduces the probability of a risk and/or the impact that results from the occurrence of a risk. Aims at the implementation of controls that dampen the effects of risk occurrences, while not completely alleviating them. | Standardized process routing; Formalized exception handling; Complete kit processing; Collaboration, checks & balances |
| Avoidance | Eliminates the probability of a specific risk before it materializes. Normally realized by trading the risk for other risks that are less threatening or easier to deal with. | Process redesign |
| Transfer | Shifts risk or the consequences caused by risk from one party to another. Also called “risk sharing”. May involve the purchase of an insurance policy, or the outsourcing of risky project parts. | Process Outsourcing; Purchase of Insurance Policies |
| Acceptance/Assumption | Adapts to the unavoidability of the risk. A risk contingency plan is required in this strategy. | Adaptation to regulatory requirements |
Compliance
Compliance means adherence to rules and regulations
Process models provide execution rules
  Control flow: What happens when?
  Task allocation: Who is involved?
  Role models: Who may do what?
But what about context?
  Business object dependencies: Value/Customer Type
  Environmental dependencies: Season/Off-season processing
  Regulatory compliance: Documentation/Audit
  Correlation of multiple processes
Managing Risk with BPMS
Use formal Process Models to limit process non-compliance
  Process Models can be scripts or maps
  If Scripts: Use BPMS to automate control flow, task allocation, application/service invocation
  If Maps: Use collaborative tools to allow execution flexibility
BPMS provide risk management services
  Authorizations / Access Control
  Enforcement of routings, reviews
  Audit capability to document compliance
Managing Risk with BRMS
Use Business Rules to limit contextual non-compliance
  Document process objectives to prevent business rules from turning into process rules
  Performance Objectives combine BAM with BRMS
  Decision rules allow context-dependent enforcement of oversight
Use Business Rules Management System to enforce compliance
  Document rules limit the state changes on documents
  Example: Can’t go from draft to approved without review
  Customer rules configure case handling
Takeaways
Map Risks from different angles
  Faults (can’t eliminate all)
  Errors (prevent, detect, mitigate)
  Failure (where is the point-of-no-return?)
Use Process Objectives to determine critical risk factors
Use Scenario Techniques to test different risk management strategies
Compliance refers to Process Rules and Business Rules
  Don’t confuse the two
  BPMS can help document and audit process rules
  BRMS can help enforce contextual rules
Crisis = Risk + Opportunity
Thank You
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone: +1 (201) 216-8293
Fax: +1 (201) 216-5385
E-mail: [email protected]
http://www.cebpi.org
5th International Conference on Business Process Management
Brisbane, Australia, 25-27 September 2007
http://bpm07.fit.qut.edu.au/
Publications
Neiger, Dina; Churilov, Leonid; zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models with Value Focused Process Engineering. In: Proceedings of the 2006 European Conference on Information Systems (ECIS 2006), Goteborg, Sweden, June 12-14, 2006.
zur Muehlen, Michael; Rosemann, Michael: Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30-December 2, 2005. (Winner of Best Paper Award).
zur Muehlen, Michael; Ho, Danny Ting-Yi: Risk Management in the BPM Lifecycle. In: Bussler, Christoph; Haller, Armin (Eds.): Business Process Management Workshops: BPM 2005 International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM, BPS, Nancy, France, September 5, 2005. Revised Selected Papers, Springer LNCS 3812, Berlin 2006, pp. 454-466.
PDFs available at: http://www.cebpi.org