An Exploratory View on Risk Management Constructs for Business

Process Models

Gabriel Bolson Dalla Favera

1

, Denilson dos Santos Ebling

1

, Vinicius Maran

1

, Jonas Bulegon Gassen

academia and industry, with a structure that is easy to understand and use. It contains more than a hundred

elements referring to various concepts. However, it does not cover risk management constructs. In this paper,

we seek to identify the need and which aspects are important if we were to associate process models with risk

management. We performed an exploratory research method with experts in the area of risk management that

also work with process models. The work resulted various concepts that could be related in process models,

such as risk presentation, control activities and risk mitigation. We conclude that experts would like to have

such disciplines better integrated and that we have a starting point to design, for instance, a BPMN extension

to cover such aspects.

1 INTRODUCTION

With the increasing size and complexity of processes

future situations that have some impact in organiza-

tions, being mostly negative (Tsiga et al., 2017).

Business Process Modeling and notation (BPMN)

is one of the most widely used modeling notations. It

covers various stages of the BPM life cycle, allowing

to build process models (Panagacos, 2012). It is im-

portant to use modeling rules to build efficient process

models (Dumas et al., 2018). According to the Object

Management Group (OMG), responsible for the ar-

chitecture of BPMN, the notation does not have con-

Event-driven Process Chain (EPC) has an approach

that allows to inform risks and controls policy situa-

tions. Despite the literature discussion regarding pro-

cess models containing risk management constructs,

empirical analysis on the needs of such constructs is

lacking. This paper intends do give a step towards

this direction. We approach this point by means of

an exploratory research method. Experts in the areas

of processes and risk management answered a survey.

Our analysis in this point is mainly qualitative, seek-

tions, aim, participants, material and data cleansing.

Sections 5 presents the results from the survey. Fi-

nally, discussion and conclusions are presented, re-

spectively in Sections 6 and 7.

2 BACKGROUND

In order to better understand the development of the

paper, in the following sessions we present the related

main concepts and references. BPM, BPMN, EPC

and Risk Management are presented, respectively.

BPM seeks to ensure constant positive results and

deliver maximum value to companies by improving

their business processes (Panagacos, 2012).

The BPM life cycle has six stages (Dumas et al.,

2018; vom Brocke and Rosemann, 2015; Panagacos,

2012; Weske, 2012): (i) process identification, (ii)

process discovery, (iii) process analysis, (iv) process

redesign, (v) process implementation and (vi) process

or even only once (Weske, 2012). BPM has notations

and languages that allow to express and share their

processes with stakeholders (Panagacos, 2012).

BPMN is a notation containing a series of standard

process design icons (Weske, 2012), which enables

a better understanding of the designed business pro-

cesses. The models produced may differ depending

on the reason for which they are built.

Frequently, process participants perform very spe-

et al., 2018). However, just some of them are re-

ally used, less common symbols can be aggregated

according to the organization needs, e.g. in more

complex projects. In BPMN modeling there are four

groups of elements: flow objects, connecting objects,

swimlanes and artifacts (Dumas et al., 2018; Panaga-

cos, 2012; Weske, 2012).

to define the behavior of a business process, being di-

vided into threes types: activities, events and gate-

ment. They are divided into two categories: pool and

to the process, as well as being used to represent a

data input or output. Even though BPMN does not

contain many key elements, building a process model

involves following a few rules. Good modeling prac-

tices should be used which make the process easy for

those involved to understand (Mendling et al., 2010).

Concerning risk management, the BPMN regula-

tory body (OMG) does not define any type of ele-

ment that allows managing risks in process modeling.

Which may be seen as a disadvantage if compared to

EPC.

policies (AG, 2019).

There are some similarities with BPMN. Among

them, the exclusive, parallel and inclusive connectors,

functions and events (Mendling, 2008). In BPMN

pools and lanes are used to describe organizations,

positions, tasks and functions. In EPC elements of

the group of organizations are used, divided into or-

ganizational unit, position, position and group, which

are directly associated with functions (Scheer et al.,

2005). EPC contains data and risk elements group,

is performed. In a qualitative analysis are identified,

the causes, effects and forms of identification.

The measurement step seeks to define the proba-

bility and impact of each identified risk. At this step,

the nature of the risks and the impacts that may occur

to the project and organization objectives should be

identified. Usually using a quantitative analysis.

ments; (vi) Present security solutions; (vii) Ratio-

nalise security solutions.

The method allows eliciting security requirements

in business models, however a holistic method of se-

cure risk management is required. It benefits business

analytics by allowing to choose cost-effective solu-

tions that fit the business. The method allows for ear-

lier recognition of risks knowing that if it occurs later

resent risk management in BPMN models. We start

they consider a good idea or not to link both. For

this, we chose an exploratory research method, aim-

ing at a qualitative analysis (Recker, 2013; Wohlin

et al., 2012).

First, we present our assumptions, followed by the

aim of this paper. Then we present the demographics

of the participants. After that, we present the material

used to achieve our goal and finally the data cleansing

We assume that risk management is a very important

task and that it should be considered by companies, at

least by the ones applying some sort of control in this

regard. Consequently, we assume that it is a very im-

portant aspect to be considered when applying BPM.

Finally, we assume that would be important to present

such controls in BPMN models, from our understand-

ing at least the risks related to activities and forms to

For this work, we try to explore the view of special-

ists working with business processes and risk man-

agement. The idea is to better understand which infor-

mation could be interesting to have in BPMN models.

We collected data from eight specialists, they are col-

laborators of public and private organizations, and

of educational institutions. All participants are from

Brazil. In order to better understand our respondents,

(iii) work with BPMN, the answers were repeated as

for (i). For question (iv) work with risk management

in organizations, the answers had bigger variations.

Three respondents answered ”three years or more”.

Three answered ”between one and three years”. And

two answered ”between six months and a year”.

Based on these answers we can understand that

the participants had good knowledge in the required

concepts.

In order to gather data from experts, we performed a

In the first section, demographic questions were

asked, seeking information from the respondents.

Questions related basically to the time that each par-

ticipant has interacted with: processes, process mod-

els, BPMN and risk management. With this, we can

have an idea about the knowledge of the participants.

In the second section, we presented three ques-

tions about risks and process models that should be

answered with free text. Those referred to (i) which

information should be presented in process models to

Finally, in the third section, we presented ques-

tions related to our assumptions, these were presented

in the last section to not create bias. We asked four

questions with Likert scale (1 to 6) and three ques-

tions with free text.

Two out of ten participants claimed they never worked

with risk management. As we seek to explore the

ideas of risk management experts, we did not con-

sider their answers. Additionally, they replied ”I do

ment and process models were gathered. As presented

in Section 4, the first questions had free text answers

and their descriptions tried to avoid bias. In order to

analyse the resulting data, all the authors followed the

process bellow:

important concepts from each answer, based on

each persons point of view. There might be N ex-

tracted concepts per answer;

concepts (e.g. by three out of four authors). Try

to standardize concepts that have very similar

names;

Based on this process, Table 1 presents the results

from the first question.

Table 1: Question: Which risk management information

should be presented in the process models to improve your

work?

1

It is worth mentioning that the work to be improved

pointed out in this question relates to risk manage-

ment. From the results, we can understand that pre-

senting the risks was the most cited concept to be in

process models, followed by control activities. Which

conforms with our assumptions. Additionally, five

other concepts were mentioned by specialists. Con-

cepts that are related but distinct were grouped, the

leftmost query presents a number for each group. For

instance, risk handling could be merged to control ac-

cepts were mentioned by the specialists. One inter-

management should be put in the process model for

the executors. The specialist claimed that the model

the work from who performs the processes?

Extracted concepts Freq.

1

Risk presentation 3

Signaling critical points 2

2

Risk handling 2

Control activities 1

Risk mitigation 1

3 None 1

4 Relating info sources (e.g. normative) 1

1

Presenting risks 4

Presenting high impact risks 1

2 Agile tool for process monitoring 1

3 Querying standard processes via tools 1

4

Reviewing unnecessary controls 1

Reviewing uncontrolled risks 1

5 Risk mitigation 1

6 Risk-based process improvement 1

prove your organization. Note that here we impose

that actions to mitigate risks present in the process

model was the most cited aspect. Followed by pre-

participants to express what would be more interest-

ing from their point of view. The most frequent aspect

was risk presentation. Six more options were given by

the specialists. One expert mentioned that adding el-

ements to the model is not the most important thing,

but applying BPM and risk management together.

Section 5 presents the concepts extracted from the

free text answers gave by specialists. Some aspects

are clear, e.g. they believe that information about risks

should be presented in process models. Having that,

we understand that people would have a clear view on

steps of the process that should have higher attention.

In addition to the concept itself, some other sug-

gestions were made:

• Identify the risks altogether with the stakeholders

that work in each process;

tion actions additionally to risk presentation. Aside

the concepts, some other suggestions refer to:

• Presenting the risk will make it easier for the ex-

ecutor, providing confidence;

• Where to find normative and manuals, also infor-

mation about handling the risk;

• Severity and repercussion also appear;

• Minimizing risks is important;

This answers bring the idea that experts see process

models as an additional vehicle to communicate how

stakeholders should perform their activities consider-

ing risk management.

When asking questions related to our assump-

tions: presenting risks and mitigation actions, we see

be taken into account, however not all information can

be fit into a process model.

Very few answers were negative on connecting

process models with risks, one of which concerns

model complexity. This is a very good point that

should be considered and it has been studied through-

out the literature (Mendling et al., 2010). Therefore,

the amount of information and presentation manner

have to be cautiously studied.

with more attention, avoiding risky situations.

Although in this paper we focus on a exploratory

qualitative analysis and no statistical tests were per-

formed, external validity could be improved by in-

creasing the number of specialists. Also, having spe-

cialists from different countries would be interesting.

With the application of a survey, we had a trade-

off, on the good side we were able to reach more spe-

cialists. On the bad side, we lost some power of un-

7 CONCLUSIONS

identify its importance. To this end, specialists from

Brazil answered a questionnaire about the importance

of risk management associated to modeling processes.

We had assumptions prior to this paper that presenting

risks and risk mitigation actions would be interesting.

Based on the results and discussions, it was possi-

ble to obtain a direction on concepts to associate risk

management with process models. Three concepts

were the most cited by the specialists: risk presen-

tation, control activities and risk mitigation. Aside of

many other information to be considered when plan-

ning to bring those areas together.

Therefore, this work contributes by providing a

starting point to create an adequate association ap-

ered. Experiments to test the extension will be carried

out. With this, we hope to allow experts from organi-

zations to apply the extension and improve risk man-

agement in their work places, better integrated with

BPM.

ACKNOWLEDGEMENTS

Special thanks to Col

´

dade Federal de Santa Maria, Brazil.

REFERENCES

Chapelle, A. (2019). Operational Risk Management - Best

Cope, E., K

Dumas, M., La Rosa, M., Mendling, J., and Reijers, H.

Mendling, J., Reijers, H., and Aalst, W. M. P. (2010). Seven

Moeller, R. R. (2011). COSO Enterprise Risk Management:

Establishing Effective Governance, Risk, and Compli-

ance Processes. John Wiley & Sons, 2nd edition edi-

tion.

OMG (2011). Business process model and notation (bpmn).

Accessed: may of 2019.

Panagacos, T. (2012). The ultimate guide to business pro-

cess management, pages 8–24. 1 edition.

Radloff, M., Schultz, M., and N

Verlag Berlin Heidelberg, 1 edition.

Scheer, A.-W., Thomas, O., and Adam, O. (2005). Process

modeling using event-driven process chains. pages

119–145.

Tsiga, Z., Emes, M., and Smith, A. (2017). Implementation

of a risk management simulation tool.

Tummala, V. and Schoenherr, T. (2011). Assessing and

managing risks using the supply chain risk manage-

ment process (scrmp). Supply Chain Management:

An International Journal, 16:474–483.

Wohlin, C., Runeson, P., H

B., and Wessl

´

en, A. (2012). Experimentation in Soft-

ware Engineering. Springer-Verlag Berlin Heidel-

berg, 1 edition.

zur Muehlen, M. and Rosemann, M. (2005). Integrating

risks in business process models. ACIS 2005 Proceed-

ings - 16th Australasian Conference on Information

Systems.