CMMN Modeling of the Risk Management Process Extended Abstract
Extended abstract
Tiago Barros Ferreira, Instituto Superior Técnico, [email protected]

ABSTRACT

Risk management is a development activity that plays an increasingly crucial role in the management of organizations. Because it is so valuable, organizations develop and implement enterprise risk management strategies that improve their business model and bring them better results. Enterprise risk management strategies are based on the implementation of a risk management process and a supporting structure. Together, this process and structure form a framework. The ISO 31000 standard is currently the main global reference framework for risk management, proposing the general principles and guidelines for risk management regardless of context. The most recent revision of the standard, ISO 31000:2018 [1], depicts the process of risk management as a case rather than a sequential process. To that end, the potential and limitations of the conceptual modeling language "Case Management Model and Notation" (CMMN) for the elaboration of the related diagrams, and of "Decision Model and Notation" (DMN) to model risk decisions, were explored. The application of the model is also demonstrated for a real case.

KEYWORDS

Risk, risk management, enterprise risk management, CMMN, DMN

1. Introduction

As described in [1], risk is the "effect of uncertainty on objectives", an effect being "a deviation from the expected". The effect can be positive, negative or both, and thus it can address, create or result in opportunities or threats. Still according to [1], risk can be expressed in terms of: (i) Risk sources: an element that, alone or in combination with others, has the potential to cause the risk; (ii) Potential events: occurrence or change of a particular set of circumstances; (iii) Consequences: outcome of an event that affects the objectives; (iv) Likelihood: chance of something happening.

In an organization, every process, from the simplest to the most complex, is subject to risks, and their consequences can have positive or negative effects on the organization's goals. Enterprise Risk Management (ERM) is thus a very important activity to support the achievement of the organization's goals. Risk management is defined as "coordinated activities to direct and control an organization with regard to risk" [1]. ERM, as a risk management activity, comprises the identification of the potential events in the whole organization that can affect the objectives, the respective risk appetite, and thus, with reasonable assurance, the fulfillment of the organization's goals [2].

Many organizations nowadays have their risk management framework documented, including the activities to identify their risks and their prevention measures. To this end, [1] is at this moment the main reference for risk management frameworks, proposing the general principles and guidelines for risk management regardless of context.

The guidelines for risk management processes described in [1] suggest a process in which the flow is not always deterministic, where the decision of which activity to perform next depends on the judgment of the case worker. Moreover, different techniques, such as those described in [3], may be applied in risk identification and should consider several factors such as causes, events, consequences and risk sources. These facts make the problem a relevant candidate to be modeled with CMMN, a modeling language that has recently established itself for this type of process.

This paper is structured in eight more sections. Section two describes the main concepts of risk management related to ISO 31000. Section three presents the concept of case management and the CMMN language. In section four a preliminary analysis of the problem is made, in which a CMMN modelling of the ISO 31000 risk management process is proposed. Section five presents the analysis and solution for the problem with the resulting CMMN models for the risk management process defined in the INCM's ERM framework [4]. Section six presents the UML models of the domain model and the use cases that will serve as the basis for the construction of an application (1) using the Outsystems (2) methodology. Section seven presents a comparative analysis of the two CMMN models that were built. The last section presents the conclusions of the dissertation and defines future steps to continue this dissertation.

(1) Work already started in another dissertation.
(2) https://www.outsystems.com/

2. Risk management concepts – ISO 31000:2018 standard

The risk management process described in [1] and illustrated in Figure 1 "should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, programme or project levels" [1]. It is up to each organization to adapt the risk management process to its goals and to the context in which it is inserted. However, the main reference activities of this process should be:

A) Scope, context and criteria: since the process can be applied at different levels, it is essential for the organization to clearly define the scope of its risk management activities and to understand the internal and external context in which it operates. For the definition of the risk criteria, the organization shall specify the magnitude and types of risk that it may or may not assume, considering its goals, values and resources.

B) Risk assessment: should be carried out in a systematic, iterative and collaborative manner, using the best available information. This activity is composed of the sub-activities risk identification, risk analysis and risk evaluation.

C) Risk identification: aims to "find, recognize and describe risks that might help or prevent an organization achieving its objectives" [1].

D) Risk analysis: aims to "comprehend the nature of the risk and its characteristics" [1]. Detailed consideration of the risk characteristics (uncertainties, sources, consequences, events, controls and their effectiveness) allows the risk level to be calculated where appropriate.

E) Risk evaluation: the results obtained in the risk analysis are compared with the risk criteria initially established in order to determine what action to take against the risks analyzed.

F) Risk treatment: based on the outcome of the risk evaluation activity, the process moves to the treatment phase, where risk treatment options are selected and implemented.

G) Monitoring and review: monitoring and reviewing the risk management process and its results should be an integral part of all phases of the process, with the aim of improving its effectiveness and quality.

H) Communication and consultation: should take place throughout the process on a continuous basis. It allows stakeholders to understand the basis for the decisions made and the reasons for the need for specific actions.

I) Recording and reporting: aims to communicate risk management activities and results across the organization; support interaction with those who have responsibility and accountability for risk management activities; provide information for decision-making; and improve risk management activities.

Figure 1 - Risk management process according to [1]

3. Case management and case management model and notation

Automating processes increases their efficiency. But not all processes can be automated, and so, for situations that require more flexibility, a proper approach is required in building the process, one in which flow control is not used to describe the process. Case management empowers workers by providing them with access to all information about the process and giving them autonomy and control over how a process evolves [5].

In this type of process, the main concepts are: (i) a set of unordered activities that can be performed completely to solve a business problem; (ii) activities occur in an unpredictable order; (iii) events determine the process; therefore, the resulting case may vary depending on the current event, and the activities are not linked to each other; (iv) external documents are a fundamental part of the process.

The OMG (Object Management Group) introduced CMMN [6], a notation to model and graphically express these knowledge-intensive and weakly-structured processes. CMMN can be used in addition to BPMN. CMMN uses an event-centric and case-file-centric approach, bringing new flexibility to business processes. It can specify what can happen in a process, but not how it should happen.

From this perspective, a case has two distinct phases, the design-time phase and the run-time phase. During the design-time phase the business analysts model the plan items, which are always part of the case model, and the discretionary items, which are modeled but are not immediately added to the execution plan. During the run-time phase case workers execute the plan, performing the planned items and optionally adding, at that moment, discretionary items to the execution plan of the case instance. The flow control of the case is thus exercised by the case workers, which gives them greater responsibility in the case.

The complete case behavior is modeled using the elements illustrated in Figure 2 and is captured by the case plan model:

• Stage: it can be seen as an "episode" of the case. It groups various language elements, including tasks, milestones, case file items and events.
• Task: it is a unit of work. Tasks can be divided into blocking and non-blocking human tasks, process tasks, case tasks and decision tasks.
• Discretionary element (only for tasks and stages): an element that can be added, optionally and at run time, to the

execution (entry criteria) or when a case (case plan), stage, or task should terminate abnormally (exit criteria). A criterion can have an IfPart, meaning that there is a Boolean expression which is part of the criterion and should evaluate to true for the criterion to be satisfied, or an OnPart, which indicates which standard event can satisfy the entry criterion or exit criterion.

To represent certain dependencies and associations between non-discretionary elements of the plan, CMMN uses connectors. These connectors are illustrated by a line with the "dash-dot-dot-dash" sequence.
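To make the design-time/run-time distinction and the entry criteria concrete, here is an added illustration (not code from the dissertation or from any CMMN engine): a minimal Python simulation of a case instance for the ISO 31000 activities, where each plan item may carry an OnPart (completion events it waits for) and an IfPart (a condition over the case file), and a discretionary item is only planned when the case worker decides to. The item names, the "risk appetite" threshold rule and the case-file fields are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class PlanItem:
    name: str
    on_part: Optional[list] = None                     # entry OnPart: items that must be complete
    if_part: Optional[Callable[[dict], bool]] = None   # entry IfPart: condition on the case file
    discretionary: bool = False                        # modeled at design time, planned at run time

class RiskCase:
    """Run-time phase of one case instance; an item with neither part has no sentry."""
    def __init__(self, model):
        self.plan = {i.name: i for i in model if not i.discretionary}   # execution plan
        self.discretionary = {i.name: i for i in model if i.discretionary}
        self.case_file = {}     # the case file that IfPart conditions read
        self.completed = []     # "complete" events raised so far (what OnParts listen to)
    def enabled(self):
        out = []
        for n, i in self.plan.items():
            on_ok = all(p in self.completed for p in i.on_part or [])
            if n not in self.completed and on_ok and (i.if_part is None or i.if_part(self.case_file)):
                out.append(n)
        return out
    def add_discretionary(self, name):
        # The case worker adds a discretionary item to the execution plan at run time.
        self.plan[name] = self.discretionary.pop(name)
    def complete(self, name, **case_file_updates):
        if name not in self.enabled():
            raise ValueError(f"{name!r} not enabled: entry criterion unsatisfied")
        self.case_file.update(case_file_updates)
        self.completed.append(name)

def build_risk_case():
    # Constructed model of the ISO 31000 activities; the appetite-threshold rule is assumed.
    return RiskCase([
        PlanItem("Scope, context and criteria"),
        PlanItem("Risk identification", ["Scope, context and criteria"]),
        PlanItem("Risk analysis", ["Risk identification"]),
        PlanItem("Risk evaluation", ["Risk analysis"]),
        PlanItem("Risk treatment", ["Risk evaluation"], lambda cf: cf["risk_level"] > cf["risk_appetite"]),
        PlanItem("Apply identification technique", ["Scope, context and criteria"], discretionary=True)])

def run_scenario(risk_level, use_technique):
    case = build_risk_case()
    case.complete("Scope, context and criteria", risk_appetite=3)
    if use_technique:       # the case worker's judgment, exercised at run time
        case.add_discretionary("Apply identification technique")
        case.complete("Apply identification technique")
    case.complete("Risk identification")
    case.complete("Risk analysis", risk_level=risk_level)
    case.complete("Risk evaluation")
    return case.enabled()   # "Risk treatment" only when the risk level exceeds the appetite
```

Running `run_scenario` with different risk levels shows the IfPart gating treatment, while the discretionary item is absent from the plan until the worker adds it.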