Nowadays, the organic nature of business processes and the increasingly complex and dynamic business environment make organizations face severe operational risks. However, current risk analysis methods of Information Technology (IT) resources ignore inter-process correlation and thus inter-process risk propagation. This gap needs a solution since the rigid alignment of organizations cause the risks which propagate throughout the whole organization to be the most serious operational risks. This paper presents a holistic approach for quantifying risk propagation in business processes based on the risk analysis of their underlying IT and human resources. This approach adapts financial techniques to quantify the level of risk that average and severe events on IT resources generate on individual business processes, and to quantify the risk propagation impact among dependent processes. This approach was applied to an enterprise modeling case study to quantify risk propagation for different risk epicenter scenarios. The results show that the proposed approach is capable of finding and quantifying both direct and indirect dependencies among operational assets within an organization. A high level of accuracy was observed when comparing the actual value of the process risk and the projected value considering risk propagation.
González-Rojas, Oscar; Castro, Nicolás; and Lesmes Alvarado, Sebastián
"Quantifying Risk Propagation Within a Network of Business Processes and IT Services,"
Business & Information Systems Engineering:
Vol. 63: Iss. 2, 129-143.
Available at: https://aisel.aisnet.org/bise/vol63/iss2/5