OPERATIONAL IT RISK MANAGEMENT: COMBINING DECISION ANALYSIS AND BUSINESS PROCESS MODELLING
Operational risks have become more prominent than ever before, and recent events such as hacker attacks on the French and Dutch banking systems, or disruptions in the aftermath of natural disasters such as Sandy, have highlighted the need for better IT risk management. Typically, little historical data on such events is available within organizations, if any at all. Therefore, new approaches need to be developed for Operational Risk Management (ORM) that are rooted in the organization and based on its workflows and aims.
To ensure compliance with and use of the risk management approaches, integrating ORM into day-to-day operative business processes is essential. Therefore, this paper focuses on a model assessing the impact of operational risks on business processes and activities. It develops a Petri-net model to derive valid data describing the severity of an identified operational risk even when no comprehensive statistical database is available. To relate the work to the organizational aims at each hierarchical level, the Analytic Hierarchy Process (AHP) is used to provide a structured means of evaluating risk.
An example from the finance sector illustrates the theoretical model, which was developed together with users and developers from SAP Research.