
IT-Risk, Compliance and Resilience

Project: PROMISS: Extension of Process Models for the Risk-Management Process

Project description

The goal of the PROMISS project is to develop a process called "IT risk management by design", so that IT risks are taken into account already when a business process model is designed. This is to make a continuous assessment, rating and display of a business process's IT risk possible.

In companies, value-oriented business management is becoming increasingly relevant. Such management requires that consistent profit and risk information be available across the whole company at any time. While automated business processes deliver up-to-date information about profits, no comparable data is available for IT risks. The reasons are, on the one hand, that such risks are not integrated into the business process models and, on the other, that IT risks depend on the condition of the IT infrastructure. Information technology is thus a source of risks whose economic consequences can exceed those of the other operational risks. Furthermore, IT risks grow with the degree of networking and automation of the business processes. Nevertheless, IT risks are considered neither in Service-Oriented Architectures (SOA) nor in other standardization efforts for business modelling, so that they are not adequately treated from an economic point of view.

IT risks are difficult to quantify because both the degree of networking of the IT infrastructure and the context have to be considered when evaluating damage. Starting from business processes that are designed for efficiency, value-oriented business management additionally requires IT control processes to be modelled, so that control goals can be described and the IT risk at "runtime" can be estimated and evaluated depending on the context. Extending the business process models is therefore a precondition for displaying profit and risk at any time and for an economically oriented IT risk management. To this end, the "IT risk management by design" process is developed along three research questions, each with concepts for integrating risk:
1) Process model extension: definition of a complementary control model
2) IT-risk model: information collection of IT cause-effect relationships per level
3) Measurement and display of the IT-risk situation

The resulting model is a precondition for a continuous survey, rating and display of the business processes' IT-risk situation. The weak points that the proposed "IT-risk management by design" process addresses lie at the interface between technical and economic questions: on the one hand they are the starting point for technical protection mechanisms, on the other the starting point for evaluating failures with regard to economic success. The IT-risk situation is measured by risk and protection indicators, which are visualized in the "IT-risk cockpit". The extension of the business process models is therefore necessary to display the risk situation alongside profitability and to enable an economically oriented IT-risk management.
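As an added worked illustration (not the PROMISS model or any code from the project; all component, service and activity names, failure probabilities and damage figures are constructed), the following Python script shows how cause-effect relationships collected per level (infrastructure component, IT service, process activity) can be used to estimate each activity's expected loss depending on context, how a protection mechanism such as redundancy changes that figure, and how the result could be rated as a traffic-light indicator for a cockpit display:

```python
"""Toy layered IT-risk model: infrastructure -> IT services -> process activities.

Added illustration only; this is NOT the PROMISS model. All component, service
and activity names, probabilities and damage figures are constructed.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, FrozenSet, Mapping, Set


@dataclass(frozen=True)
class RiskModel:
    # Level 1: probability that a component fails at least once in the period
    component_failure_prob: Mapping[str, float]
    # Level 2: IT service -> components it cannot run without
    service_components: Mapping[str, FrozenSet[str]]
    # Level 3: process activity -> IT services it needs
    activity_services: Mapping[str, FrozenSet[str]]
    # Damage (monetary units) when the activity is unavailable, per context
    activity_damage: Mapping[str, Mapping[str, float]]


# Constructed sample model (hypothetical names and figures).
MODEL = RiskModel(
    component_failure_prob={"db01": 0.10, "app01": 0.05, "net01": 0.02},
    service_components={
        "erp": frozenset({"db01", "app01", "net01"}),
        "crm": frozenset({"db01", "net01"}),
    },
    activity_services={
        "order-entry": frozenset({"crm"}),
        "invoicing": frozenset({"erp"}),
        "shipping": frozenset({"erp", "crm"}),
    },
    activity_damage={
        "order-entry": {"peak": 500.0, "off-peak": 100.0},
        "invoicing": {"peak": 2000.0, "off-peak": 2000.0},
        "shipping": {"peak": 1500.0, "off-peak": 300.0},
    },
)


def failed_activities(model: RiskModel, failed_components: Set[str]) -> Set[str]:
    """Propagate component failures up the cause-effect chain to activities."""
    down_services = {
        svc for svc, comps in model.service_components.items() if comps & failed_components
    }
    return {
        act for act, svcs in model.activity_services.items() if svcs & down_services
    }


def expected_loss(model: RiskModel, context: str) -> Dict[str, float]:
    """Expected loss per activity, by exact enumeration of all component states.

    Assumes component failures are independent; the dependency graph then
    decides which activities are hit in each state.
    """
    comps = sorted(model.component_failure_prob)
    loss = {act: 0.0 for act in model.activity_services}
    for state in product((False, True), repeat=len(comps)):
        prob = 1.0
        failed: Set[str] = set()
        for name, is_failed in zip(comps, state):
            q = model.component_failure_prob[name]
            prob *= q if is_failed else 1.0 - q
            if is_failed:
                failed.add(name)
        for act in failed_activities(model, failed):
            loss[act] += prob * model.activity_damage[act][context]
    return loss


def with_control(model: RiskModel, component: str, new_prob: float) -> RiskModel:
    """Model a protection mechanism (e.g. redundancy) as a reduced failure probability."""
    probs = dict(model.component_failure_prob)
    probs[component] = new_prob
    return replace(model, component_failure_prob=probs)


def rate(loss: Mapping[str, float], budget: float) -> Dict[str, str]:
    """Risk indicator for a cockpit view: traffic light against a per-activity risk budget."""
    return {
        act: "red" if value > budget else "yellow" if value > budget / 2 else "green"
        for act, value in loss.items()
    }


if __name__ == "__main__":
    for label, model in (("baseline", MODEL), ("db01 redundant", with_control(MODEL, "db01", 0.01))):
        loss = expected_loss(model, "peak")
        print(label, {a: round(v, 2) for a, v in loss.items()}, rate(loss, 200.0))
```

The point of the example is the layering: the damage is attached to the process activity and depends on the context, the failure probability is attached to the infrastructure component, and the service layer in between is what makes a single shared component (here the database) show up in several activities' risk at once. Exact enumeration is fine for a handful of components; a real model with many components would sample states instead, but the propagation step stays the same.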

Duration

1 September 2008 until 1 February 2011

Project manager

Funding

  • Deutsche Forschungsgemeinschaft (DFG)

Publications
