Business Process Risk management – Integrated Method

Keywords: Business Process Management, Risk Management

Affiliation: ISITCom Tunisia - INP Toulouse


A. BPRIM Approach

The BPRIM approach offers a complete conceptual methodological framework. It consists in the BPRIM lifecycle, the BPRIM conceptual models and the BPRIM modelling language.

  1. BPRIM Lifecycle

The BPRIM lifecycle is the process integrating risk management concept into the business process design. Indeed, it focuses on risk driven business process design. As shown in figure 2, it consists of the following four phases:

  • Contextualization: In this phase, the process models are defined. The information, organization, resource and functional aspects of the process models will allow establishing the context of risk.
  • Assessment: In this phase, first, risks are identified. Then processes are analysed. Qualitative and quantitative evaluation of risks is subsequently launched. The process models must be enriched with risks models.
  • Treatment: Based on information from the previous phase, this phase defines a set of treatment options, and then triggers a new iteration of the assessment phase in order to understand their possible effects. This phase can lead to a reframing that would imply the implementation of treatment actions by adjusting models or defining alternatives.
  • Monitoring: It is a control phase, which provides guidance for refinement of the models or the transition to the implementation phase.
  1. BPRIM conceptual models

In the context of risk-aware business process modelling, the links between the concepts of business process and risk are insufficient. The BPRIM conceptual models offers a conceptual unification of risks and processes into a common meta-model in order to fill this missing link. The latter is based on the standard ISO 19440 and it is compatible with the standard ISO 31000. Figure 1 illustrates an excerpt of the meta-model showing the relationship between the concepts of risks and business processes.


                                                                  Fig. 1. Excerpt of the risk-aware business process meta-model

  1. BPRIM Language

The BPRIM language is a common graphical modelling language of business processes and risks. It based on the extension of the EPC language. This language is designed to support the BPRIM lifecycle and must enable to extend the process models with risk models. The BPRIM language offers: an abstract syntax and a concrete syntax. The abstract syntax is represented by the meta-model of figure 1. This syntax constitutes the grammar of the BPRIM language, with a set of predefined to apply. In the following, we present the notation that defines the graphical representation of the BPRIM language.

BPRIM Constructs

  • Risk factor: Concept representing a set of conditions that promote the triggering of a risk event or influence the perception of the consequence of the risk. The symbol is similar to a CPE object. (a)
  • Risk situation: Concept that represents a feared situation resulting from a risk event. (b)
  • Value: Concept that simultaneously represents a value and the value object. The symbol is similar to a product / service in the ARIS method. (c)
  • Risk: Concept representing risk. The symbol is similar to a CPE event that has been marked for meter highlighting its hazard characterization. (d)
  • Control: Concept representing an action implemented in order to influence the risk level. The symbol is similar to two functions in the ARIS method. (e)
  • Risk Class: Concept that represents a class in which one can list risks according to given properties. (f)
  • Risk Indicator: Concept that represents a risk indicator whose variation reflects the increase in the occurrence probability of a risk event. The symbol is similar to an object of the ARIS method that has been marked to meter highlighting its link to risk. (g)
  • Risk Event: Concept that represents a risk event. It represents an occurrence of a particular set of circumstances causing a transition to a feared situation. The symbol represents the CPE event. (h)
  • Stakeholder: Concept representing a stakeholder. It represents a person, group or organization affected by the risk. The symbol is similar to an organizational unit CPE. Since a stakeholder is more than an organizational unit, we will not keep the same symbol. (i)
  • Logical operators. (j)
  • Influence: Relation that represents the influence of a risk factor on a risk event. It is also an inter-event influence relation. (k)
  • Classification: Relation that represents the belonging of the risk to a risk class. The direction indicates the risk class.(i)
  • Aggregation: Relation representing an aggregation between risks. It is a parameterized relation, which can be customized by defining an aggregation criterion. (m)
  • Generalisation: Relation that represents the risk generalization. The direction indicates the general risk. (n)
  • Causality: Relation between an event and a risk situation. (o)
  • Impact: Relation between risk situation and asset. (p)
  • General association: Relation between concepts. (q)
  • Directed association: Relation between risk and process concepts (process, activity, and object). The direction indicates the target component. (r)
  • Interest: Relation between a stakeholder and an asset. (s)
  • Treatment: Relation between risk and risk treatment measure. (t)


In figure 2, a detailed overview of the BPRIM approach is summarized using a mapping between BPRIM diagrams and BPRIM lifecycle.


                                                                    Fig. 2. Mapping between BPRIM diagrams and BRIM lifecycle

B. Tool Overview

The starting screen of the tool is the following.


In order to create a new model click on the document icon of the toolkit.


Then, choose the phase of the BPRIM lifecycle, select the model that you want to create (for example the model corresponding to the risk analysis diagram), insert the model name and choose the model group.


The user interface is following shown.

Once the model is built, three steps are necessary to evaluate it:

1. Check the validity of the constructed model. To do that, click on the "Check" button.


2. Analyze the constructed model. To do that, initial parameters of the model (risk factors or risk events) must be introduced. To do that, double-click on initial constructs of the diagram (risk factor or risk event) and select the corresponding parameters. For Risk Factors, it is necessary to select their intensities and for risk events it is necessary to introduce their likelihoods. Once the initial parameters are introduced, click on the "Analyze" button to analyze the built model.



3. Evaluate the analyzed model. To do that, double click on the risk situation, select its severity and click on the "Evaluate" button. It should be noted that constructs parameters are specific for health field and more specifically for the Medication Use System.