
This is the final article in our three-part series about process risk simulation. The previous article described how the amount of financial damages from risk occurrence can be determined with simulation. This article demonstrates how controls can be used to counter risks, either by preventing them or by mitigating their effects. Since controls usually come at a cost, it also provides some information about how to decide whether introducing a control is worthwhile.

Controls are artifacts or procedures which reduce the probability of risk occurrence (preventive controls) or reduce the damages resulting from a risk occurrence (detective controls).

The following figure shows how controls appear in an event-driven process chain (EPC). This is the same example which was used in the previous article except that the two controls have been added. They appear as pale red triangles and are connected to the functions where they are supposed to be carried out as well as to the risks they affect. The connection to the risks is done in so-called business control diagrams which are not shown in the figure. Traits of controls like the control effectiveness or the strength of effects on risk occurrence or damages are specified in attributes which are also not displayed in the diagram.

Figure: Credit transfer process with risk and control objects

In order to counter the risk of a data transfer error an additional check of the transferred data has been introduced. The risk of a system failure is countered by the provision of a backup system. The former control has been modeled as a detective one and the latter as a preventive one.

With all relevant settings in place, the model is simulated with ARIS Business Simulator. A screenshot of the paused simulation run can be seen in the following figure.

Figure: Simulation with ARIS Business Simulator

The goal of the analysis is to decide if it is sensible to introduce controls for the risks in the process. In the example there is no regulatory or contractual need for them so it suffices to look at the monetary consequences. The idea is to compare the loss reduction a control achieves with the cost it causes. If the loss reduction is higher than the cost, then the control should be implemented. (Such a decision depends on other factors as well, but for the sake of simplicity those are neglected in the example.)

Information about the loss reduction can be found in the cumulative risk statistics and the cumulative function statistics.

The cumulative risk statistics contain information per risk and were already used for analysis in the previous article. The newly acquired data is shown in the following table. It exhibits high amounts of prevented and reduced damages compared to the losses which actually occurred. These results already look quite positive.

| Risk | Data transfer error | System failure |
| --- | --- | --- |
| Number of occurrences | 4,308 | 4 |
| Number of prevented occurrences | 0 | 46 |
| Number of detected occurrences | 4,092 | 0 |
| Accumulated amount of damages | 4,218.82 | 40,659.62 |
| Accumulated amount of prevented damages | 0.00 | 463,933.53 |
| Accumulated amount of damage reduction | 81,898.83 | 0.00 |

Table: Cumulative risk statistics (shortened)

However, regarding the question about the net effect of the introduced controls the cumulative function statistics have more interesting information to offer because they provide data per control. An excerpt of the statistics is contained in the following table.

| Control | Double check | Backup system |
| --- | --- | --- |
| Process folders processed | 43,199 | 43,199 |
| Number of effective controls | 41,013 | 38,884 |
| Number of successful effective controls | 4,092 | 46 |
| Accumulated amount of prevented damages | 0.00 | 463,933.53 |
| Accumulated amount of unprevented damages | 0.00 | 40,659.62 |
| Accumulated amount of damage reduction | 81,898.83 | 0.00 |
| Accumulated amount of failed damage reduction | 4,218.82 | 0.00 |

Table: Cumulative function statistics (shortened)

The interesting pieces of information for the analysis goal are the amount of damage reduction by the double check control and the amount of prevented damages by the backup system control. These have to be compared with the costs of the controls which can be found in the function cost statistics (not shown here). The respective values are given in the following calculations. The results are the net effects which can be achieved with the introduction of the controls.

| Control | Data transfer error | System failure |
| --- | --- | --- |
| Savings | 81,898.83 | 463,933.53 |
| Cost | − 8,639.80 | − 17,279.60 |
| Net effect | 73,259.03 | 446,653.93 |

In both cases the amount of savings due to damage reduction or prevention is higher than the cost for the control, i.e. both controls should be implemented from a monetary point of view.
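The comparison of savings and cost can be reproduced outside the simulator as a small Monte Carlo run. This is an added example, not part of the original article and not ARIS Business Simulator code. The names `Control`, `simulate` and `payoff_probability` are hypothetical, the parameters are assumptions rounded from the ratios in the tables above, and exponentially distributed damages are an assumption as well.

```python
import random
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    preventive: bool      # True: stops the occurrence; False: detective, reduces damage
    risk_prob: float      # chance per process folder that the risk event arises
    mean_damage: float    # mean damage of one uncountered occurrence
    effectiveness: float  # chance the control works when the event arises
    cost_per_run: float   # cost of carrying out the control once
    reduction: float = 1.0  # share of damage a detective control removes

def simulate(ctrl, folders, rng):
    """One simulation run: damages suffered, savings, control cost, net effect."""
    suffered = savings = 0.0
    events = countered = 0
    for _ in range(folders):
        if rng.random() >= ctrl.risk_prob:
            continue                      # no risk event for this folder
        events += 1
        damage = rng.expovariate(1.0 / ctrl.mean_damage)  # assumed distribution
        if rng.random() < ctrl.effectiveness:
            countered += 1
            saved = damage if ctrl.preventive else damage * ctrl.reduction
        else:
            saved = 0.0
        savings += saved
        suffered += damage - saved
    cost = folders * ctrl.cost_per_run    # the control runs for every folder
    return {"events": events, "countered": countered, "suffered": suffered,
            "savings": savings, "cost": cost, "net": savings - cost}

def payoff_probability(ctrl, folders, runs, seed=1):
    """Share of independent runs in which savings exceed the control's cost."""
    rng = random.Random(seed)
    return sum(simulate(ctrl, folders, rng)["net"] > 0 for _ in range(runs)) / runs

# Constructed parameters, rounded from the ratios in the tables above.
FOLDERS = 43_199
DOUBLE_CHECK = Control("Double check", False, 0.1, 20.0, 0.95, 0.2)
BACKUP_SYSTEM = Control("Backup system", True, 50 / FOLDERS, 10_000.0, 0.9, 0.4)

if __name__ == "__main__":
    for c in (DOUBLE_CHECK, BACKUP_SYSTEM):
        r = simulate(c, FOLDERS, random.Random(1))
        print(f"{c.name}: savings {r['savings']:,.2f} cost {r['cost']:,.2f} "
              f"net {r['net']:,.2f} pays off in "
              f"{payoff_probability(c, FOLDERS, 20):.0%} of runs")
```

Lowering `risk_prob` or raising `cost_per_run` shows where a control stops paying for itself, which matters most for rare, high-damage risks where a run contains only a handful of events.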

The above analysis is mostly focused on the monetary aspects of risks and controls. This does not mean that the capabilities of process simulation end here. A model to be analyzed could cover aspects of times and resources as well, e.g. by defining follow-up activities which are to be carried out once a risk is detected. Such activities can temporarily influence the process performance. In such a case it can be interesting to track the performance over time and how the system recovers from the occurrence of a risk event. This is where simulation really shines and has a clear advantage over a calculation which can hardly provide information about the dynamic behavior of a process. There are other details of process risk simulation which were not covered in this series of articles but hopefully it still gave you some insight into what process risk simulation is about and what can be done with it.

In case you found the articles about process risk simulation interesting and want all the content in a single document, you can download a white paper from the GRC Lounge. The white paper contains roughly the same information as the articles but is more verbose in its explanations.

by Stephan Lüderitz
Posted on Wed, 06/22/2011 - 14:29

Hello Mr. Angeli,

Apart from the analysis, I have two questions.

In my experience the control is implemented by the following function, since the control activity is actually a part of a Workflow (in most of the cases). Why do you connect the control to the function in which the risk occurs, and why isn't it a function in the process?

Thanks for your answer in advance

by Jochen König
Posted on Mon, 06/27/2011 - 08:26

Dear Mr. Lüderitz,

As always, the best practice will depend on your particular process and intention. The example given in the original post's screenshot illustrates two frequent scenarios. The "Double check" control could be part of the process flow as you suggest. However, the "Backup system" control one step further is not really part of the principal process flow but really an independent security measure. In any case, modeling the controls outside the process flow increases the focus on value-adding process designs. Furthermore, often controls will be inserted following risk assessment of the 'as is' process. Modelling controls as suggested in the post maintains the motivation for a particular control also for subsequent re-assessments.

Best regards,

Jochen

by Ralf Angeli Author
Posted on Mon, 06/27/2011 - 11:58

Besides the reasons given by Jochen regarding the nature of some controls and their role in process designs, there are also technical reasons to discourage modeling controls as part of the process flow. These apply if you intend to use the process models in ARIS Risk & Compliance Manager (ARCM). If you keep the controls out of the process flow, then you can achieve a clear separation between controls and process functions. This makes it easier to work with the respective objects in ARCM.

But as Jochen noted, it is also possible to use controls as part of the process flow and e.g. ARIS Business Simulator supports this kind of usage.

So how exactly you want to model controls depends to some extent on your particular situation and requirements.

(As a side note: The model in the article actually contains a mixture of the modeling approaches which should be used in conjunction with ARCM: risk-based and control-based modeling. In case of the former only risks are modeled in the process models and in case of the latter only controls. For the article these two approaches were mixed in order to reduce the complexity of the example.)

by Subash A
Posted on Tue, 11/07/2017 - 13:36

Hi Community,

Do we have the capability to simulate risks and controls for BPMN diagrams? I have activated risk (cumulative and detailed statistics), but it looks like they are available only for EPCs.

I have used an Enterprise BPMN collaboration diagram for my process.

Thanks,

Subash
