Title: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT
Authors: Stefan Sackmann
Published: 2008
This paper focuses on threats generated by IT and their influence on BPM, on the relevance of IT risks resulting from flexible business processes, and on the integration of cause-effect relations into the typical risk management process together with the extensions this requires.
It starts by attempting to define “IT risks” and settles on the position that “IT risks should be seen as part of operational risks measuring the unexpected losses that are determined by the frequency and amount of losses e.g. by their value at risk”. It then shows the importance of IT in today’s organizations and explains how traditional methods for risk management are challenged by the increasing flexibility of business processes and their support by IT.
“The management of risks occurring from IT in its role as flexible and continuously changing infrastructure supporting business processes requires an extension of “traditional” risk management that enables continuously changing cause-effect relations to be taken into consideration. For this purpose, the layer-based IT Risk Reference Model is proposed providing a formal approach for modeling IT risks in a structured way on the basis of their relation between cause and effect.”
Section 3 then establishes the “IT Risk Reference Model”, modeling the relations between the causes of IT risks and their effects on business processes:
Layer 4: Business Process (BP): On this layer, parts of the business process are regarded as independent components, defined as enclosed activities that use at least one IT application for their realization.
Layer 3: IT Application / IT Infrastructure (AP): Assigning protection goals to IT applications allows the economic handling of IT risks to be brought together with the more technological handling.
Layer 2: Vulnerabilities (VN): The identified vulnerabilities are interpreted as independent “components” that can be associated with at least one IT application.
Layer 1: Threats (TH): This layer includes all known threats that are seen as causes of IT risks and that, ideally, can be described with a probability of their occurrence.
Within these four layers, the relations between causes and effects can be modeled to address the needs of process-oriented IT risk management, which is done in Section 4, “MODELING CAUSE & EFFECT RELATIONS FOR IT RISKS”.
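As an added illustration of how the four layers can be chained (not code from the paper, which gives only the matrix idea), the relation between each pair of adjacent layers is written as a 0/1 matrix and composed so that a threat is traced through vulnerabilities and applications to the business process activities it can affect. All threat, vulnerability, application and activity names and the probabilities are constructed sample data.

```python
# Constructed illustration of the layer-based model: TH -> VN -> AP -> BP.
# Adjacent layers are linked by 0/1 relation matrices; composing them yields
# the cause-effect relation between threats and business process activities.
from itertools import product

THREATS = ["TH1 phishing", "TH2 power outage", "TH3 software defect"]
VULNS   = ["VN1 weak authentication", "VN2 no UPS", "VN3 unpatched component"]
APPS    = ["AP1 ERP", "AP2 web shop"]
ACTS    = ["BP1 order entry", "BP2 invoicing", "BP3 shipping"]

# Relation matrices (rows = lower layer, columns = next layer up). Sample data.
TH_VN = [[1, 0, 0],
         [0, 1, 0],
         [0, 0, 1]]
VN_AP = [[1, 1],
         [1, 0],
         [0, 1]]
AP_BP = [[1, 1, 0],
         [1, 0, 1]]

# Occurrence probability per threat and period (constructed; layer 1 asks for these).
P_THREAT = {"TH1 phishing": 0.30, "TH2 power outage": 0.05, "TH3 software defect": 0.20}

def bool_matmul(a, b):
    """Boolean matrix product: 1 where some k links a[i][k] and b[k][j]."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def threat_to_activity():
    """Compose the three layer relations into a direct TH -> BP exposure matrix."""
    return bool_matmul(bool_matmul(TH_VN, VN_AP), AP_BP)

def exposed_threats(activity):
    """Threats that can affect one activity, with their occurrence probability."""
    j = ACTS.index(activity)
    m = threat_to_activity()
    return {t: P_THREAT[t] for i, t in enumerate(THREATS) if m[i][j]}

def cause_effect_paths(threat, activity):
    """Every TH -> VN -> AP -> BP chain that links a threat to an activity."""
    i, j = THREATS.index(threat), ACTS.index(activity)
    return [(threat, VULNS[v], APPS[a], activity)
            for v, a in product(range(len(VULNS)), range(len(APPS)))
            if TH_VN[i][v] and VN_AP[v][a] and AP_BP[a][j]]

if __name__ == "__main__":
    for act in ACTS:
        print(act, "->", exposed_threats(act))
```

Changing one entry in a relation matrix (a patched component, a newly added application) re-derives the whole threat-to-activity picture, which is the continuously changing cause-effect relation the paper wants the model to capture.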
Section 5 then discusses extensions to the typical risk management process: risk identification, risk quantification, risk treatment, and risk control.
This paper showed that the relations between the threats to IT (causes) and their implications for business process activities (effects) have to be modeled in a standardized and formal way. The IT Risk Reference Model proposed in this contribution reduces the complexity of the modeling challenge by defining four layers. It serves as a framework that models the interdependent layers in the form of matrices and allows a formal description of the interdependencies between the separated layers according to a company’s requirements.