=Paper= {{Paper |id=Vol-3188/short2 |storemode=property |title=Risk Assessment Information System of Enterprise Business Processes (short paper) |pdfUrl=https://ceur-ws.org/Vol-3188/short2.pdf |volume=Vol-3188 |authors=Eleonora Tereshchenko,Olga Sosnovska,Natalya Ushenko,Viktoriya Andryeyeva,Mariia Kovalova |dblpUrl=https://dblp.org/rec/conf/cpits/TereshchenkoSUA21 }} ==Risk Assessment Information System of Enterprise Business Processes (short paper)== https://ceur-ws.org/Vol-3188/short2.pdf
Risk Assessment Information System of Enterprise Business
Processes
Eleonora Tereshchenko¹, Olga Sosnovska², Natalya Ushenko², Viktoriya Andryeyeva²,
and Mariia Kovalova¹
¹ Kyiv National University of Trade and Economics, 19 Kyoto str., Kyiv, 02156, Ukraine
² Borys Grinchenko Kyiv University, 18/2 Bulvarno-Kudriavska str., Kyiv, 04053, Ukraine

                 Abstract
                 The paper substantiates the feasibility of forming and implementing a comprehensive
                 information system for assessing the risks of business processes at the enterprise. The
                 information system for assessing the risks of business processes of the enterprise, which is
                 proposed here, is based on the convergence of the systemic approach, the concept of risk
                 management, the process approach to the management of the enterprise. Implementation
                 of this information system will ensure permanent identification of risks of business
                 processes, their assessment and create opportunities to resist risks when making
                 managerial decisions. It has been proven that the information system for assessing the risks
                 of business processes is the most important part of risk management, thanks to which it is
                 possible to timely and fully determine the values of the indicators that are tracked. In
                 addition, this system allows you to trace the trends in the development of business
                 processes in the short term, and, as a result, take timely managerial corrective actions
                 aimed at achieving the strategic goals.

                 Keywords
                 Information system, risk management, business processes, risk assessment criteria,
                 ranking of business processes.

1. Introduction

    Within the framework of economic science, the assessment of risks of business processes is most
often associated with the division and function of risk management, since the main contribution to these
studies was made by the founders of managerial science. Effective management of business processes
of the enterprise involves accuracy, reliability and efficiency of information; this allows you to form a
system of permanent identification, assessment and formation of opportunities to resist risks when
making managerial decisions; this is very important because a mistake in the decision taken can lead to
large losses and a decrease in the rating of the enterprise. That is why the formation of an information
management system for assessing the risks of an enterprise is one of the keys to improving the efficiency
of its business processes [1]. In this regard, we consider it advisable to justify the formation and
implementation of a comprehensive information system for assessing the risks of business processes at
enterprises, which will ensure the qualitative implementation of a process approach that is focused on
the system management of interconnected processes and resources [2–4].




CPITS-II-2021: Cybersecurity Providing in Information and Telecommunication Systems, October 26, 2021, Kyiv, Ukraine
EMAIL: e.tereshchenko@knute.edu.ua (E. Tereshchenko); o.sosnovska@kubg.edu.ua (O. Sosnovska); n.ushenko@kubg.edu.ua
(N. Ushenko); v.andryeyeva@knute.edu.ua (V. Andryeyeva); kovalova1503@gmail.com (M. Kovalova)
ORCID: 0000-0003-2272-5224 (E. Tereshchenko); 0000-0002-2177-0691 (O. Sosnovska); 0000-0002-3158-4497 (N. Ushenko); 0000-0002-
9529-0543 (V. Andryeyeva); 0000-0002-6890-4853 (M. Kovalova)
              ©️ 2022 Copyright for this paper by its authors.
              Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
              CEUR Workshop Proceedings (CEUR-WS.org)



2. Analysis of Recent Research

    Transformational changes in the modern economy are characterized by a tangible influence on
business development from the information systems of enterprises. The relevance of the research of this
issue is due to the fact that the formation of an information system for assessing the risks of business
processes of the enterprise, which is based on the convergence of a systemic approach, the concept of
risk management and process approach to enterprise management, determines the level of efficiency of
business structures.
    Mayer, N., Aubert, J., Grandry, E., Feltus, C., Goettelmann, E., and Wieringa determined that the
efficiency of assessment of risks of business processes of the enterprise is aimed at their optimization
[5].
    Lei, Y. considered business process optimization as a set of actions taken and implemented by the
business process owner to maximize by minimizing risk costs [6,7].
    Zhang Y. focuses on the fact that optimization of business processes should take into account the
criterion that characterizes the balance between the cost of managing risks and losses from their possible
implementation [9].
    Therefore, objectively necessary is the implementation of the information system of risk assessment
at enterprises, which is adapted to the specifics of their business processes.
    Alter, S. focused on the fact that the information system is a working system, the processes and
activities of which are devoted to the processing of information, that is, the accumulation, transfer,
storage, extraction, manipulation and display of information [6].
    At the same time, according to researchers (Shenglan Ma, Hao Wang, Hong-Ning Dai), the main
goal of implementing a system of information risk assessment in business process management is to
identify and reduce risks to an acceptable level [10].
    The purpose of the research is to substantiate the theoretical and methodological bases of the
formation of an information system for assessing the risks of business processes of the enterprise, based
on the convergence of a systemic approach, the concept of risk management, and the process approach
to the management of the enterprise's activities. Implementation of this goal will ensure permanent
identification of risks of business processes, their assessment and create opportunities to resist risks
when making managerial decisions.

3. Research Results

    Analyzing the effectiveness of the risk management system of business processes in enterprises, it
should be noted that to ensure their sustainable development, especially in the conditions of modern
transformational challenges, it is necessary to constantly identify risks, assess actions to minimize them
and the ability to withstand these risks.
    As a rule, the above procedures are required when the company has a number of minor negative
symptoms, diagnosing the causes of which is quite difficult. Such symptoms can occur due to the
gradual accumulation of changes or may result from cardinal management decisions (for example,
extending or reducing directions of activity).
    The business process of the enterprise should be understood as a system-closed process that
permeates all the functional structures of the enterprise, has entrance and exit, and also includes an
interconnected sequence of stages of the enterprise, the purpose of which will be to make a profit.
    Process management should be systematic, cover all components in space, in time and in interaction
with the external environment, otherwise the company will be in a state of dismanagement. System
management involves the consideration of the composition, relationships and features of the system
structure of any management object. In this case, this will eliminate the existing shortcomings and
establish the work of each site and unit at the enterprise. In modern conditions, a fairly large number of
enterprises are forced to resort to optimization, which is carried out under the conditions of risk
consideration; this process is quite costly and time-consuming.
    When assessing the risks of business processes, it is first necessary to analyze each part of the
business process carried out by a particular executor, that is, the procedure. It is also necessary to check:
what results the correct execution leads to; what data or materials the executor receives as a result; what
he does with them; how optimal his actions are; the working time; the duration of the procedure.
    Assessment of the risks of business processes is carried out in order to find the optimal state, its
result should be the identification of deficiencies in the process or in the group of processes. If the
enterprise uses the optimal technological path, then, first of all, it is necessary to identify all the main
shortcomings of the business process regarding the approval of the parameters. These parameters are
then compared to the optimal criteria, and only after that, solutions are formed to eliminate the identified
shortcomings.
    Further, the optimization process involves the development of proposals to correct the identified
shortcomings. It is necessary to rebuild the process model taking into account these proposals, review
the persons of performers and their actions, and most importantly - to improve the means of work.
Improving the means of work means improving the forms of fixation, storage and primary processing
of data used during a specific procedure. At the end of the optimization process, it is also necessary to
analyze all the problems that may arise during optimization in other areas of the process, including
possible resistance of employees. As a rule, it is not necessary to analyze those processes that already
exist in the company. Modern specialists can always offer new business processes to various companies.
    However, there are difficult situations when it is almost impossible to determine which business
processes are necessary, for example, a completely new kind of business, enterprise with a large number
of complex interactions between departments, need to improve the efficiency of work. It is possible to
optimize the work only by a detailed analysis of the risks of existing business processes.
    At the same time, you should highlight a number of criteria that you need to focus on when assessing
the risks of business processes:
    1. Integral and organic assessment of the risks of upper-level business processes.
    2. Prioritization in assessing the risks of business processes to achieve strategic goals. Business
processes that do not affect the main activity are elaborated last or are not elaborated at all.
    3. The degree of risk assessment detail should meet the needs. The main criterion in this case is
simple: further detail is not required if a clear separation of duties between employees is achieved and
the basic principles of execution of operations are established.
    4. Determination of basic parameters of assessment of risks of business processes at the design stage.
Most often, after completing the design of the risk management system, there is a need for optimization,
in which the existence of the basic parameters of the business process becomes necessary.
    5. The importance of assessing the risks of a particular business process. It allows you to understand
what processes should be designed in the first place, as well as to determine the processes, the design
of which can be postponed somewhat.
    6. Distribution of zones of responsibility at the enterprise.
    7. Readiness for the fact that the employees of the enterprise will resist and disagree with
everything that begins to destroy the already formed system of relations in
various ways [10].
    The result of successful modeling should be a suitable process description of the business.
Evaluation, like modeling, can be carried out at different levels: from abstract understanding of gaps in
block circuits to detailed description of all low-level processes. Assessment should create value for the
business, so it is always worth determining its framework and depth, based on the task. When
determining the most promising business processes, it is necessary to rank them according to the degree
of priority. Most often, the criteria are:
   •      The importance of assessing the risk of a particular business process, which is determined by
    the proportion of the contribution of a particular process to achieving the key goals of the organization.
    For example: how will the optimization of the invoice design process affect the key indicators of
    efficiency in increasing profits; is it necessary to improve this process; are there processes whose
    optimization will give a greater effect?
   •      The difficulty of assessing the risk of the business process, that is, the gap between the
    actual level of risk and the planned one. Depending on the criteria developed for evaluating the
    result, the difficulty can be expressed in percentages, monetary units, points, etc.
   •      The possibility of implementation of changes, which is estimated in the cost of resources to
    perform work on improving the efficiency of assessing the risks of business processes.
    The developed criteria for risk assessment and the list of business processes are conveniently
formatted in the form of a matrix with an evaluation system (Table 1).
   Each process is evaluated in points from 1 to 5, where: 1 is minimum and 5 is maximum score.
Points are awarded by expert method. There are several approaches to the implementation of this
procedure. The method of budget allocation allows experts to give assessments according to the
established criteria. The hierarchy analysis method is often used; it involves a pairwise comparison of
processes by certain factors [11].

Table 1
Example of business process risk assessment matrix

Process             Importance of risk assessment   Problem of risk assessment   Possibility of implementation of changes   Summary
Business process 1  5                               2                            3                                          10
Business process 2  4                               4                            3                                          11
...                 ...                             ...                          ...                                        ...
Business process n  4                               3                            5                                          12

    The sum of the points will determine the sequence of their optimization, based on the expected
effect. Using such a matrix will greatly simplify the risk assessment procedure and make it possible to
determine the presence of problems in business processes.
    It is advisable to consider the business process risk assessment efficiency model, taking into account
the importance of each process and the percentage of optimization. Suppose that there are n business
processes in the enterprise, for each of which it is possible to determine its significance by means of.
The importance of each process is determined on a scale: the higher the coefficient, the greater the
importance of the business process.
    The evaluation step for the weight coefficients can be chosen as small as possible, which allows you
to change any estimates using scaling. If n is the number of business processes and a is the number of
business processes for optimization, then (n – a) is the number of business processes that are not
subject to optimization. Then the calculation formula for evaluating the efficiency of business process
optimization can be presented in the form of (1):
$$E_f = \frac{\sum_{i=1}^{n} p_i}{\frac{1}{n}\sum_{i=1}^{a} p_i + \sum_{j=1}^{n-a} p_j}, \qquad (1)$$
where 𝑝𝑖 are the weight coefficients of the processes for optimization and 𝑝𝑗 are the weight coefficients
of the processes that are not subject to optimization. Fig. 1 shows the dependence of optimization
efficiency on the total number of equivalent business processes calculated by formula (1).

[Plot: optimization efficiency Ef (vertical axis, 0 to 140) against the total number of business processes n (horizontal axis, 10 to 40)]

Figure 1: Dependence of optimization efficiency on the total number of equivalent business processes




    With the equivalence of processes, all weight coefficients are considered equal.
    If you optimize all business processes, then with the increase in the number of business processes
there is a linear increase in efficiency. If the proportion of equivalent processes for optimization is
75%, then increasing the total number of processes to 10 ensures an increase in efficiency more than 2
times. If the proportion of equivalent processes for optimization is 95%, then increasing the total
number of processes to 20 ensures an increase in efficiency by 10 times. Nonlinear graphs of
optimization efficiency versus the total number of business processes are obtained when the value of
the optimized processes is twice as high as that of the non-optimized processes.
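The ranking by Table 1 and formula (1) can be worked through together. The following is an added example, not code from the paper: the function names are hypothetical, formula (1) is read as the sum of all weights divided by (1/n) times the sum of the optimized weights plus the sum of the non-optimized weights, and using the "Importance" column as the weight coefficient is an assumption.

```python
from fractions import Fraction

# Constructed sample: the three visible rows of Table 1 as
# (importance, problem, possibility of implementing changes), each scored 1-5.
TABLE_1 = {
    "Business process 1": (5, 2, 3),
    "Business process 2": (4, 4, 3),
    "Business process n": (4, 3, 5),
}


def rank_processes(matrix):
    """Return process names ordered by descending score sum (ties by name)."""
    for name, scores in matrix.items():
        if len(scores) != 3 or any(s not in range(1, 6) for s in scores):
            raise ValueError(f"{name}: expected three integer scores from 1 to 5")
    return sorted(matrix, key=lambda name: (-sum(matrix[name]), name))


def efficiency(optimized, untouched):
    """Formula (1) as read here: sum of all weights divided by
    (1/n) * sum(optimized weights) + sum(untouched weights)."""
    w_opt = [Fraction(p) for p in optimized]
    w_rest = [Fraction(p) for p in untouched]
    n = len(w_opt) + len(w_rest)
    if n == 0:
        raise ValueError("at least one business process is required")
    if any(p <= 0 for p in w_opt + w_rest):
        raise ValueError("weight coefficients must be positive")
    sum_opt = sum(w_opt, Fraction(0))
    sum_rest = sum(w_rest, Fraction(0))
    # Positive weights and n >= 1 guarantee a non-zero denominator.
    return (sum_opt + sum_rest) / (sum_opt / n + sum_rest)


def efficiency_of_plan(matrix, a):
    """Optimize the a top-ranked processes and evaluate formula (1).

    Assumption of this example: the weight coefficient of a process is its
    "Importance" score (first column of the matrix).
    """
    if not 0 <= a <= len(matrix):
        raise ValueError("a must be between 0 and the number of processes")
    order = rank_processes(matrix)
    importance = [matrix[name][0] for name in order]
    return efficiency(importance[:a], importance[a:])


if __name__ == "__main__":
    print("optimization order:", rank_processes(TABLE_1))
    # Equivalent processes (all weights equal), n = 20.
    for a in (0, 15, 19, 20):
        ef = efficiency([1] * a, [1] * (20 - a))
        print(f"n=20 a={a:2d} Ef={float(ef):.3f}")
    # Optimized processes weighted twice as high as the others.
    print("weights 2:1, n=10, a=5:", float(efficiency([2] * 5, [1] * 5)))
    print("Table 1, top 2 optimized:", float(efficiency_of_plan(TABLE_1, 2)))
```

With equal weights the result is 1 when nothing is optimized, n when everything is, and about 10.26 for 19 of 20 processes, which matches the tenfold figure quoted above for a 95% share.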
    Thus, business process risk assessment matrices should ensure: reducing costs, reducing data
collection and analysis time, reducing the number of defects during the implementation of business
processes. It should be noted that any change should be justified and pursue certain goals, otherwise the
risk of ineffective changes (improvements) that cause additional costs increases significantly.
    The basis for assessing the risks of the enterprise's business processes is its information system,
which, in accordance with the target requirements, is an interconnected set of data on technical and
software; personnel; interactive procedures intended for the collection, processing, distribution, storage,
provision of information (Fig. 2).


[Block diagram: Information system for risk assessment of business processes of the enterprise. Block labels: regulatory support, program support, technological support, mathematical support, technical support, linguistic support; information technologies (acquisition and recording of data according to each business process, preparation of input data, data transfer, data processing system, establishment of a databank, generation of performance information); business process management apparatus; information flows (intra-system and information links); enterprise business process system.]

Figure 2: Information system for assessment of risks of business processes of the enterprise


    The quality of risk assessment of business processes is determined by the reliability and efficiency
of information system. Reliability is the ability of the information system to store for a certain time the
values of all parameters, which characterize the ability of the system to perform the functions assigned
to it in a given mode, within the established limits. At the same time, the information system
will be reliable only when it is characterized by reliability and durability. The level of reliability of the
information system of risk assessment of business processes of the enterprise also depends on:
    • Composition and level of reliability of technical means, their interaction and reliability of the
structure.
    • Composition and level of software reliability, their capabilities and interaction in the structure of
information system software.
    • Rational distribution of tasks between technical means, software and personnel serving this
system.
    • Modes, parameters and organizational forms of operation of a set of technical means.

4. Conclusion

    The effectiveness of the information system for assessing the risks of business processes of an
enterprise is determined by comparing the results obtained with the costs of all types of resources
necessary for the development of this system. The information system, like any other system operating
within the enterprise, has its own structure.
    The structure of the enterprise's business process risk assessment information system determines its
functions: data collection and registration; preparation of information arrays; processing, accumulation
and storage of data; formation of effective information; transfer of data from sources to place of
processing and further to consumers of information for making managerial decisions; protection of
information.
    During the performance of all the above functions, information protection is provided, the essence
of which is preservation and confidentiality, that is, effective information is not subject to disclosure and
is intended for specific users. The most reliable mechanisms for protecting information are
cryptographic methods: encryption, message authentication and electronic recording.
    Thus, the information system for assessing the risks of business processes is the most important part
of risk management, thanks to which it is possible to timely and fully determine the values of the tracked
indicators, as well as the tendencies of their development in the near future in order to carry out timely
managerial corrective actions aimed at achieving the set strategic goals.

5. References

[1] Shevchenko, H., et al., Information security risk analysis SWOT, in: Workshop on Cybersecurity
    Providing in Information and Telecommunication Systems, CPITS, vol. 2923, 309–317, 2021.
[2] V. Buriachok, V. Sokolov, P. Skladannyi, Security rating metrics for distributed wireless systems,
    in: Workshop of the 8th International Conference on "Mathematics. Information Technologies.
    Education": Modern Machine Learning Technologies and Data Science (MoMLeT and DS), vol.
    2386, 222–233, 2019.
[3] Berestov, D., et al., Analysis of features and prospects of application of dynamic iterative assessment
    of information security risks, in: Workshop on Cybersecurity Providing in Information and
    Telecommunication Systems (CPITS), vol. 2923, 329–335, 2021.
[4] S. Alter, Defining information systems as work systems: implications for the IS field. European
    Journal of Information Systems (EJIS), 17(5), 448-469, 2008. https://doi.org/10.1057/ejis.2008.37
[5] Y. Lei, Minimizing the Cost of Risk with Simulation Optimization Technique. Risk Management
    and Insurance Review, 14(1), 121–144, 2011. https://doi.org/10.1111/j.1540-6296.2010.01193.x
[6] N. Mayer, et al., An integrated conceptual model for information system security risk management
    supported by enterprise architecture management. Software & Systems Modeling, 2018.
[7] J. McKeen, H. Smith, Making IT Happen: Critical Issues in IT Management. Wiley, 2003.
    https://doi.org/10.1007/s10270-018-0661-x
[8] M. Shenglan, et al., A Blockchain-Based Risk and Information System Control Framework. IEEE
   16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive
   Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber
   Science and Technology Congress, 2018.
   https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00031
[9] Suroso, J. S, & Fakhrozi, M. A. (2018). Assessment of Information System Risk Management with
   Octave Allegro at Education Institution, 3rd International Conference on Computer Science and
   Computational Intelligence 2018. https://doi.org/10.1016/j.procs.2018.08.167
[10] Suroso, J. S., Rahadi, B. (2017). Development of IT Risk Management Framework Using COBIT
   4.1, Implementation, in IT Governance for Support Business Strategy. ACM International
   Conference Proceeding Series. Part F130654, pp. 92-96. https://doi.org/10.1145/3124116.3124134
[11] Y. Zhang, A Study on Risk Cost Management. International Journal of Business and Management,
   4(5), 145–148, 2009. https://doi.org/10.5539/ijbm.v4n5p14



