Risk Assessment Information System of Enterprise Business Processes

Eleonora Tereshchenko1, Olga Sosnovska2, Natalya Ushenko2, Viktoriya Andryeyeva2, and Mariia Kovalova1

1 Kyiv National University of Trade and Economics, 19 Kyoto str., Kyiv, 02156, Ukraine
2 Borys Grinchenko Kyiv University, 18/2 Bulvarno-Kudriavska str., Kyiv, 04053, Ukraine

Abstract
The paper substantiates the feasibility of forming and implementing a comprehensive information system for assessing the risks of business processes at the enterprise. The information system for assessing the risks of business processes of the enterprise, which is proposed here, is based on the convergence of the systemic approach, the concept of risk management, and the process approach to the management of the enterprise. Implementation of this information system will ensure permanent identification of risks of business processes, their assessment and create opportunities to resist risks when making managerial decisions. It has been proven that the information system for assessing the risks of business processes is the most important part of risk management, thanks to which it is possible to timely and fully determine the values of the indicators that are tracked. In addition, this system allows you to trace the trends in the development of business processes in the short term, and, as a result, take timely managerial corrective actions aimed at achieving the strategic goals.

Keywords
Information system, risk management, business processes, risk assessment criteria, ranking of business processes.

1. Introduction

Within the framework of economic science, the assessment of risks of business processes is most often associated with the division and function of risk management, since the main contribution to these studies was made by the founders of managerial science.
Effective management of business processes of the enterprise involves accuracy, reliability and efficiency of information; this allows you to form a system of permanent identification, assessment and formation of opportunities to resist risks when making managerial decisions; this is very important because a mistake in the decision taken can lead to large losses and a decrease in the rating of the enterprise. That is why the formation of an information management system for assessing the risks of an enterprise is one of the keys to improving the efficiency of its business processes [1].

In this regard, we consider it advisable to justify the formation and implementation of a comprehensive information system for assessing the risks of business processes at enterprises, which will ensure the qualitative implementation of a process approach that is focused on the system management of interconnected processes and resources [2–4].

CPITS-II-2021: Cybersecurity Providing in Information and Telecommunication Systems, October 26, 2021, Kyiv, Ukraine
EMAIL: e.tereshchenko@knute.edu.ua (E. Tereshchenko); o.sosnovska@kubg.edu.ua (O. Sosnovska); n.ushenko@kubg.edu.ua (N. Ushenko); v.andryeyeva@knute.edu.ua (V. Andryeyeva); kovalova1503@gmail.com (M. Kovalova)
ORCID: 0000-0003-2272-5224 (E. Tereshchenko); 0000-0002-2177-0691 (O. Sosnovska); 0000-0002-3158-4497 (N. Ushenko); 0000-0002-9529-0543 (V. Andryeyeva); 0000-0002-6890-4853 (M. Kovalova)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)

2. Analysis of Recent Research

Transformational changes in the modern economy are characterized by a tangible influence on business development from the information systems of enterprises.
The relevance of the research of this issue is due to the fact that the formation of an information system for assessing the risks of business processes of the enterprise, which is based on the convergence of a systemic approach, the concept of risk management and process approach to enterprise management, determines the level of efficiency of business structures.

Mayer, N., Aubert, J., Grandry, E., Feltus, C., Goettelmann, E., and Wieringa determined that the efficiency of assessment of risks of business processes of the enterprise is aimed at their optimization [5]. Lei, Y. considered business process optimization as a set of actions taken and implemented by the business process owner to maximize by minimizing risk costs [6,7]. Zhang Y. focuses on the fact that optimization of business processes should take into account the criterion that characterizes the balance between the cost of managing risks and losses from their possible implementation [9]. Therefore, it is objectively necessary to implement at enterprises an information system of risk assessment that is adapted to the specifics of their business processes.

Alter, S. focused on the fact that the information system is a working system, the processes and activities of which are devoted to the processing of information, that is, the accumulation, transfer, storage, extraction, manipulation and display of information [6]. At the same time, according to researchers (Shenglan Ma, Hao Wang, Hong-Ning Dai), the main goal of implementing a system of information risk assessment in business process management is to identify and reduce risks to an acceptable level [10].

The purpose of the research is to substantiate the theoretical and methodological bases of the formation of an information system for assessing the risks of business processes of the enterprise, based on the convergence of a systemic approach, the concept of risk management, and the process approach to managing the enterprise's activities.
Implementation of this goal will ensure permanent identification of risks of business processes, their assessment and create opportunities to resist risks when making managerial decisions.

3. Research Results

Analyzing the effectiveness of the risk management system of business processes in enterprises, it should be noted that to ensure their sustainable development, especially in the conditions of modern transformational challenges, it is necessary to constantly identify risks, assess actions to minimize them and the ability to withstand these risks. As a rule, the above procedures are required when the company has a number of minor negative symptoms, diagnosing the causes of which is quite difficult. Such symptoms can occur due to the gradual accumulation of changes or may result from cardinal management decisions (for example, extending or reducing directions of activity).

The business process of the enterprise should be understood as a system-closed process that permeates all the functional structures of the enterprise, has an input and an output, and also includes an interconnected sequence of stages of the enterprise, the purpose of which will be to make a profit.

Process management should be systematic, cover all components in space, in time and in interaction with the external environment, otherwise the company will be in a state of dismanagement. System management involves the consideration of the composition, relationships and features of the system structure of any management object. In this case, this will eliminate the existing shortcomings and establish the work of each site and unit at the enterprise.

In modern conditions, a fairly large number of enterprises are forced to resort to optimization, which is carried out under the conditions of risk consideration; this process is quite costly and time consuming.
When assessing the risks of business processes, it is first of all necessary to analyze each part of the business process carried out by a particular executor, that is, the procedure. It is also necessary to check: what results the correct execution leads to; what data or materials the executor receives as a result; what he does to them; how optimal his actions are; working time; duration of the procedure.

Assessment of the risks of business processes is carried out in order to find the optimal state; its result should be the identification of deficiencies in the process or in the group of processes. If the enterprise uses the optimal technological path, then, first of all, it is necessary to identify all the main shortcomings of the business process regarding the approval of the parameters. These parameters are then compared to the optimal criteria, and only after that are solutions formed to eliminate the identified shortcomings.

Further, the optimization process involves the development of proposals to correct the identified shortcomings. It is necessary to rebuild the process model taking into account these proposals, review the performers and their actions, and, most importantly, improve the means of work. Improving the means of work means improving the forms of fixation, storage and primary processing of data used during a specific procedure.

At the end of the optimization process, it is also necessary to analyze all the problems that may arise during optimization in other areas of the process, including possible resistance of employees.

As a rule, it is not necessary to analyze those processes that already exist in the company. Modern specialists can always offer new business processes to various companies.
However, there are difficult situations when it is almost impossible to determine which business processes are necessary, for example, a completely new kind of business, an enterprise with a large number of complex interactions between departments, or a need to improve the efficiency of work. It is possible to optimize the work only by a detailed analysis of the risks of existing business processes.

At the same time, you should highlight a number of criteria that you need to focus on when assessing the risks of business processes:

1. Integral and organic assessment of the risks of upper-level business processes.
2. Prioritization in assessing the risks of business processes to achieve strategic goals. Business processes that do not affect the main activity are elaborated last or are not elaborated at all.
3. The degree of risk assessment detail should meet the needs. The main criterion in this case is simple: further detail is not required if a clear separation of duties between employees is achieved and the basic principles of execution of operations are established.
4. Determination of basic parameters of assessment of risks of business processes at the design stage. Most often, after completing the design of the risk management system, there is a need for optimization, in which the existence of the basic parameters of the business process becomes necessary.
5. The importance of assessing the risks of a particular business process. It allows you to understand what processes should be designed in the first place, as well as to determine the processes, the design of which can be postponed somewhat.
6. Distribution of zones of responsibility at the enterprise.
7. Readiness for resistance from the enterprise's employees and their disagreement with everything that begins to destroy the already formed system of relations in various ways [10].
The result of successful modeling should be a suitable process description of the business. Evaluation, like modeling, can be carried out at different levels: from abstract understanding of gaps in block diagrams to detailed description of all low-level processes. Assessment should create value for the business, so it is always worth determining its framework and depth, based on the task.

When determining the most promising business processes, it is necessary to rank them according to the degree of priority. Most often, the criteria are:

• The importance of assessing the risk of a particular business process, which is determined by the proportion of contribution of a particular process to achieving the key goals of the organization. For example: how will optimizing the invoice design process affect the key efficiency indicators for increasing profits, is it necessary to improve this process, and are there processes whose optimization will give a greater effect?
• The difficulty of assessing the risk of the business process, that is, the gap between the actual level of risk and the planned one. Depending on the criteria developed for evaluating the result, the difficulty can be expressed in percent, monetary units, points, etc.
• The possibility of implementation of changes, which is estimated in the cost of resources to perform work on improving the efficiency of assessing the risks of business processes.

The developed criteria for risk assessment and the list of business processes are conveniently presented in the form of a matrix with an evaluation system (Table 1). Each process is evaluated in points from 1 to 5, where 1 is the minimum and 5 is the maximum score. Points are awarded by the expert method. There are several approaches to the implementation of this procedure. The method of budget allocation allows experts to give assessments according to the established criteria.
The hierarchy analysis method is also often used; it involves a pairwise comparison of processes by certain factors [11].

Table 1
Example of business process risk assessment matrix

Process              Importance of      Problem of         Possibility of      Summary
                     risk assessment    risk assessment    implementation
                                                           of changes
Business process 1   5                  2                  3                   10
Business process 2   4                  4                  3                   11
...                  ...                ...                ...                 ...
Business process n   4                  3                  5                   12

The sum of the points will determine the sequence of their optimization, based on the expected effect. Using such a matrix will greatly simplify the risk assessment procedure and make it possible to determine the presence of problems in business processes.

It is advisable to consider the business process risk assessment efficiency model, taking into account the importance of each process and the percentage of optimization. Suppose that there are n business processes in the enterprise, for each of which it is possible to determine its significance by means of. The importance of each process is determined on a scale: the higher the coefficient, the greater the importance of the business process. The evaluation step for the weight coefficients can be chosen as small as possible, which allows you to change any estimates using scaling.

If n is the number of business processes and a is the number of business processes for optimization, then (n – a) is the number of business processes that are not subject to optimization. Then the calculation formula for evaluating the efficiency of business process optimization can be presented in the form of (1):

$$E_f = \frac{\sum_{i=1}^{n} p_i}{\frac{1}{n}\sum_{i=1}^{a} p_i + \sum_{j=1}^{n-a} p_j}, \qquad (1)$$

where $p_i$ are the weight coefficients of processes for optimization and $p_j$ are the weight coefficients of processes that are not subject to optimization.

Fig. 1 shows the dependence of optimization efficiency on the total number of equivalent business processes calculated by the formula (1).
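The Table 1 ranking and formula (1) carried through in code, as an added example that is not part of the original paper. It assumes formula (1) reads Ef = (sum of all weights) / ((1/n) · sum of optimized weights + sum of non-optimized weights); the class and function names are hypothetical, and the equal-weight inputs are constructed to match the equivalent-process case the paper plots in Fig. 1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessScore:
    """One row of the Table 1 matrix; each criterion is an expert score from 1 to 5."""
    name: str
    importance: int    # importance of risk assessment
    problem: int       # problem of risk assessment
    feasibility: int   # possibility of implementation of changes

    def __post_init__(self):
        for field in ("importance", "problem", "feasibility"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field}={value!r} is outside 1..5")

    @property
    def summary(self) -> int:
        return self.importance + self.problem + self.feasibility


def rank(processes):
    """Order processes for optimization: highest summary score first."""
    return sorted(processes, key=lambda p: p.summary, reverse=True)


def efficiency(optimized, untouched):
    """Formula (1) as read above, for explicit weight coefficients."""
    optimized, untouched = list(optimized), list(untouched)
    weights = optimized + untouched
    n = len(weights)
    if n == 0:
        raise ValueError("at least one business process is required")
    if any(w <= 0 for w in weights):
        raise ValueError("weight coefficients must be positive")
    # With a < n the denominator is dominated by the untouched processes,
    # which is why Ef grows nonlinearly once a few processes are left out.
    return sum(weights) / (sum(optimized) / n + sum(untouched))


def equal_weight_efficiency(n, a, optimized_weight=1.0):
    """Ef for n processes of which a are optimized; untouched weights are 1."""
    if not 0 <= a <= n:
        raise ValueError("a must lie between 0 and n")
    return efficiency([optimized_weight] * a, [1.0] * (n - a))


# Rows copied from Table 1 of the paper.
TABLE_1 = [
    ProcessScore("Business process 1", 5, 2, 3),
    ProcessScore("Business process 2", 4, 4, 3),
    ProcessScore("Business process n", 4, 3, 5),
]

if __name__ == "__main__":
    for p in rank(TABLE_1):
        print(f"{p.name}: summary {p.summary}")
    for n in (10, 20, 30, 40):
        # Constructed sweep: all optimized, one left out, and optimized weight doubled.
        print(n, equal_weight_efficiency(n, n),
              round(equal_weight_efficiency(n, n - 1), 2),
              round(equal_weight_efficiency(n, n - 1, 2.0), 2))
```
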
Figure 1: Dependence of optimization efficiency on the total number of equivalent business processes
(vertical axis: Ef; horizontal axis: n)

With the equivalence of processes, all weight coefficients are considered equal. If you optimize all business processes, then with the increase in the number of business processes there is a linear increase in efficiency. If the proportion of equivalent processes for optimization is 75%, then increasing the total number of processes to 10 ensures an increase in efficiency more than 2 times. If the proportion of equivalent processes for optimization is 95%, then increasing the total number of processes to 20 ensures an increase in efficiency by 10 times. Nonlinear graphs of optimization efficiency versus the total number of business processes when the value of the optimized processes is twice as high as that of the non-optimized processes.

Thus, business process risk assessment matrices should ensure: reducing costs, reducing data collection and analysis time, reducing the number of defects during the implementation of business processes. It should be noted that any change should be justified and pursue certain goals, otherwise the risk of ineffective changes (improvements) that cause additional costs increases significantly.

The basis for assessing the risks of the enterprise's business processes is its information system, which, in accordance with the target requirements, is an interconnected set of data on technical and software; personnel; interactive procedures intended for the collection, processing, distribution, storage, provision of information (Fig. 2).
Figure 2: Information system for assessment of risks of business processes of the enterprise

The quality of risk assessment of business processes is determined by the reliability and efficiency of the information system. Reliability is the ability of the information system to store for a certain time the values of all parameters, which characterize the ability of the system to perform the functions assigned to it in a given mode, within the established limits. At the same time, the information system will be reliable only when it is characterized by reliability and durability.

The level of reliability of the information system of risk assessment of business processes of the enterprise also depends on:

• Composition and level of reliability of technical means, their interaction and reliability of the structure.
• Composition and level of software reliability, their capabilities and interaction in the structure of information system software.
• Rational distribution of tasks between technical means, software and personnel serving this system.
• Modes, parameters and organizational forms of operation of a set of technical means.

4. Conclusion

The effectiveness of the information system for assessing the risks of business processes of an enterprise is determined by comparing the results obtained with the costs of all types of resources necessary for the development of this system.
The information system, like any other system operating within the enterprise, has its own structure. The structure of the enterprise's business process risk assessment information system determines its functions: data collection and registration; preparation of information arrays; processing, accumulation and storage of data; formation of effective information; transfer of data from sources to place of processing and further to consumers of information for making managerial decisions; protection of information.

During the performance of all the above functions, information protection is provided, the essence of which is to preserve and confidentiality, that is, effective information is not subject to disclosure and is intended for specific users. The most reliable mechanisms for protecting information are cryptographic methods: encryption, message authentication and electronic recording.

Thus, the information system for assessing the risks of business processes is the most important part of risk management, thanks to which it is possible to timely and fully determine the values of the tracked indicators, as well as the tendencies of their development in the near future in order to carry out timely managerial corrective actions aimed at achieving the set strategic goals.

5. References

[1] Shevchenko, H., et al., Information security risk analysis SWOT, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 2923, 309–317, 2021.
[2] V. Buriachok, V. Sokolov, P. Skladannyi, Security rating metrics for distributed wireless systems, in: Workshop of the 8th International Conference on "Mathematics. Information Technologies. Education": Modern Machine Learning Technologies and Data Science (MoMLeT and DS), vol. 2386, 222–233, 2019.
[3] Berestov, D., et al., Analysis of features and prospects of application of dynamic iterative assessment of information security risks, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems (CPITS), vol. 2923, 329–335, 2021.
[4] S. Alter, Defining information systems as work systems: implications for the IS field. European Journal of Information Systems (EJIS), 17(5), 448–469, 2008. https://doi.org/10.1057/ejis.2008.37
[5] Y. Lei, Minimizing the Cost of Risk with Simulation Optimization Technique. Risk Management and Insurance Review, 14(1), 121–144, 2011. https://doi.org/10.1111/j.1540-6296.2010.01193.x
[6] N. Mayer, et al., An integrated conceptual model for information system security risk management supported by enterprise architecture management. Software & Systems Modeling, 2018.
[7] J. McKeen, H. Smith, Making IT Happen: Critical Issues in IT Management. Wiley, 2003. https://doi.org/10.1007/s10270-018-0661-x
[8] M. Shenglan, et al., A Blockchain-Based Risk and Information System Control Framework. IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress, 2018. https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00031
[9] Suroso, J. S., & Fakhrozi, M. A. (2018). Assessment of Information System Risk Management with Octave Allegro at Education Institution, 3rd International Conference on Computer Science and Computational Intelligence 2018. https://doi.org/10.1016/j.procs.2018.08.167
[10] Suroso, J. S., Rahadi, B. (2017). Development of IT Risk Management Framework Using COBIT 4.1, Implementation, in IT Governance for Support Business Strategy. ACM International Conference Proceeding Series. Part F130654, pp. 92–96. https://doi.org/10.1145/3124116.3124134
[11] Y. Zhang, A Study on Risk Cost Management. International Journal of Business and Management, 4(5), 145–148, 2009. https://doi.org/10.5539/ijbm.v4n5p14