<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Risk-Aware Organizational Design</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>George Koliadis</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Aditya K. Ghose</string-name>
          <email>aditya@uow.edu.au</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Decision Systems Laboratory, School of Computer Science and Software Engineering, University of Wollongong</institution>,
          <addr-line>NSW 2522</addr-line>
          <country country="AU">Australia</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2009</year>
      </pub-date>
      <abstract>
        <p>Operational risk is an important, complex, and difficult criterion to consider during any form of organizational decision making. In practice, (1) complexity typically arises from: the use of a variety of risk-related indicators; the use of multiple heterogeneous measurement scales; measurement uncertainty; varying levels of measurement precision; and the widespread effect of each measurement; (2) difficulties arise due to: the time-bound nature of the decision-making process; and the availability and interpretation of risk-related measurements. To help address these issues, we propose a conceptual framework to support and minimize the level of analyst involvement during the management of operational risk specified in organizational models. This is achieved by propagating/analyzing risk-related evaluations across descriptions of distributed, inter-dependent and mission-critical work activities.</p>
      </abstract>
      <kwd-group>
        <kwd>Operational Risk Management</kwd>
        <kwd>Organizational Design</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Ad-hoc risk analyses are common within operational decision making [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. The
bounded nature of choice between alternatives requires time and information to
be rationalized. As such, conceptual tools that help make use of, collect and
disseminate available knowledge are critical. In many cases, precise risk assessment
based on well-defined problem specifications or statistical data is infeasible (e.g.
in green-fields and time-bound projects). This may lead to increased levels of
uncertainty with respect to the conditions surrounding some decision to be made.
Efficient and effective techniques are required that allow for the combination of
precise and imprecise assessments when evaluating risk.
      </p>
      <p>
        In this paper, we outline a novel framework for propagating measurements
(in a large class of measurement frameworks) across and between descriptions
of inter-dependent work activities specified using a language influenced by the
i* [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] notation and the c-semiring [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] constraint modeling paradigm. This form
of propagation allows us to: determine the effect of an evaluation across an
organization; determine inferred bounds for improved analysis of organizational
models; and determine when and where evaluations are inconsistent and adjust
the evaluations or model to resolve an inconsistency. The examples we illustrate
in this paper primarily refer to risk-related measurements, although the
techniques we describe can also be deployed to model and analyze many other forms
of measurements (e.g. cost, time, etc.). The theory outlined in this paper is
implemented in the ISORROPIA Service Mapping Software Toolkit available for
download at: http://www.isorropia.org/.
      </p>
      <p>Section 2 provides background and related work; Section 3 defines a risk
modeling scheme; Section 4 describes risk propagation; we then describe how
to deal with inconsistencies in Section 5; Section 6 describes some modes of
analysis; and, we conclude in Section 7.</p>
    </sec>
    <sec id="sec-2">
      <title>Background and Related Work</title>
      <p>
        Risk has been studied within many fields including economic theory [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], social
science [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], project management [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], and software engineering [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. In [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ], risk is
defined as "...exposure to a proposition of which one is uncertain" [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ], whereby
a self-aware individual is uncertain of a proposition if they do not know it to
be true or false, or it is unknown to them, and exposure is defined as the
personal condition of that individual who would care (and has a preference toward)
whether the proposition is either true or false [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
      </p>
      <sec id="sec-2-1">
        <title>Organizational Risk</title>
        <p>
          In organizations, "...governance and decision making are the cause, risk and
reward - the effect or outcome of those decisions" [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ]; whereby, governance is
defined as "...finding ways to ensure that decisions are made effectively" [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ]
by specifying "...the distribution of rights and responsibilities among different
participants in the corporation, such as the board, managers, shareholders, and
other stakeholders" [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ]. Five core elements of risk include [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ]: (1) Context, or
the "...environment in which the risk is being viewed" [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ]. The context describes
the situation in which the conditions and consequences of a risk have some
bearing, as well as identifying the scope of actions that trigger and can mitigate
a risk. (2) Action, whose ramifications in certain conditions trigger a risk; (3)
Conditions, which in combination with an action trigger a risk; (4) Consequences,
or the potential effect of the action under certain conditions. These may lead to
losses across many diverse attributes ranging from the stability of tasks through
to the co-operation among work groups [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ]; (5) Controls, to prevent, detect and
correct the consequences of risk.
        </p>
        <p>
          Operational risk is "...associated with the expected outcome of a process"
[
          <xref ref-type="bibr" rid="ref11">11</xref>
          ], and is "enterprise-wide... endemic across the institution, affecting every
business activity" [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ]. [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ] states that increased work distributions "...by their
very nature increase risk", indicating a structural relationship. In organizational
settings, risk becomes a key attribute for informing analysis and decision making
that should be analyzed and controlled during organizational design.
        </p>
      </sec>
      <sec id="sec-2-2">
        <title>Organizational Modeling</title>
        <p>Organizational modeling in notations such as the i* framework provides rich
anthropomorphic abstractions for modeling the social, intentional, and
strategic viewpoints of organizational actors. In i*, dependencies such as goals to be
satisfied, soft-goals to be satisficed, tasks to be performed, and resources to be
furnished can be represented to help reason about the optimal delegation of
responsibilities among actors in some organizational context. An actor's internal
motivations and capabilities are represented as an AND/OR goal graph. In this
mode, tasks may be decomposed and alternative means for goals defined with
means-end relationships. In addition, directed links between actors signify that
a depender (i.e. source) actor depends on a dependee (i.e. target) actor for a
dependum (i.e. the node between dependency links).</p>
        <p>Take for example, Figure 1 - An Organizational Model of a Transport
Organization. This model represents the interdependencies between three actors: a
Bond Department; a Sort Facility; and a Regulatory Agency. Dependencies are
represented as goals (ovals) connected to other types of goals (or tasks) via links
labeled with a directional 'D'. For example, the Bond Department depends on a
Sort Facility to achieve the goal of "Forwarded[Bonded Packages]". Within the
scope of an actor, goals (or tasks) are decomposed into sub-tasks and goals or
alternative tasks and goals (as represented in the legend in Figure 1).</p>
        <p>
          In these types of models, risk and uncertainty are left implicit within the
structure of an organization, and can sometimes be catered for within the
underlying analysis framework - i.e. i* incorporates a qualitative argumentation
system for reasoning about levels of satisfaction towards soft-goals that has
been extended [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ] to cater for certain types of cancelation (relevant to risk
mitigation).
        </p>
      </sec>
      <sec id="sec-2-3">
        <title>Risk Modeling as Negative Preferences</title>
        <p>
          Risk is measured by "...the probability of occurrence of loss/gain multiplied by
its respective magnitude" [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ]. Within the constraint satisfaction literature,
similar issues relating to the uncertainty of a solution (or partial-solution) have
required the use of soft-constraints, ranked according to probabilistic, fuzzy or
weighted scales. In order to unify soft-constraint paradigms, [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ] propose an
abstract c-semiring framework that generalizes the classical (i.e. boolean), fuzzy,
probabilistic and weighted approaches.
        </p>
      </sec>
      <sec id="sec-2-4">
        <title>Definition 1 (Constraint-Semiring). A c-semiring (as in [3]) is defined as a</title>
        <p>5-tuple ⟨A, , , 0, 1⟩ with the following properties: A is a set of abstract
(numeric, boolean, or symbolic) preference values and 0, 1 ∈ A; is a binary
operator used to compare preference values, which is closed (i.e. if a, b ∈ A, then a b ∈
A), commutative (i.e. a b = b a), associative (i.e. a (b c) = (a b) c),
idempotent (i.e. if a ∈ A, then a a = a), has a unit element of 0 (i.e.
a 0 = a = 0 a), and an absorbing element of 1 (i.e. a 1 = 1 = 1 a);
is a binary operator used to combine preference values, which is closed (i.e.
if a, b ∈ A, then a b ∈ A), commutative (i.e. a b = b a), associative (i.e.
a (b c) = (a b) c), has a unit element of 1 (i.e. a 1 = a = 1 a), and
an absorbing element of 0 (i.e. a 0 = 0 = 0 a); distributes over (i.e.
a (b c) = (a b) (a c)). In addition, the comparison operator induces a
partial ordering _s such that for all a, b ∈ A, a _s b iff a b = b.</p>
        <p>Risk measurement attempts to quantify the impact and uncertainty of some
meaningful event. Traditionally, probabilistic and/or qualitative scales can be
used. The c-semiring structure allows us to seamlessly describe and analyze
precise and imprecise evaluations under the same unifying scheme. That is,
qualitative evaluations do not need to be massaged into the same totally ordered
numeric scheme.</p>
        <p>
          Take for instance the case where two or more c-semirings have been used
to model the problem at hand. In our instance, we would like to incorporate
multiple risk measures (e.g. one risk measured using a numeric scale R+ and
another measured using a symbolic scale {Low, Med, High}). This has been
briefly discussed in [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ] and more deeply discussed in [
          <xref ref-type="bibr" rid="ref16">16</xref>
          ]. The simple approach
for combining two c-semiring instances produces another c-semiring instance
(proved by [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ]) that is the Cartesian product of the abstract preference values,
comparison operators, combination operators, and inclusion of least and most
preferred values as respective tuples.
        </p>
        <p>
          The c-semiring structure has been referred to as a negative preference
structure in [
          <xref ref-type="bibr" rid="ref17">17</xref>
          ], used to compare and combine the values associated to tuples in the
constraints of constraint satisfaction problems. This structure is a natural
candidate for modeling risk measurements, as the combination operator monotonically
decreases - i.e. the combination of two risks (occurring simultaneously) is worse
than either of them occurring on their own. The structure also permits a partial
ordering among values to allow for indecision among divergent evaluations.
        </p>
        <p>
          Given the endemic nature of risk, the broad range of risk attributes (see [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ]),
and the application of risk assessments across many inter-related areas within
an organization (e.g. financial, resource, project and software management), a
combined, general and more holistic scheme would help to unify these otherwise
independently structured and applied evaluations.
        </p>
      </sec>
      <sec id="sec-2-5">
        <title>Related Work</title>
        <p>
          It is surprising that little attention has been given to organizational risk
analysis within the organizational modeling literature. For example, [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ] discusses
techniques for evaluating and analyzing actor criticality and vulnerability within
organizations that may arguably contribute to both the impact and likelihood of
certain classifications of failure. In other work, [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ] discuss obstacles and [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]
discuss hazards that may both obstruct the satisfaction of organizational goals,
thus requiring analysis and mitigation. In addition, [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ] discuss how quantitative
risk evaluation and analysis can be incorporated into business process models to
help evaluate taxonomic risk.
        </p>
        <p>
          In [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ] and [
          <xref ref-type="bibr" rid="ref21">21</xref>
          ], a goal-oriented and qualitative framework for modeling and
reasoning about the consequences of risk (extending the formal framework of
[
          <xref ref-type="bibr" rid="ref22">22</xref>
          ]) is presented. Speculative, hazardous and mitigating risk events and their
contribution (positive and negative) towards organizational objectives can be
clearly modeled. In [
          <xref ref-type="bibr" rid="ref23">23</xref>
          ], a goal-oriented, quantitative/probabilistic method for
analyzing risks is presented. In their approach, risks are defined as fault-tree
extensions to the existing NASA Defect Detection and Prevention (DDP) method.
        </p>
        <p>The approach outlined in this paper aims to support mixed-mode and
iterative evaluation of organizational structures with respect to a variety of
heterogeneous endogenous (i.e. structural) and exogenous (i.e. environmental) risk
measurements. As this task is knowledge intensive, we present a scheme to minimize
analyst involvement by propagating evaluations across evolving organizational
models. Our application is also primarily targeted toward risk analysis, although
it could also be used in other settings. This permits improved visibility for risk
related (and other) factors across an entire organizational model, even when the
model is only partially evaluated.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>Modeling Risk within Organizational Models</title>
      <p>Risk evaluations are annotated to functional goal or task nodes on an
organizational model. These evaluations choose values from a combined instance of a
c-semiring risk scale. This evaluation provides a coarse-grained measure of the
risk of a deviation to the annotated node.</p>
      <p>Definition 2 (Risk Evaluation). Let R = ⟨M, S, S_low, S_upp⟩ be a risk
evaluation such that: M ∈ {Normative, Descriptive} indicates the mode of an
evaluation; S = ⟨A, , , 0, 1⟩ is a combined c-semiring scale we are using to
measure the risk of a functional deviation, and this scale may be a composition
of multiple scales/dimensions for each finer-grained deviation; S_low is a value
from S (possibly an n-tuple) that indicates the lower bound on some evaluation,
and states that the evaluation cannot get any worse than the designated value;
S_upp is a value from S (also possibly an n-tuple) that indicates the upper bound
on some evaluation, and states that the evaluation cannot get any better than
the designated value; and, S_low _s S_upp (under the partial ordering _s induced
by comparison operator ).</p>
      <sec id="sec-3-1">
        <title>Examples</title>
        <p>The approach we have discussed for structuring risk evaluations can be used
to capture and analyze endogenous (i.e. structural) as well as exogenous (i.e.
environmental) risk under the same unifying scheme.</p>
        <p>Exogenous risk exists outside the organizational model and is annotated (by
an analyst) to describe the risk of a functional deviation. For example, a common
scale attempts to measure risk as a real (R+) number. Let the risk indicator for
some undesirable event be ⟨R+, min, max, ∞, 0⟩, where:
- a value from R+ signifies the risk of a functional deviation measured as a
positive real number;
- the better value when two risk values are compared (a b) is defined as the
min of those values;
- the result of a combination between the two risk values (a b) is the max
risk between them;
- the least preferred value is ∞; and,
- the most preferred value is 0.</p>
        <p>Such a risk indicator could effectively be used where statistical information
is available. For example, the risk of an untimely operation, where the
timeliness of a result has been previously monitored. Another instantiation could be
⟨{Low, Med, High}, cpI, cbI, High, Low⟩, where:
- a value from {Low, Med, High} signifies the risk of a functional deviation;
- a comparison between two values will result in the best value given the
ordering: High &lt;_s Med &lt;_s Low, where for any two a, b ∈ A, a &lt;_s b states
that b is strictly 'better' than a, and a &lt;_s b iff a cpI b = b;
- the result of a combination operation cbI applied to two distinct values is
the least preferred of the two;
- the least preferred value is High; and,
- the most preferred value is Low.</p>
        <p>Endogenous risk manifests itself within an organizational model. For
example, we could determine the vulnerability (or dependence) for a specific node as
the set of agents (a ∈ 2^A) on whom the node depends. Let the vulnerability
measure of a node be ⟨2^A, , ∪, A, ∅⟩, where:
- 2^A is the powerset of A;
- the comparison operator ( ) is based on the superset relation, where for any
two a, b ∈ 2^A, a _s b iff a b (the operator in this case would return the
least upper bound in the lattice produced by this partial ordering);
- the combination operation (∪) results in the union of the sets;
- the least preferred value is A; and,
- the most preferred value is ∅.</p>
        <p>Another interesting endogenous indicator measures node criticality as the set
of agents (a ∈ 2^A) that depend on a node. That is, if the node were to fail, the
agents in the criticality set would be adversely affected. As such, criticality uses
the same scheme as set forth for vulnerability. The difference lies in the local
evaluations that provide a basis for propagation (i.e. we consider depender actors
instead of dependees). The capability to capture and combine measurements
from various risk indicators such as these is important.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Propagating Risk Evaluations Across Organizational Models</title>
      <p>The evaluation of an element within an organizational model is situated within
the context of all related nodes. For example, the evaluation of a task partaking
within an AND decomposition (as a root or leaf node) also says something about
the other related tasks. In order to gain a fuller evaluation of risk across an
entire organizational model we provide some general techniques for propagating
bounded evaluations bi-directionally across links within an organizational model.</p>
      <p>The following constraints can provide a basis for propagation, defined with
respect to alternative refinement patterns within organizational models:
1. A_P _s A_C1 ... A_Cn (parent A_P AND decomposed into A_C1, ..., A_Cn);
2. O_P _s O_C1 ... O_Cn (parent O_P OR decomposed into O_C1, ..., O_Cn);
3. D _s D_E (dependency D related to dependee node D_E).</p>
      <p>Informally, the evaluation of: (1) the parent of an AND refinement can be no
better than the combined value of its children; (2) the parent of an OR refinement
can be no better than the best value among its children; and, (3) a dependency
can be no better than the associated node realizing the dependency. These
constraints, in combination with unary constraints for bounds, can provide a means
to deploy constraint solvers in pre-processing or solving mode, although some
types of operators and domains may not be completely catered to in traditional
solvers (e.g. the vulnerability measures). The discussion in the following sections
provides some lightweight heuristic guidance for adjusting bounds and resolving
conflicts during change. Please note that organizational models do not typically
include cycles.</p>
      <sec id="sec-5-1">
        <title>Bottom-Up AND ↑ Propagation</title>
        <p>Given the bounds S_low, S_upp of a risk evaluation for some parent node, and a
set of bounds {S_low1, S_upp1, ..., S_lown, S_uppn} for its children, we compute an
AND ↑ propagated update of its upper (S'_upp) and lower (S'_low) bounds such
that: S'_upp = S_upp1 ... S_uppn; and, S'_low = S_low1 ... S_lown; where is the
combination operator of the associated c-semiring scale. Note that evaluations
of a dependency node from a dependee task propagate using this scheme.</p>
        <p>Given the bounds S_low, S_upp of a risk evaluation for some child node, and the
bounds of its parent S_lowP, S_uppP, we compute an AND ↓ propagated update of
its lower (S'_low) bound such that: S'_low = S_lowP if S_low _s S_lowP. Note that
evaluations of a dependency node to a dependee task propagate using this scheme.</p>
      </sec>
      <sec id="sec-5-2">
        <title>Bottom-Up OR ↑ Propagation</title>
        <p>Given the bounds S_low, S_upp of a risk evaluation for some parent node, and a
set of bounds {S_low1, S_upp1, ..., S_lown, S_uppn} for its children, we compute an
OR ↑ propagated update of its upper (S'_upp) and lower (S'_low) bounds such
that: S'_upp = S_upp1 ... S_uppn; and, S'_low = S_low1 ... S_lown; where is
the comparison operator, and is the combination operator of the associated
c-semiring scale.</p>
        <p>In this setting we treat the refinement as an inclusive evaluation of the parent
node. We apply the comparison operation to the upper bound of all the children
in order to determine the best possible value for the parent node. We then apply
the combination operation to all the lower bounds of each child to determine the
worst possible value for the parent node.</p>
        <p>Alternatively, we could treat the refinement as exclusive and apply a
pessimistic evaluation of each alternative. In this case, we apply a function to
determine the worst case lower bound of each refinement. The parent node then
inherits an evaluation of its upper and lower bounds from the child[ren] with
this property. That is, S'_upp = S_uppi and S'_low = S_lowi such that i ∈ {1, ..., n}
and S_lowi = min({S_low1, ..., S_lown}).</p>
        <p>Finally, we could have treated the refinement as exclusive and applied an
optimistic evaluation of each alternative. In this strategy, we apply the
comparison operator to the upper bounds of all child nodes and allow the parent
to inherit the upper and lower bounds of the child[ren] with the best upper
bound. Formally, S'_upp = S_uppi and S'_low = S_lowi such that i ∈ {1, ..., n} and
S_uppi = S_upp1 ... S_lown.</p>
      </sec>
      <sec id="sec-5-3">
        <title>Top-Down OR ↓ Propagation</title>
        <p>Given the bounds S_low, S_upp of a risk evaluation for some child node, and the
bounds of its parent S_lowP, S_uppP, we compute an OR ↓ propagated update of its
upper (S'_upp) and lower (S'_low) bounds such that: S'_upp = S_uppP if S_upp _s S_uppP;
and, S'_low = S_lowP if S_low _s S_lowP.</p>
        <sec id="sec-5-3-1">
          <title>Dependee and Dependency Propagation</title>
          <p>Given the bounds S_lowD, S_uppD of an evaluation for a dependency node, and
the bounds S_low, S_upp of its dependee node, we compute a propagated update
of its upper (S'_uppD) and lower (S'_lowD) bounds such that: S'_uppD = S_upp; and,
S'_lowD = S_low. Propagation (or matching) of this kind may also occur in the
opposite direction.</p>
        </sec>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>Dealing with Inconsistency During Propagation</title>
      <p>Inconsistencies can be detected during value propagation. Given the current
bounds of a risk evaluation S_low, S_upp, a propagation step (S'_low, S'_upp) can
result in three types of outcomes:
1. Bound Consistency. The updated bounds are consistent with the current
evaluation (i.e. S'_upp _s S_upp and S'_low _s S_low). That is, a propagation
should respect the current lower and upper bounds of a node, i.e. the result
of a propagation should tighten an evaluation.
2. Bound Inconsistency. The updated bounds are inconsistent with the
current evaluation (i.e. S'_upp &gt;_s S_upp or S'_low &lt;_s S_low). A relaxation is one type
of update that will inevitably be highlighted as an inconsistency. The
problem here lies in accommodating the relaxation by resolving inconsistencies.
3. Bound Incomparability. One of the updated bounds is incomparable to a
current bound (i.e. S'_upp S_upp ∉ {S'_upp, S_upp} or S'_low S_low ∉ {S'_low, S_low}).
The result of the operator on incomparable values is their least upper
bound (lub) in the c-semiring lattice.</p>
      <p>Bound consistency does not necessarily mean that we can accept the update
in a straightforward manner. This is due to situations where the updated bound
is incomparable to the current bound. Dealing with these types of situations is
discussed below.
</p>
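      <p>The following Python example is added here and is not code from the paper or from the ISORROPIA toolkit: it implements the example scales of Section 3.1, the bottom-up AND and OR propagation rules of Section 4 and the three outcomes listed above, and runs them on constructed bounds. The names Scale, and_up, or_up, classify, vulnerability, product and demo are hypothetical; set intersection as the comparison operator of the vulnerability scale, infinity as the least preferred real value, and consistency read as tightened bounds are assumptions.</p>

```python
import math
from dataclasses import dataclass
from functools import reduce
from typing import Any, Callable


@dataclass(frozen=True)
class Scale:
    """A c-semiring risk scale (names here are hypothetical, not the toolkit's)."""
    compare: Callable[[Any, Any], Any]  # comparison operator: yields the better value
    combine: Callable[[Any, Any], Any]  # combination operator: yields the merged risk
    worst: Any                          # least preferred value
    best: Any                           # most preferred value

    def leq(self, a, b):
        """True when b is at least as good as a, i.e. compare(a, b) == b."""
        return self.compare(a, b) == b

    def comparable(self, a, b):
        return self.leq(a, b) or self.leq(b, a)


# Numeric scale on the positive reals: min compares, max combines.
REAL = Scale(min, max, math.inf, 0.0)

# Symbolic scale with High worst and Low best.
_RANK = {"High": 0, "Med": 1, "Low": 2}
SYMBOLIC = Scale(lambda a, b: max(a, b, key=_RANK.get),
                 lambda a, b: min(a, b, key=_RANK.get), "High", "Low")


def vulnerability(actors):
    """Powerset scale: union combines; intersection is assumed as the comparison
    operator because it is the one that induces the superset ordering."""
    return Scale(lambda a, b: a.intersection(b), lambda a, b: a.union(b),
                 frozenset(actors), frozenset())


def product(s1, s2):
    """Component-wise product of two scales, itself a c-semiring."""
    return Scale(lambda a, b: (s1.compare(a[0], b[0]), s2.compare(a[1], b[1])),
                 lambda a, b: (s1.combine(a[0], b[0]), s2.combine(a[1], b[1])),
                 (s1.worst, s2.worst), (s1.best, s2.best))


def and_up(scale, children):
    """Bottom-up AND: combine the children's lower bounds and their upper bounds."""
    lows, upps = zip(*children)
    return reduce(scale.combine, lows), reduce(scale.combine, upps)


def or_up(scale, children):
    """Bottom-up OR (inclusive): best upper bound, combined lower bounds."""
    lows, upps = zip(*children)
    return reduce(scale.combine, lows), reduce(scale.compare, upps)


def classify(scale, current, updated):
    """Classify a propagated (low, upp) pair against the current (low, upp) pair."""
    (low, upp), (new_low, new_upp) = current, updated
    if not (scale.comparable(new_low, low) and scale.comparable(new_upp, upp)):
        return "incomparable"
    # Consistent means tightened: upper bound no better, lower bound no worse.
    if scale.leq(new_upp, upp) and scale.leq(low, new_low):
        return "consistent"
    return "inconsistent"


def demo():
    """Constructed sample values; bounds are written as (low, upp)."""
    normative = (0.01, 0.0)                    # acceptable range [0, 0.01]
    children = [(0.05, 0.05), (0.004, 0.001)]  # constructed child evaluations
    parent_and = and_up(REAL, children)
    parent_or = or_up(REAL, children)
    vuln = vulnerability({"Bond", "Sort", "Agency"})
    cur = (frozenset({"Bond", "Sort"}), frozenset({"Bond"}))
    new = (frozenset({"Bond", "Agency"}), frozenset({"Bond"}))
    return {
        "and": (parent_and, classify(REAL, normative, parent_and)),
        "or": (parent_or, classify(REAL, normative, parent_or)),
        "tightened": classify(REAL, normative, (0.008, 0.002)),
        "vulnerability": classify(vuln, cur, new),
        # Numeric component improves while the symbolic one worsens.
        "mixed": classify(product(REAL, SYMBOLIC),
                          ((0.05, "Med"), (0.0, "Low")),
                          ((0.02, "High"), (0.0, "Low"))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```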
      <sec id="sec-6-1">
        <title>Resolving Inconsistency</title>
        <p>Inconsistency may be due to: mixed perspectives of multiple stakeholders /
analysts; the timeliness of each evaluation, where the newer evaluation should
succeed an older evaluation; or it may even be identified when two incomparable values are
provided. In any case, strategies are required to deal with such inconsistencies
during propagation. Below we provide a short-list of possible strategies that may
be applied, combined and/or integrated within the framework for risk analysis.</p>
        <p>Cautious and Credulous. The cautious strategy selects the worst case for
propagation among the set of alternatives. We can intuitively determine the
worst case within our framework by applying the combination operator when
evaluating the alternative to select.</p>
        <p>Given two sets of bounds S_low, S_upp (current) and S'_low, S'_upp (updated)
that are inconsistent, we define S''_low, S''_upp as the cautious revision of these
inconsistent bounds such that: if S'_low _s S_low, then S''_low = S'_low S_low,
otherwise S''_low = S'_low; and if S'_upp _s S_upp, then S''_upp = S'_upp S_upp, otherwise
S''_upp = S'_upp; where is the combination operator of the associated c-semiring.</p>
        <p>The credulous approach is the inverse of the cautious approach. In this
strategy, the analyst will choose to take the best case alternative with the hope that
it will suffice. It is also just as simple to implement the credulous approach via
the use of the comparison operator for each risk evaluation.</p>
        <p>Given two sets of bounds S_low, S_upp (current) and S'_low, S'_upp (updated)
that are inconsistent, we define S''_low, S''_upp as the credulous revision of these
inconsistent bounds such that: if S'_low _s S_low, then S''_low = S'_low S_low,
otherwise S''_low = S'_low; and if S'_upp _s S_upp, then S''_upp = S'_upp S_upp, otherwise
S''_upp = S'_upp; where is the comparison operator of the associated c-semiring.</p>
        <p>Model Re-Evaluation. Inconsistencies may reveal a need to re-evaluate an
organizational model. For example, a normative evaluation on a dependency
(e.g. any dependency in Figure 1) may become inconsistent with the descriptive
evaluation on that node. If the measurements provided are valid, either: an
evaluation may need to be relaxed; a goal, or goals, may need to be re-implemented (to
achieve an acceptable evaluation); or, the model may need to be re-configured.</p>
      </sec>
    </sec>
    <sec id="sec-7">
      <title>Analysing Organizational Risk</title>
      <p>Under this framework the organizational model becomes a persistent source
of knowledge that is required to bring together and combine distributed risk
analyses during organizational decision making.
</p>
      <sec id="sec-7-1">
        <title>Modes of Analysis</title>
        <p>The scheme we have discussed allows us to conduct the two broad types of
analysis outlined below.</p>
        <p>Analyzing Modal Evaluations. A local risk evaluation for a node on an
organizational model may be either: normative - indicating the acceptable threshold
for an evaluation (that may be propagated from another node); or, descriptive -
indicating a current or future risk state within the organization. Distinguishing
between normative and descriptive evaluations provides us with three important
levels of analysis: at the level of normative measurement expectations; between
descriptive and normative evaluations; and, between perceived descriptive
evaluations. This is especially desirable when evaluating organizational models with
multi-modal elements (e.g. the normative nature of dependencies).</p>
        <p>Ordering Model Elements. Propagation also provides us with a basis for
ordering elements on an organizational model, based on their bounded evaluations.
Given two sets of bounds S_lowi, S_uppi and S_lowj, S_uppj for a specific risk, the
status of their ordering may be either: strictly better (S_lowi &gt;_s S_uppj);
conceivably better (S_uppi &gt;_s S_uppj, S_lowi _s S_lowj); incomparable (S_uppi _s S_uppj and
S_lowi _s S_lowj). Ordering model elements in this way can help to identify areas
of the model that are more prone to risk (i.e. a risk portfolio), and therefore
require specific attention.</p>
      </sec>
      <sec id="sec-7-2">
        <title>Evaluation and Propagation</title>
        <p>Below, we illustrate two examples of evaluation and propagation. In Tables 1
and 2, we will use "u|l" to signify the upper and lower bounds of an evaluation.</p>
        <p>Propagating Precise Risk Measures in Figure 1. Table 2 summarizes the
local (L) and contextual (C) evaluations for one normative (i.e. L(N) and C(N))
and one descriptive (i.e. L(D) and C(D)) evaluation. The local evaluations
describe the immediate evaluation of a node, prior to propagating the evaluation in
order to contextualize the evaluation of other nodes in a model. Contextualized
evaluations are inferred from the local evaluations, structure of the model and
propagation procedure used. In this example, an initial Normative evaluation
at the Manage[PackageRouting] node was provided, indicating that the
aforementioned risk should only ever have a risk value within the range [0, 0.01]. The
prominence of the node resulted in the evaluation being propagated to every
node in the model (i.e. for brevity we have only included interesting evaluations
in Table 1). Next, the Recieve[Package] node was evaluated with a descriptive
evaluation of 0.05, resulting in propagation to the Released[ClearedPackages]
and Release[Packages] nodes. As a result, the descriptive evaluations at these
nodes have been determined to be inconsistent with the normative evaluation,
requiring resolution.</p>
      </sec>
      <sec id="sec-7-3">
        <title>Propagating Vulnerability Measures in Figure 1</title>
        <p>The vulnerability of a node is defined as the set of actors it depends on,
including the owner of the node. In the setting we have described, local evaluation,
propagation, and inconsistency resolution can be completely automated. Although the
contextual evaluation of a node (as in the previous example) can be determined using
other mechanisms (e.g. simple graph traversal), we would like to illustrate how these
evaluations can be determined using the simple and general scheme for
propagating evaluations that we have described. We start by approximating bounds.
Naturally, the upper bound of each dependency (and related depender node)
receives a value consisting of the depender and dependee actors. This indicates
that these nodes are vulnerable to at least this degree. All other nodes receive an
upper bound value consisting of the actor who owns the node. The lower bound,
on the other hand, may either: receive the entire domain of actors in the model,
limiting the possibility for further propagation; or receive the value of the
upper bound as a strong approximation that is resolved using an inconsistency
resolution strategy (e.g. the cautious strategy). Table 2 summarizes the results
of the local evaluation and propagation of vulnerability across Figure 1 in the
case of a strong approximation. For brevity we have only included a subset of
the nodes and their evaluations.</p>
        <p>In this example, each node was assigned a crisp local evaluation indicating
the immediate vulnerability of that node with respect to outgoing dependencies.
For example, the Sort[Package] task was given an evaluation of "SF,RA|SF,RA"
since it is owned by the Sort Facility (SF) and depends on the Regulatory
Authority (RA). The result of the propagation finally indicated that the Sort[Package]
and Handled[PackageClearance] nodes are the most vulnerable in our
Transport Organization.</p>
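        <p>The following added example (not code from the paper) computes vulnerability
evaluations with the simple graph traversal mentioned above, rather than the
propagation scheme the paper proposes. The model wiring, the actor CB, the
Inspect[Package] node, and the use of actor-set size to rank nodes are assumptions
made for illustration; this is not the model of Figure 1.</p>
        <preformat>
```python
from collections import deque

# Constructed sample model, NOT the paper's Figure 1. SF and RA are the
# actor abbreviations used in the text; CB is a hypothetical third actor.
TASKS = {                      # task node -> owning actor
    "Sort[Package]": "SF",
    "Release[Packages]": "RA",
    "Recieve[Package]": "SF",
    "Inspect[Package]": "CB",  # hypothetical node
}
DEPENDENCIES = {               # dependency node -> (depender task, dependee task)
    "Handled[PackageClearance]": ("Sort[Package]", "Release[Packages]"),
    "Released[ClearedPackages]": ("Release[Packages]", "Inspect[Package]"),
}


def local_evaluations(tasks, deps):
    """Crisp local evaluation: owner, plus both ends of each outgoing dependency."""
    local = {t: {owner} for t, owner in tasks.items()}
    for dep, (depender, dependee) in deps.items():
        pair = {tasks[depender], tasks[dependee]}
        local[dep] = set(pair)          # the dependency node itself
        local[depender] |= pair         # and the related depender node
    return local


def propagate(tasks, deps):
    """Contextual evaluation: union of actors along outgoing dependency chains."""
    ctx = local_evaluations(tasks, deps)
    relies_on = {n: [] for n in ctx}    # node -> nodes it relies on
    feeds = {n: [] for n in ctx}        # reverse edges, used for re-queuing
    for dep, (depender, dependee) in deps.items():
        for src, dst in ((depender, dep), (dep, dependee)):
            relies_on[src].append(dst)
            feeds[dst].append(src)
    queue = deque(ctx)
    while queue:                        # worklist: stop when nothing changes
        node = queue.popleft()
        merged = set(ctx[node]).union(*(ctx[m] for m in relies_on[node]))
        if merged != ctx[node]:
            ctx[node] = merged
            queue.extend(feeds[node])   # dependers must be re-evaluated
    return ctx


def most_vulnerable(ctx):
    """Nodes whose contextual evaluation names the most actors (assumed ranking)."""
    worst = max(len(actors) for actors in ctx.values())
    return sorted(n for n, actors in ctx.items() if len(actors) == worst)


if __name__ == "__main__":
    result = propagate(TASKS, DEPENDENCIES)
    for name in sorted(result):
        print(f"{name:28} {','.join(sorted(result[name]))}")
    print("most vulnerable:", most_vulnerable(result))
```
        </preformat>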
      </sec>
    </sec>
    <sec id="sec-8">
      <title>Conclusion</title>
      <p>Risk is an important consideration during organizational decision making;
however, there is little discussion of techniques to further support operational risk
analysis in this setting. We outline a general framework for supporting risk
assessment using rich organizational models. We provide an extensible means to
define and incorporate highly configurable risk metrics for evaluation. The
propagation schemes we have proposed reduce analyst involvement over previous
approaches, and allow for iterative and distributed evaluation driven by the
detection of inconsistency. Furthermore, model elements can be ordered across
specific risk-related dimensions to help focus attention on specific
problem-prone areas.</p>
    </sec>
  </body>
  <back>
  </back>
</article>