=Paper= {{Paper |id=Vol-459/paper-5 |storemode=property |title=Risk-Aware Organizational Design |pdfUrl=https://ceur-ws.org/Vol-459/paper5.pdf |volume=Vol-459 }} ==Risk-Aware Organizational Design== https://ceur-ws.org/Vol-459/paper5.pdf
            Risk-Aware Organizational Design

                      George Koliadis and Aditya K. Ghose

                           Decision Systems Laboratory
               School of Computer Science and Software Engineering
                  University of Wollongong, NSW 2522 Australia
                           {gk56,aditya}@uow.edu.au



      Abstract. Operational risk is an important, complex, and difficult criterion
      to consider during any form of organizational decision making. In
      practice, (1) complexity typically arises from: the use of a variety of
      risk-related indicators; the use of multiple heterogeneous measurement scales;
      measurement uncertainty; varying levels of measurement precision; and
      the widespread effect of each measurement; (2) difficulties arise due to
      the time-bound nature of the decision making process and the availability
      and interpretation of risk-related measurements. To help address
      these issues, we propose a conceptual framework to support and minimize
      the level of analyst involvement during the management of operational
      risk specified in organizational models. This is achieved by
      propagating/analyzing risk-related evaluations across descriptions of distributed,
      inter-dependent and mission critical work activities.

      Key words: Operational Risk Management, Organizational Design


1   Introduction

Ad-hoc risk analyses are common within operational decision making [1]. The
bounded nature of choice between alternatives requires time and information to
be rationalized. As such, conceptual tools that help make use of, collect and
disseminate available knowledge are critical. In many cases, precise risk assessment
based on well defined problem specifications or statistical data is infeasible (e.g.
in green-fields and time-bound projects). This may lead to increased levels of
uncertainty with respect to the conditions surrounding some decision to be made.
Efficient and effective techniques are required that allow for the combination of
precise and imprecise assessments when evaluating risk.
    In this paper, we outline a novel framework for propagating measurements
(in a large class of measurement frameworks) across and between descriptions
of inter-dependent work activities specified using a language influenced by the
i* [2] notation and the c-semiring [3] constraint modeling paradigm. This form
of propagation allows us to: determine the effect of an evaluation across an
organization; determine inferred bounds for improved analysis of organizational
models; and determine when and where evaluations are inconsistent and adjust
the evaluations or model to resolve an inconsistency. The examples we illustrate
2      Proceedings of GRCIS 2009

in this paper primarily refer to risk-related measurements, although the tech-
niques we describe can also be deployed to model and analyze many other forms
of measurements (e.g. cost, time, etc.). The theory outlined in this paper is im-
plemented in the ISORROPIA Service Mapping Software Toolkit available for
download at: http://www.isorropia.org/.
    Section 2 provides a background and related work; Section 3 defines a risk
modeling scheme; Section 4 describes risk propagation; we then describe how
to deal with inconsistencies in Section 5; Section 6 describes some modes of
analysis; and, we conclude in Section 7.




           Fig. 1. An Organizational Model of a Transport Organization




2   Background and Related Work

Risk has been studied within many fields including economic theory [1], social
science [4], project management [5], and software engineering [6]. In [7], risk is
defined as “...exposure to a proposition of which one is uncertain” [7], whereby
a self aware individual is uncertain of a proposition if they do not know it to
be true or false, or it is unknown to them, and exposure is defined as the per-
sonal condition of that individual who would care (and has a preference toward)
whether the proposition is either true or false [7].

2.1   Organizational Risk
In organizations, “...governance and decision making are the cause, risk and
reward - the effect or outcome of those decisions” [8]; whereby, governance is
defined as “...finding ways to ensure that decisions are made effectively” [9]
by specifying “...the distribution of rights and responsibilities among different
participants in the corporation, such as the board, managers, shareholders, and
other stakeholders” [10]. Five core elements of risk include [11]: (1) Context, or
the “...environment in which the risk is being viewed” [11]. The context describes
the situation in which the conditions and consequences of a risk have some
bearing, as well as identifying the scope of actions that trigger and can mitigate
a risk. (2) Action, whose ramifications in certain conditions trigger a risk; (3)
Conditions, when in combination with an action trigger a risk; (4) Consequences,
or the potential effect of the action under certain conditions. These may lead to
losses across many diverse attributes ranging from the stability of tasks through
to the co-operation among work groups [12]; (5) Controls, to prevent, detect and
correct the consequences of risk.
    Operational risk is “...associated with the expected outcome of a process”
[11], and is “enterprise-wide... endemic across the institution, affecting every
business activity” [13]. [11] states that increased work distributions “...by their
very nature increase risk”, indicating a structural relationship. In organizational
settings, risk becomes a key attribute for informing analysis and decision making
that should be analyzed and controlled during organizational design.

2.2   Organizational Modeling
Organizational modeling in notations such as the i* framework provides rich
anthropomorphic abstractions for modeling the social, intentional, and strategic
viewpoints of organizational actors. In i*, dependencies such as goals to be
satisfied, soft-goals to be satisficed, tasks to be performed, and resources to be
furnished can be represented to help reason about the optimal delegation of
responsibilities among actors in some organizational context. An actor's internal
motivations and capabilities are represented as an AND/OR goal graph. In this
mode, tasks may be decomposed and alternative means for goals defined with
means-end relationships. In addition, directed links between actors signify that
a depender (i.e. source) actor depends on a dependee (i.e. target) actor for a
dependum (i.e. the node between dependency links).
    Take for example, Figure 1 - An Organizational Model of a Transport Or-
ganization. This model represents the interdependencies between three actors: a
Bond Department; a Sort Facility; and a Regulatory Agency. Dependencies are
represented as goals (ovals) connected to other types of goals (or tasks) via links
labeled with a directional ‘D’. For example, the Bond Department depends on a
Sort Facility to achieve the goal of “Forwarded[Bonded Packages]”. Within the
scope of an actor, goals (or tasks) are decomposed into sub-tasks and goals or
alternative tasks and goals (as represented in the legend in Figure 1).
    In these types of models, risk and uncertainty are left implicit within the
structure of an organization, and can sometimes be catered for within the un-
derlying analysis framework - i.e. i* incorporates a qualitative argumentation
system for reasoning about levels of satisfaction towards soft-goals that has
been extended [14] to cater for certain types of cancelation (relevant to risk
mitigation).


2.3   Risk Modeling as Negative Preferences

Risk is measured by “...the probability of occurrence of loss/gain multiplied by
its respective magnitude” [5]. Within the constraint satisfaction literature,
similar issues relating to the uncertainty of a solution (or partial-solution) have
required the use of soft-constraints, ranked according to probabilistic, fuzzy or
weighted scales. In order to unify soft-constraint paradigms, [3] propose an
abstract c-semiring framework that generalizes the classical (i.e. boolean), fuzzy,
probabilistic and weighted approaches.

Definition 1 (Constraint-Semiring). A c-semiring (as in [3]) is defined as a
5-tuple ⟨A, ⊕, ⊗, 0, 1⟩ with the following properties: A is a set of abstract
(numeric, boolean, or symbolic) preference values and 0, 1 ∈ A; ⊕ is a binary
operator used to compare preference values, which is closed (i.e. if a, b ∈ A, then
a ⊕ b ∈ A), commutative (i.e. a ⊕ b = b ⊕ a), associative (i.e. a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c),
idempotent (i.e. if a ∈ A, then a ⊕ a = a), has a unit element of 0 (i.e.
a ⊕ 0 = a = 0 ⊕ a), and an absorbing element of 1 (i.e. a ⊕ 1 = 1 = 1 ⊕ a);
⊗ is a binary operator used to combine preference values, which is closed (i.e.
if a, b ∈ A, then a ⊗ b ∈ A), commutative (i.e. a ⊗ b = b ⊗ a), associative (i.e.
a ⊗ (b ⊗ c) = (a ⊗ b) ⊗ c), has a unit element of 1 (i.e. a ⊗ 1 = a = 1 ⊗ a), and
an absorbing element of 0 (i.e. a ⊗ 0 = 0 = 0 ⊗ a); ⊗ distributes over ⊕ (i.e.
a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c)). In addition, the comparison operator induces a
partial ordering ≤s such that for all a, b ∈ A, a ≤s b iff a ⊕ b = b.

    Risk measurement attempts to quantify the impact and uncertainty of some
meaningful event. Traditionally, probabilistic and/or qualitative scales can be
used. The c-semiring structure allows us to seamlessly describe and analyze pre-
cise and imprecise evaluations under the same unifying scheme. That is, qual-
itative evaluations do not need to be massaged into the same totally ordered
numeric scheme.
    Take for instance the case where two or more c-semirings have been used
to model the problem at hand. In our instance, we would like to incorporate
multiple risk measures (e.g. one risk measured using a numeric scale R+ and
another measured using a symbolic scale {Low, Med, High}). This has been
briefly discussed in [15] and more deeply discussed in [16]. The simple approach
for combining two c-semiring instances produces another c-semiring instance
(proved by [15]) that is the cartesian product of the abstract preference values,
comparison operators, combination operators, and inclusion of least and most
preferred values as respective tuples.
   The c-semiring structure has been referred to as a negative preference struc-
ture in [17], used to compare and combine the values associated to tuples in the
constraints of constraint satisfaction problems. This structure is a natural candi-
date for modeling risk measurements, as the combination operator monotonically
decreases - i.e. the combination of two risks (occurring simultaneously) is worse
than either of them occurring on their own. The structure also permits a partial
ordering among values to allow for indecision among divergent evaluations.
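
The following Python example is added here and is not code from the paper or from the ISORROPIA toolkit. It implements Definition 1, the numeric scale ⟨R+, min, max, ∞, 0⟩ given in Section 3.1, a {Low, Med, High} scale and their Cartesian product, and shows two evaluations that the combined scale leaves incomparable. The class and function names, the sample values, and the reading of the symbolic operators as "better/worse label under High < Med < Low" are assumptions.

```python
import math
from dataclasses import dataclass
from itertools import product as triples
from typing import Any, Callable, Iterable


@dataclass(frozen=True)
class CSemiring:
    """<A, plus, times, zero, one> from Definition 1 (A is implicit in the values used)."""
    plus: Callable[[Any, Any], Any]   # comparison operator: returns the better value
    times: Callable[[Any, Any], Any]  # combination operator: result is never better
    zero: Any                         # least preferred value
    one: Any                          # most preferred value

    def leq(self, a: Any, b: Any) -> bool:
        """a <=s b (b is at least as preferred as a) iff a plus b = b."""
        return self.plus(a, b) == b

    def comparable(self, a: Any, b: Any) -> bool:
        return self.leq(a, b) or self.leq(b, a)


def product(s1: CSemiring, s2: CSemiring) -> CSemiring:
    """Cartesian product of two scales: every operator acts component-wise."""
    return CSemiring(
        plus=lambda a, b: (s1.plus(a[0], b[0]), s2.plus(a[1], b[1])),
        times=lambda a, b: (s1.times(a[0], b[0]), s2.times(a[1], b[1])),
        zero=(s1.zero, s2.zero),
        one=(s1.one, s2.one),
    )


def satisfies_axioms(s: CSemiring, samples: Iterable[Any]) -> bool:
    """Check the Definition 1 properties on a finite sample of values."""
    vals = list(samples) + [s.zero, s.one]
    for a in vals:
        if s.plus(a, a) != a:                                        # idempotent
            return False
        if s.plus(a, s.zero) != a or s.plus(a, s.one) != s.one:      # unit / absorbing
            return False
        if s.times(a, s.one) != a or s.times(a, s.zero) != s.zero:   # unit / absorbing
            return False
    for a, b, c in triples(vals, repeat=3):
        if s.plus(a, b) != s.plus(b, a) or s.times(a, b) != s.times(b, a):
            return False                                             # commutative
        if s.plus(a, s.plus(b, c)) != s.plus(s.plus(a, b), c):
            return False                                             # associative
        if s.times(a, s.times(b, c)) != s.times(s.times(a, b), c):
            return False
        if s.times(a, s.plus(b, c)) != s.plus(s.times(a, b), s.times(a, c)):
            return False                                             # distributive
    return True


# Numeric scale from Section 3.1: <R+, min, max, infinity, 0>.
NUMERIC = CSemiring(plus=min, times=max, zero=math.inf, one=0.0)

# Symbolic scale. Assumption: the operators pick the better / worse label under
# High < Med < Low, matching least preferred = High and most preferred = Low.
_RANK = {"High": 0, "Med": 1, "Low": 2}
SYMBOLIC = CSemiring(
    plus=lambda a, b: max(a, b, key=_RANK.__getitem__),
    times=lambda a, b: min(a, b, key=_RANK.__getitem__),
    zero="High",
    one="Low",
)

COMBINED = product(NUMERIC, SYMBOLIC)

if __name__ == "__main__":
    x, y = (0.01, "High"), (0.05, "Low")       # constructed sample evaluations
    print(COMBINED.comparable(x, y))            # neither evaluation dominates the other
    both = COMBINED.times(x, y)                 # both risks occurring together
    print(both, COMBINED.leq(both, x), COMBINED.leq(both, y))
```
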
   Given the endemic nature of risk, the broad range of risk attributes (see [12]),
and the application of risk assessments across many inter-related areas within
an organization (e.g. financial, resource, project and software management), a
combined, general and more holistic scheme would help to unify these otherwise
independently structured and applied evaluations.



2.4   Related Work


It is surprising that little attention has been given to organizational risk
analysis within the organizational modeling literature. For example, [2] discusses
techniques for evaluating and analyzing actor criticality and vulnerability within
organizations that may arguably contribute to both the impact and likelihood of
certain classifications of failure. In other work, [18] discuss obstacles and [19]
discuss hazards that may both obstruct the satisfaction of organizational goals,
thus requiring analysis and mitigation. In addition, [20] discuss how quantitative
risk evaluation and analysis can be incorporated into business process models to
help evaluate taxonomic risk.
    In [14] and [21], a goal-oriented and qualitative framework for modeling and
reasoning about the consequences of risk (extending the formal framework of
[22]) is presented. Speculative, hazardous and mitigating risk events and their
contribution (positive and negative) towards organizational objectives can be
clearly modeled. In [23], a goal-oriented, quantitative/probabilistic method for
analyzing risks is presented. In their approach, risks are defined as fault-tree ex-
tensions to the existing NASA Defect Detection and Prevention (DDP) method.
    The approach outlined in this paper aims to support mixed-mode and itera-
tive evaluation of organizational structures with respect to a variety of heteroge-
neous endogenous (i.e. structural) and exogenous (i.e. environmental) risk mea-
surements. As this task is knowledge intensive, we present a scheme to minimize
analyst involvement by propagating evaluations across evolving organizational
models. Our application is also primarily targeted toward risk analysis, although
it could also be used in other settings. This permits improved visibility for risk
related (and other) factors across an entire organizational model, even when the
model is only partially evaluated.

3      Modeling Risk within Organizational Models
Risk evaluations are annotated to functional goal or task nodes on an
organizational model. These evaluations choose values from a combined instance of a
c-semiring risk scale. This evaluation provides a coarse-grained measure of the
risk of a deviation to the annotated node.

Definition 2 (Risk Evaluation). Let R = ⟨M, S, S_low, S_upp⟩ be a risk
evaluation such that: M ∈ {Normative, Descriptive} indicates the mode of an
evaluation; S = ⟨A, ⊕, ⊗, 0, 1⟩ is a combined c-semiring scale we are using to
measure the risk of a functional deviation, and this scale may be a composition
of multiple scales/dimensions for each finer-grained deviation; S_low is a value
from S (possibly an n-tuple) that indicates the lower bound on some evaluation,
and states that the evaluation cannot get any worse than the designated value;
S_upp is a value from S (also possibly an n-tuple) that indicates the upper bound
on some evaluation, and states that the evaluation cannot get any better than
the designated value; and, S_low ≤s S_upp (under the partial ordering ≤s induced
by comparison operator ⊕).

3.1     Examples
The approach we have discussed for structuring risk evaluations can be used
to capture and analyze endogenous (i.e. structural) as well as exogenous (i.e.
environmental) risk under the same unifying scheme.
    Exogenous risk exists outside the organizational model and is annotated (by
an analyst) to describe the risk of a functional deviation. For example, a common
scale attempts to measure risk as a real (R+) number. Let the risk indicator for
some undesirable event be ⟨R+, min, max, ∞, 0⟩, where:

    – a value from R+ signifies the risk of a functional deviation measured as a
      positive real number;
    – the better value when two risk values are compared (a ⊕ b) is defined as the
      min of those values;
    – the result of a combination between the two risk values (a ⊗ b) is the max
      risk between them;
    – the least preferred value is ∞; and,
    – the most preferred value is 0.

    Such a risk indicator could effectively be used where statistical information
is available, for example for the risk of an untimely operation, where the
timeliness of a result has been previously monitored. Another instantiation could be
⟨{Low, Med, High}, cpI, cbI, High, Low⟩, where:

    – a value from {Low, Med, High} signifies the risk of a functional deviation;
    – a comparison between two values will result in the best value given the
      ordering: High s Supp or Slow   s Suppj ); conceiv-
ably better (Suppi >s Suppj , Slowi ≥s Slowj ); incomparable, (Suppi ≥s Suppj and
Slowi ≤s Slowj ). Ordering model elements in this way can help to identify areas
of the model that are more prone to risk (i.e. a risk portfolio), and therefore
requiring specific attention.

6.2   Evaluation and Propagation
Below, we illustrate two examples of evaluation and propagation. In Tables 1
and 2, we will use “u|l” to signify the upper and lower bounds of an evaluation.

Propagating Precise Risk Measures in Figure 1. Table 2 summarizes the
local (L) and contextual (C) evaluations for one normative (i.e. L(N) and C(N))
and one descriptive (i.e. L(D) and C(D)) evaluation. The local evaluations
describe the immediate evaluation of a node, prior to propagating the evaluation in
order to contextualize the evaluation of other nodes in a model. Contextualized
evaluations are inferred from the local evaluations, the structure of the model and
the propagation procedure used. In this example, an initial Normative evaluation
at the Manage[Package Routing] node was provided, indicating that the
aforementioned risk should only ever have a risk value within the range [0, 0.01]. The
prominence of the node resulted in the evaluation being propagated to every
node in the model (for brevity we have only included interesting evaluations
in Table 1). Next, the Receive[Package] node was evaluated with a descriptive
evaluation of 0.05, resulting in propagation to the Released[Cleared Packages]
and Release[Packages] nodes. As a result, the descriptive evaluations at these
nodes have been determined to be inconsistent with the normative evaluation,
requiring resolution.

                           Table 1. Failure Likelihood of Figure 1

                    Node                         L (N)   C (N)   L (D)     C (D)
                    Release[Packages]            0|∞     0|.01   0|∞       0|.05
                    Manage[Package Routing]      0|.01   0|.01   0|∞       0|∞
                    Receive[Package]             0|∞     0|.01   .05|.05   .05|.05
                    Released[Cleared Packages]   0|∞     0|.01   0|∞       0|.05
                    ...

Propagating Vulnerability Measures in Figure 1. The vulnerability of a
node is defined as the set of actors it depends on, including the owner of the
node. In the setting we have described, local evaluation, propagation, and
inconsistency resolution can be completely automated. Although the contextual
evaluation of a node (as in the previous example) can be determined using other
mechanisms (e.g. simple graph traversal), we would like to illustrate how these
evaluations can be determined using the simple and general scheme for
propagating evaluations that we have described. We start by approximating bounds.
Naturally, the upper bound of each dependency (and related depender node)
receives a value consisting of the depender and dependee actors. This indicates
that these nodes are vulnerable to at least this degree. All other nodes receive an
upper bound value consisting of the actor who owns the node. The lower bound,
on the other hand, may either: receive the entire domain of actors in the model
- limiting the possibility for further propagation; or, receive the value of the
upper bound as a strong approximation that is resolved using an inconsistency
resolution strategy (e.g. the cautious strategy). Table 2 summarizes the results
of the local evaluation and propagation of vulnerability across Figure 1 in the
case of a strong approximation. For brevity we have only included a subset of
the nodes and their evaluations.


                      Table 2. Vulnerability Analysis of Figure 1

             Node                         Local          Contextual
             Handle[Bonding Duties]       BD|BD          BD,SF|BD,SF
             Handled[Package]             RA|RA          RA|RA,BD
             Manage[Package Routing]      SF|SF          SF|SF,RA,BD
             Routed[Packages]             SF|SF          SF|SF,RA,BD
             Sort[Package]                SF,RA|SF,RA    SF,RA,BD|SF,RA,BD
             Received[Package]            SF|SF          SF|SF,BD
             Handled[Package Clearance]   SF,RA|SF,RA    SF,RA,BD|SF,RA,BD
             ...




    In this example, each node was assigned a crisp local evaluation indicating
the immediate vulnerability of that node with respect to outgoing dependencies.
For example, the Sort[Package] task was given an evaluation of “SF,RA|SF,RA”
since it is owned by the Sort Facility (SF) and depends on the Regulatory
Authority (RA). The result of the propagation finally indicated that the Sort[Package]
and Handled[Package Clearance] nodes are the most vulnerable in our
Transport Organization.


7    Conclusion

Risk is an important consideration during organizational decision making;
however, there is little discussion of techniques to further support operational risk
analysis in this setting. We outline a general framework for supporting risk
assessment using rich organizational models. We provide an extensible means to
define and incorporate highly configurable risk metrics for evaluation. The
propagation schemes we have proposed reduce analyst involvement over previous
approaches, and allow for iterative and distributed evaluation driven by the
detection of inconsistency. Furthermore, model elements can be ordered across
specific risk-related dimensions to help in focusing attention on specific
problem-prone areas.


References
 1. Knight, F.H.: Risk, uncertainty and profit. Hart, Schaffner, and Marx Prize Essays,
    no. 31. Houghton Mifflin, Boston and New York (1921)
 2. Yu, E.: Modelling Strategic Relationships for Process Reengineering. PhD thesis,
    Graduate Department of Computer Science, University of Toronto, Toronto (1995)
 3. Bistarelli, S., Montanari, U., Rossi, F., Schiex, T., Verfaillie, G., Fargier, H.:
    Semiring-based csps and valued csps: Frameworks, properties, and comparison.
    Constraints 4(3) (1999) 199–240
 4. Anderson, E.L., ed.: Risk Analysis - An International Journal. Blackwell Publishing
    (1981-)
 5. Jaafari, A.: Management of risks, uncertainties and opportunities on projects: time
    for a fundamental shift. International Journal of Project Management 19(2) (2001)
    89–101
 6. Boehm, B.W., DeMarco, T.: Software risk management. IEEE Software 14(3)
    (1997) 17–19
 7. Holton, G.A.: Defining risk. Financial Analysts Journal 60(6) (2004) 19–25
 8. Shaw, J.C.: Corporate Governance and Risk - A Systems Approach. John Wiley
    and Sons Inc, Hoboken, New Jersey (2003)
 9. Pound, J.: The promise of the governed corporation. Harvard Business Review
    73(2) (1995)
10. Mathiesen, H.: The encyclopedia about corporate governance.
    http://www.encycogov.com (2006)
11. Alberts, C.J.: Common elements of risk. Technical report, Carnegie Mellon Uni-
    versity, Software Engineering Institute, TN-014 (2006)
12. Gallagher, B.P., Case, P.J., Creel, R.C., Kushner, S., Williams, R.C.: A taxon-
    omy of operational risks. Technical report, Carnegie Mellon University, Software
    Engineering Institute, TR-036 (2005)
13. Alvarez, G.: Operational Risk. Risk Books (2005)
14. Asnar, Y., Giorgini, P.: Modelling and analysing risk at organizational level. Tech-
    nical report, University of Trento, DIT-06-063 (2006)
15. Bistarelli, S.: Soft Constraint Solving and Programming: a General Framework.
    PhD thesis, Computer Science Department, University of Pisa (2001)
16. Harvey, P., Ghose, A.K.: Relaxation of soft constraints via a unified semiring. In:
    Proceedings of the 2006 Canadian National Conference on Artificial Intelligence.
    (2006)
17. Bistarelli, S., Pini, M.S., Rossi, F., Venable, B.: Positive and negative preferences.
    In: Proceedings of the 7th International Workshop on Preferences and Soft Con-
    straints. (2005)
18. van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements
    engineering. IEEE Transactions on Software Engineering 26(10) (2000) 978–1005
19. Supakkul, S., Chung, L.: Applying a goal-oriented method for hazard analysis: A
    case study. In: Proceedings of the Fourth International Conference on Software
    Engineering Research, Management and Applications, Los Alamitos, CA, USA,
    IEEE Computer Society (2006) 22–30
20. zur Muehlen, M., Rosemann, M.: Integrating risks in business process models. In:
    Proceedings of the 16th Australasian Conference on Information Systems, Sydney
    (2005)
21. Asnar, Y., Giorgini, P.: Risk analysis as part of the requirements engineering
    process. Technical report, University of Trento, DIT-07-014 (2007)
22. Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, J.: Formal reasoning
    techniques for goal models. In: Journal on Data Semantics. Springer Berlin /
    Heidelberg (2003) 1–20
23. Feather, M.S.: Towards a unified approach to the representation of, and reasoning
    with, probabilistic risk information about software and its system interface. In:
    Proceedings of the 15th International Symposium on Software Reliability Engi-
    neering (ISSRE’04). (2004)