
In this blog entry we brainstorm ideas on integrating risk management into Business Process Management Systems (BPMS), such as SAP Netweaver BPM or SAP Business Workflow. Proactively managing risk from within a business process management system has not drawn much attention yet, although the financial crisis has shown how crucial it is to manage the risk of your assets. There is little tool support for managing risk while business processes are running, and, more importantly, none of the existing tools focus on business users or pay particular attention to usability. We propose here a system for control-flow oriented risk evaluation: it takes the potential future execution paths defined in the business process models into account to calculate the risk exposure of each running process instance, and appropriate actions can be defined in the system to handle risk incidents.

Scenario: The Loan Origination Process

Risk is an integral part of management, and not only since the financial crisis, where proper risk management can save billions. Surprisingly, risk management has not yet been considered in business process management systems. We take a simplified loan origination process as the example for our approach (see the following figure). The concepts are generic, however, and can be extended to any business process that can be modeled using BPMN or any other modeling notation.


A loan origination is a business process that formalizes, evaluates and possibly accepts a Customer (C) request for a Loan Amount (LA). The Bank (B) carries out a careful evaluation of the customer’s creditworthiness through internal mechanisms and by requesting assurance from external agencies called Credit Bureaus (CB). A credit bureau is a third-party business partner of a financial institution that processes, stores and safeguards credit information of physical individuals or industrial companies. Credit bureaus gather data from various sources and cross-check and match the data for accuracy. Some of these sources are publicly available records (courts and deeds offices) and credit account details (from credit granters or subscribers). Credit granters in turn are companies such as banks, retailers and any other organizations whose business is credit. They are also called “subscribers” because they subscribe to the credit bureau in order to collect, submit, use and share the information held in its database management systems. They use the information from the credit bureau to decide whether or not to grant credit, according to their own credit-granting policies. External insurance companies can provide additional insurance for the credit.

Risk Rules

Let us assume the possible event (initiating event) that the creditworthiness of customers has been re-evaluated (e.g. due to the economic crisis). It would be risky to grant credit without taking this re-evaluation into account (risk event). However, we cannot simply treat all loan process instances the same. For loans with a low amount (e.g. 1000 Euro) we proceed as normal, because the potential loss is low (below the risk threshold) and the cost of stopping these processes is not justified. For loans with a high amount (e.g. 1 million Euro), and thus a high impact, we stop or restart the process so that the changed conditions are taken into account. One example rule which can be applied to the loan origination process:

  • Initiating event: Creditworthiness of customers has been re-evaluated
  • Risk event: Granting large Credit
  • Threshold: Risk > 1000 Euro
  • Impact: 100.000 Euro
  • Action: Stop Processes


This rule does not look much different from a normal business rule. For a proper risk evaluation we also have to take into account how probable it is that the risk event (e.g. “Granting Credit”) occurs. This probability can be calculated from the process model, which describes all possible executions of a process, and from supplementary data (e.g. process event logs). Thus the rule can fire even before the risk event happens (i.e. we can prevent the credit from being granted) in order to mitigate the risk.

Evaluating Risk Rules against Executed Business Processes

Once the risk rule is defined we want to evaluate it during the execution of business processes. There can be several instances of a business process, and these instances are subject to different risk exposure depending on their state. The evaluation is based on the process model: different execution paths have different probabilities, and depending on the path taken the risk differs. There are different ways to determine these probabilities: process mining (i.e. based on previous executions), simulation, manually entered probabilities, etc. The risk of an instance is the probability that it reaches the risk event multiplied by the impact defined in the risk rule. If the risk of an instance exceeds the threshold we can initiate counter-measures, such as stopping the instance or initiating mitigating processes (e.g. renegotiation of the contract).

Let us illustrate this with a small example (cf. process model in previous section):

We assume that the rating of insurances has been re-evaluated (e.g. it turns out that insurance will become much more expensive in the future). In particular, the special insurances for loans with a large amount are affected.

We have the following Risk Rule:

  • Initiating event: Rating of insurance has been re-evaluated
  • Risk event: Special Additional Insurance
  • Impact: 100.000 Euro
  • Threshold: 7.000 Euro
  • Action: Stop Processes


The credit bureau is currently executing the activity “Customer Assessment” for the instance. The probability that the regional manager will afterwards evaluate regional criteria for the loan is 40% (i.e. there is a 40% probability that this execution path will be taken). The probability that a special insurance then needs to be taken into account is 20% (i.e. given the regional criteria path, there is a 20% probability that this execution path will be taken).

We calculate the risk as follows:

W = 0,4 (probability of the regional criteria execution path) * 0,2 (probability of the special insurance execution path) = 0,08 = 8 %

Risk = W * Impact = 0,08 * 100.000 = 8.000 Euro

This is over the threshold of 7.000 Euro and thus the process instance is stopped.

The idea in a nutshell – Control-flow oriented Risk Evaluation

We designed a system for control-flow oriented risk evaluation and motivated it with a loan origination process. The system consists of two components:

  • Risk Rule Engine: defines the risk rules that need to be monitored over the currently executing business processes. It takes probabilities from various sources (e.g. process event logs or simulation engines).
  • BPM Engine: defines, executes and monitors your processes, for example SAP Netweaver BPM or SAP Business Workflow. The business process engine is the component in charge of executing process instances: an executable business process is deployed as an application so that the engine can instantiate and run it.

We illustrate in the following figure how the system works. At design time the business analyst describes the process and the risk management rules and annotates the business process with probabilities, so that the risk exposure can be measured at runtime. The process can also be annotated automatically using results from previous process executions, simulations etc. The modeled process is executed at run-time and the risk rule engine monitors initiating events. When such an event occurs, it evaluates the running process instances with respect to their risk exposure. If the risk of an instance is over the threshold, various actions can be taken (e.g. calling a service to stop that process instance).
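To make the two components concrete, here is an added example that is not code from the original post or from SAP: a small Python model of the risk rule engine. It covers both the worked insurance example above (probability of reaching the risk event along the future execution paths, times impact, compared against the threshold) and the "probabilities from process event logs" input of the Risk Rule Engine. The activity names, the constructed 25-trace event log, the instance ids and the loan-amount filter are assumptions for illustration only; a real BPM engine would supply the log and the instance states through its own API.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- Constructed sample data (assumed for illustration, not from the page) ----
# Activity names of the simplified loan origination process.
REQUEST, ASSESS, REGIONAL, INSURANCE, DECIDE = (
    "Loan Request", "Customer Assessment", "Regional Criteria",
    "Special Additional Insurance", "Credit Decision",
)


def build_sample_log() -> List[List[str]]:
    """Constructed event log: each trace is the ordered list of activities one
    finished instance executed. 10 of 25 traces take the regional path (40 %)
    and 2 of those 10 needed the special insurance (20 %), reproducing the
    figures of the worked example."""
    log = []
    for i in range(25):
        if i < 2:
            log.append([REQUEST, ASSESS, REGIONAL, INSURANCE, DECIDE])
        elif i < 10:
            log.append([REQUEST, ASSESS, REGIONAL, DECIDE])
        else:
            log.append([REQUEST, ASSESS, DECIDE])
    return log


def mine_branch_probabilities(log: List[List[str]]) -> Dict[str, Dict[str, float]]:
    """Process-mining step: for every activity, the relative frequency of each
    successor observed in the log, i.e. a transition-probability table."""
    counts = defaultdict(Counter)
    for trace in log:
        for src, dst in zip(trace, trace[1:]):
            counts[src][dst] += 1
    return {src: {dst: n / sum(c.values()) for dst, n in c.items()}
            for src, c in counts.items()}


def reach_probability(model: Dict[str, Dict[str, float]], current: str,
                      target: str, _on_path=frozenset()) -> float:
    """Probability that an instance whose next activity is `current` executes
    `target` at some later point, summed over all execution paths (not just the
    single path of the worked example). Assumes an acyclic model; a loop raises
    instead of recursing forever."""
    if current == target:
        return 1.0
    if current in _on_path:
        raise ValueError(f"cycle through {current!r}: acyclic model assumed")
    on_path = _on_path | {current}
    return sum(p * reach_probability(model, nxt, target, on_path)
               for nxt, p in model.get(current, {}).items())


@dataclass(frozen=True)
class RiskRule:
    initiating_event: str
    risk_event: str               # activity whose execution realizes the risk
    impact: float                 # Euro lost if the risk event happens
    threshold: float              # Euro of exposure above which `action` fires
    action: str
    min_loan_amount: float = 0.0  # smaller loans are left alone (assumed filter)


@dataclass(frozen=True)
class ProcessInstance:
    instance_id: str
    current_activity: str         # activity the instance is about to execute
    loan_amount: float


def evaluate_rule(rule: RiskRule, model: Dict[str, Dict[str, float]],
                  instances: List[ProcessInstance]) -> Dict[str, Tuple[float, float, str]]:
    """Run when `rule.initiating_event` is observed. Returns, per instance,
    (probability of the risk event, risk exposure in Euro, decided action)."""
    result = {}
    for inst in instances:
        if inst.loan_amount < rule.min_loan_amount:
            result[inst.instance_id] = (0.0, 0.0, "continue")
            continue
        p = reach_probability(model, inst.current_activity, rule.risk_event)
        exposure = p * rule.impact
        action = rule.action if exposure > rule.threshold else "continue"
        result[inst.instance_id] = (p, exposure, action)
    return result


# The risk rule of the worked example (loan-amount filter is an assumption).
INSURANCE_RULE = RiskRule(
    initiating_event="Rating of insurance has been re-evaluated",
    risk_event=INSURANCE, impact=100_000, threshold=7_000, action="stop",
    min_loan_amount=50_000,
)

# Constructed running instances in different states.
INSTANCES = [
    ProcessInstance("L-1", ASSESS, 1_000_000),   # the instance of the worked example
    ProcessInstance("L-2", REGIONAL, 250_000),   # already on the regional path
    ProcessInstance("L-3", DECIDE, 900_000),     # insurance step can no longer be reached
    ProcessInstance("L-4", ASSESS, 1_000),       # small loan, below the filter
]


def run_demo() -> Dict[str, Tuple[float, float, str]]:
    model = mine_branch_probabilities(build_sample_log())
    return evaluate_rule(INSURANCE_RULE, model, INSTANCES)


if __name__ == "__main__":
    for inst_id, (p, exposure, action) in run_demo().items():
        print(f"{inst_id}: P(risk event)={p:.2%}  exposure={exposure:,.0f} EUR  -> {action}")
```

Instance L-1 reproduces the 0,4 * 0,2 * 100.000 = 8.000 Euro of the worked example and is stopped; L-2 is further along the risky path and has a higher exposure; L-3 has passed the point where the insurance could still be needed, so its exposure is zero; L-4 is skipped by the amount filter, which is the "small loans proceed as normal" rule from the Risk Rules section. Summing over all paths rather than following one path matters as soon as the risk event is reachable via several branches.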

Conclusion and Future Work

We presented here concepts for integrating risk management into the process engine. Dedicated risk rules are defined, and the currently running process instances are evaluated for risk when an initiating event occurs. Measures can be taken when the risk of an instance exceeds a threshold. At the moment we find only proposals for modeling risk in business processes, but without risk evaluation at run-time [1].

We see the following perspectives for future work:

  • Integration into case-based or artifact-based process management paradigms [2,3] and extension to the inter-organizational level
  • Risk-aware resource scheduling in business processes, to manage the assignment of resources according to the risk of violating separation-of-duty, binding-of-duty and privacy rules
  • Benefiting from SAP HANA technology to do risk evaluations in real time
  • A risk dashboard for simple management of process-related risk. We are working on a method to visualize risk in a simple way for the business user.

We are looking for your comments!

What do you think about managing the risks using our proposed system? Please comment if you like the idea and would like to see a proof-of-concept in the future.

The following people work on this project:


[1] Michael zur Mühlen and Michael Rosemann. Integrating risks in business process models. In 16th Australasian Conference on Information Systems, 2005

[2] OMG, Case Management,

[3] K. Bhattacharya, N. S. Caswell, S. Kumaran, A. Nigam, and F. Y. Wu. “Artifact-centered operational modeling: Lessons from customer engagements.” IBM Systems Journal, 46(4):703-721, 2007




    1. Former Member Post author
      Hi Norman,

      thanks for your interesting question. I think it is quite complementary to the existing solution. However, I am not a specialist in the whole solution. It can be useful to derive probabilities for risk from SAP’s risk management solution. Maybe we can also utilize the firefighter solution, so that only certain business users can define risks and monitor them. Clearly, the other roles are also important, e.g. risk owner or process owner. I could imagine that it is also possible to automatically annotate business processes with risk based on the risks already defined in the GRC solution. It should be as easy and transparent as possible for the business user.

      These are first thoughts 😉



  1. Former Member
    I am unclear as to how the process manager overlaps in several SAP products. One is GRC, which is about to launch a banking-specific operational risk version, and the other is Event Insight, which is bundled with process management capabilities. Are they the same process engines? We also have Business Analytics enterprise risk reporting for banking and Solvency II and ERM for insurance, not to mention SAP for Basel II….
    1. Former Member Post author

      yes, there are several BPM solutions in SAP:
      * SAP Netweaver BPM (cross industries)
      * SAP Business Workflow (ERP)
      * …

      They are not the same process engines. This also has historical reasons. The idea here was not to execute compliance-specific processes (Basel II…), but to evaluate any process executed by a business process engine with respect to the current risk. This goes beyond modeling of risk or mapping of processes: it monitors the execution of any process and evaluates the current risk given the current facts.

      Let me know if you have more questions.

      Best regards,


  2. Former Member
    How can we calculate the probability of an event occurring in a business process? Do we have metrics or benchmarking values? One thing that I find hard is to calculate the probability of an event. Do we have independent studies (Gartner, Forrester, IDC, etc.) that can support our business case when we present risk issues to a customer?

    Sorry if this is not the right place to put these questions…

    1. Former Member Post author
      Hi Vitor,

      this place is the right place to ask and discuss these questions! 🙂 The purpose of the blog was to have a discussion about these topics. The probability of an event occurring can be derived from the process model – we have alternative execution paths. For each alternative execution path there are different possibilities to define the probability:
      * past executions of the business process – this is the easiest, because every BPM engine produces log files of past executions
      * simulation (requires some expertise)
      * manually / based on mathematical assumptions (using the right density functions etc.) => see also Six Sigma

      I mentioned several research papers in the blog that describe the benefits of modeling and managing risk using business process models. If you, for example, see risk cases where a bank can go bankrupt (e.g. Lehman Brothers), then you want to evaluate the risk of the affected business processes. What exact business case do you refer to? I think risk is an important topic for every customer (cf. also Six Sigma).



      1. Former Member Post author
        Some of the possibilities for calculating risk probabilities may require SAP HANA, because they involve a huge amount of data.
      2. Former Member
        Hi Frank,

        Risk is an important topic, but most Portuguese customers, who very often do not have their business processes correctly mapped, have no sensibility to this topic. So my original question can be split into 3 questions:

        1- Do we have KPIs or benchmarking values to present to customers, stating the risk of failure of a process like Order to Cash, invoice payment and others?

        2- For us as SAP employees, do we have a tool that can help to predict the probability of an event?

        3- Is there any Xcelsius dashboard with the main risk KPIs for business?

        1. Former Member Post author
          Hi Vitor,

          ad 1) I do not know whether SAP offers this out of the box. I think you can get this information from SAP consulting. It is very specific to the processes of the company. I assume that there are some industry-specific benchmarks (e.g. for banks).

          ad 2 and 3) see 1) and the BusinessObjects GRC solution:



        2. Former Member
          With respect to dashboards and Xcelsius, the SAP BusinessObjects Risk Management (RM) solution includes dashboards, and partners such as su53 have created Xcelsius dashboards based on the data in RM.
    2. Former Member
      Although there are models that people use to calculate probability, generally based on history, judgement is key – and it usually will come down (IMHO) to what people think. The models don’t always work well; just look at the models used to predict home prices.
