The execution of tasks in a business process is often subject to risks, defined as the product of the probability of a threat (i.e., a risk-inducing event) and its potential impact. These threats may stem from internal process failures or external disruptions, and their effects can propagate depending on process structure. Although existing business process management (BPM) approaches incorporate risk assessment, they typically analyze risks at the task level, neglecting the influence of control-flow dependencies on overall process risk. In this paper, we propose a formal method to estimate aggregated risk at the levels of individual tasks, execution traces, and entire business processes. The method assumes risk events are independent and each threat affects only one task, which allows tractable computation of risk via the inclusion-exclusion principle. We also provide formal properties of the risk aggregation and demonstrate the approach’s scalability and effectiveness through experiments on synthetic process models exhibiting common control-flow patterns, including SESE structures.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Formal Methodology for Risk Estimation in Business Process Management

  • Matteo Cristani,
  • Tewabe Chekole Workneh,
  • Claudio Tomazzoli,
  • Federica Paci

摘要

The execution of tasks in a business process is often subject to risks, defined as the product of the probability of a threat (i.e., a risk-inducing event) and its potential impact. These threats may stem from internal process failures or external disruptions, and their effects can propagate depending on process structure. Although existing business process management (BPM) approaches incorporate risk assessment, they typically analyze risks at the task level, neglecting the influence of control-flow dependencies on overall process risk. In this paper, we propose a formal method to estimate aggregated risk at the levels of individual tasks, execution traces, and entire business processes. The method assumes risk events are independent and each threat affects only one task, which allows tractable computation of risk via the inclusion-exclusion principle. We also provide formal properties of the risk aggregation and demonstrate the approach’s scalability and effectiveness through experiments on synthetic process models exhibiting common control-flow patterns, including SESE structures.