    R-BPM: A Risk-Aware Business Process Management Methodology

    In the pursuit of agility, economy and quality in their processes, a growing number of companies have adopted Business Process Management (BPM) techniques. However, even when managed, processes may face risks that can strongly impact the organization's objectives if these risks are not managed appropriately. This article aims to build and evaluate a methodology for performing risk management in business processes in an integrated manner with the BPM life cycle. The methodology, called R-BPM, consists of a phase model and a supporting tool. It is inspired by the COSO risk management framework and was built using the Design Science Research strategy. To evaluate the methodology, it was applied in an organization experienced in BPM and assessed through a survey of researchers and specialists in the field. The results show that the methodology allows risk management activities to be carried out together with the BPM life cycle. The integration of risk activities and business processes optimizes resources and provides a holistic view of business processes and their associated risks.

    An internal fraud model for operational losses: an application to evaluate data integration techniques in operational risk management in financial institutions

    The handling of external operational loss data by individual banks is one of the longstanding problems in risk management theory and practice. The extant literature has not provided a method to identify the best way to combine internal and external operational loss data to calculate operational risk capital. Hence, to improve the knowledge and understanding of internal-external data combination in operational risk management, this study applied a simulation-based evaluation of well-known data combination techniques such as the scaling, the Bayesian, and the covariate-based techniques. This research considered operational losses arising from internal fraud in retail banking within a group of international banks that share data through an operational loss data exchange. One of the key elements of the simulation-based statistical evaluation was the development of a dynamic internal fraud model for operational losses in retail banking. The internal fraud model incorporated human factors such as the number of employees per branch and the ethical quality of workers. It also included the extent of risk controls set by bank managers. There were two sets of findings. First, according to the simulation-based evaluation, the scaling technique was by far the least useful for estimating the appropriate operational risk capital. The Bayesian and the covariate-based techniques performed best. The Bayesian technique was the best for higher percentiles, while the covariate-based technique was the best at less extreme quantiles. The choice of technique therefore depends on the risk appetite of the financial institution. The second set of findings relates to the model validation with hard data. Losses generated by the model in the banks across the world were associated with GDP growth and the corruption perception of the country where the banks were located. In general, internal fraud losses are pro-cyclical, and the corruption perception in a country positively affects the occurrence of internal fraud losses. When a country is perceived as more corrupt, retail banking in that country will feature more severe internal fraud losses. To the best of our knowledge, this is the first time in the operational risk literature that this type of result is reported.

    The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

    Banks rely heavily on information security (IS) by preserving confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA in promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and on identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, the Czech Republic, Hungary, Slovakia, and Romania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, as well as the Knowledge-Attitude-Behavior model. The data were analyzed by utilizing partial least squares structural equation modeling (PLS-SEM).
In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which in turn positively affects employees' attitudes and social norms toward compliance with ISPs, but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS. This is shown in the chain of subsequent factors: the employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role in positively affecting the intention for compliant IS behavior. Surprisingly, employees' perception of ISA programs negatively affects perceived vulnerability. Moreover, perceived monitoring has a positive moderation effect on the intention-behavior link. Finally, the fourth research stage consists of a qualitative study to analyze the efforts of IS managers to enhance IS and examine how these efforts are perceived by users. Further, the inductive part of the study uncovers factors that influence the compliant IS behavior of users. Therefore, semi-structured interviews with IS managers were carried out to discover ISA program designs and categorize them according to design recommendations gained from current literature.
In addition, this stage shows that individual ISP compliance seems to be connected with individual perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. To conclude, this dissertation provides several practical as well as theoretical contributions. From an academic perspective, the findings highlight the importance of attitudes, social norms, neutralization techniques, as well as coping mechanisms for employees' intentions to comply with their ISP. Future research might extend the findings by establishing and characterizing IS-enhancing social norms and exploring methods of counteracting the common use of neutralization techniques. For practitioners, analysis of the design practices of ISA programs provides a better understanding of effectively using ISA interventions in the context of banks. (author's abstract)

    Model-Driven Engineering of Robust Steering of the Medication Management Process

    One of the main challenges for hospitals today is to control the risks related to medication errors during the patient's medication management process (Prise En Charge Médicamenteuse, PECM). To support health professionals on this path, several risk management methods and an accompanying culture exist. The use of some of them is recommended by the Haute Autorité de Santé; among these is the ALARM method (Association of Litigation And Risk Management). Our analysis of it, in theory and in practice, allowed us to establish its limitations. Indeed, neither it nor the other known methods characterize the dynamics of risk, any more than they provide a fine-grained explanation of the contexts that generate it. To progress towards a more effective approach, we advocate the use of an integrated approach to risk and business process management. With this in mind, our research aims to improve the BPRIM method (Business Process-Risk management – Integrated Method) developed in the doctoral work of A. Sienou. This improvement consists of: (1) enriching the BPRIM meta-model, the modeling language and the associated diagrams; (2) integrating navigation techniques to ensure consistency between these diagrams; and (3) integrating algorithms for model verification, analysis, assessment and risk mapping. Our work gave rise to a modeling software tool, called AdoBPRIM, which implements the method using model-driven engineering techniques and follows an agile development method. To show the usefulness and contributions of the proposed approach, we put it to the test on a real case study with qualified professionals in a healthcare institution. This study made it possible to position our framework, named e-BPRIM, relative to current practice in experience-feedback meetings held after adverse events, and thus to verify the validity of applying our approach and to measure the value of the idea of resorting to a more intensive use of system models.

    Strategic GRC Management: Requirements, Research Agenda and Data-Centred Model

    "Governance, Risk and Compliance" (GRC) is currently taken up predominantly as a buzzword and implemented through isolated, short-term initiatives. The integration possibilities and the strategic significance of GRC are insufficiently recognized, so that potential benefits and possible synergies cannot be realized. Although initial integrated GRC approaches exist, the topic has so far been poorly structured. This thesis therefore develops a general understanding of an integrated and strategically oriented management of GRC, referred to as strategic GRC management. For this purpose, requirements are derived, the state of research is analyzed, and a research agenda is developed. The requirements and research needs are prioritized through a Delphi study. A data-centred model represents the structural relationships of GRC at the information level.

    GRC as an acronym for governance, risk and compliance is currently looked at as a catchword and implemented with short-term, isolated initiatives. GRC is more often considered to be a burden for the business, and the opportunities for integration as well as the strategic relevance of the topic are not recognized, which makes it difficult to realize potential benefits and synergies. Even though first GRC approaches exist, the overall topic area remains quite unstructured and is not narrowed down precisely. Detailed questions which are relevant for the topic area, like automation of compliance controls and risk measures, modeling of GRC information as well as the determinants of compliance behavior, cannot be sorted into their overall context. The research work at hand therefore aims to establish a basic understanding of an integrated and strategically oriented GRC management, which is called strategic GRC management. For this purpose, this research identifies requirements for such an approach based on an exhaustive and structured literature review, discusses the current state of research in this field and develops a research agenda. These research results are evaluated with a three-round Delphi study, which at the same time determines the importance of the requirements and the research needs and thereby enables their prioritization. Furthermore, a data-centred model for strategic GRC management, which depicts the structural relationships of GRC on the level of its information, is constructed. The data model is demonstrated based on an example and evaluated using published practical examples. This research work provides, specifically with the research agenda, various research opportunities. The requirements and the data-centred model enable the assessment and further development of GRC-related management systems in company practice.

    GRC, as an acronym for "Governance, Risk and Compliance", is currently taken up in corporate practice predominantly as a buzzword and implemented through isolated, short-term initiatives. GRC is mostly seen as a burden, and the integration possibilities as well as the strategic significance of the topic are insufficiently recognized, so that potential benefits and possible synergies cannot be exploited. Although initial integrated GRC approaches exist, the topic has so far been poorly structured and its delimitation remains vague. Relevant detailed questions, such as the automation of compliance assurance and risk control, the modeling of GRC information, and the determinants of compliance behavior, can only be placed into the overall context with difficulty. This thesis therefore pursues the goal of establishing a general understanding of an integrated and strategically oriented management of GRC, referred to as strategic GRC management. For this purpose, requirements for strategic GRC management are derived on the basis of an extensive literature review, the state of research is analyzed in a structured way, and a research agenda is developed. These research results are validated by a Delphi study consisting of three survey rounds. The study also determines the importance of the individual requirements and research needs, which enables a prioritization. In addition, a data-centred model for strategic GRC management is developed that represents the structural relationships of GRC at the information level. The data model is demonstrated by means of an example and evaluated with the help of an analysis of published practical examples. Through its research agenda, the thesis provides a variety of starting points for further research. The requirements and the data-centred model enable an assessment and further development of GRC management in corporate practice.