We present rISk-arounD, an enterprise-wide framework for modeling risks and workarounds in conformity with ISO 9001.
Our contribution suggests that:
  • (1) risks and workarounds should be jointly considered to model uncertainty in organizations
  • (2) participative enterprise modeling can assist process improvement and regulatory compliance
  • (3) it is also necessary to address informal “shadow” practices in enterprise models

This framework can help organizations in their transition to the new 2015 version of ISO 9001, which endorses process oriented approaches and risk-based thinking as top priorities.
Risks and Workarounds
  • Risks
- Risk:
  • (1) Probability that the actual outcome of an event will differ from the expected outcome
  • (2) The impact associated with that outcome

- Kaplan suggests a three-level hierarchy of risks:
  • (1) Global enterprise risks (black swan)
  • (2) Strategy
  • (3) Operational and compliance risks

- Risk-based thinking involves anticipation of undesired events that affect reality and its models of expected behavior, ultimately raising improvement opportunities

- Standards such as ISO 9001 suggest risk-based thinking: process visibility, problem prevention, and system auditability

- Dealing with certainty and uncertainty: Design-time vs run-time

- What if the process is not followed as designed?

  • Workarounds

- Workaround: alternative procedure to the “official process”, which can result from a mismatch between people expectations and actual practice

- Risk-benefit analysis

- In IS, it can be a discrepancy between the information technologies (IT) expectations and the actual practices, resulting in the creation of alternative ones and “shadow applications”

- Some workarounds are sporadic and disappear, while others can persist over time and become the standardized formal practice

  • Intertwining Risks and Workarounds

- Enterprise Modeling is “an activity where an integrated and negotiated model describing different aspects of the enterprise is created”

- “Most approaches [for design-time phase] do not provide principles or guidance to support risk-informed business process models”

- EM deal with two types of uncertainty:
  • (1) Values of key parameters, which are uncertain because of a lack of knowledge and a natural variability
  • (2) The structure of the model itself - whether the structure of the model fundamentally represents the system or decision of interest

- Risks and Workarounds are interrelated, however, they are typically studied independently

- A model of IS risk was proposed by Alter and Sherer, considering the facets:
  • (1) Goals and expectations
  • (2) Risk factors and other sources of uncertainty
  • (3) The operation of the work system whose risks are being managed
  • (4) The risk management (contingency management) effort
  • (5) The possible outcomes and their probabilities
  • (6) The impacts on other systems
  • (7) The resulting financial gains or losses

- WPMN - Workaround Process Model and Notation, including risk-benefit, impact

- Lack of approaches built specifically for small and medium enterprises (SMEs)

  • The rISk-arounD Framework

Fig. 1: rISk-arounD (Barata, Cunha, and Abrantes, 2015)

  • Examples of certainty/uncertainty models
Dimension Models for Certanity Models for Uncertainty
Context The Principles that the organization states in its quality policy 'Black Swan' list
People The company organigram; Functions Informal power structures; Infromal leaders; Individual goals
Process Process models representing activities, roles, business, rules, ... Workarounds to improve efficiency; Misfit between 'static' process maps and the dynamic of real practice
IT The 'official' IT portfolio, for example an ERP The 'unofficial' applications sourced by process users (e.g. parallel spreadsheets)
Information/Data The organizational databases; Statutory reports Information/data quality issues; Omitted information/data
  • Modeling workaround risks at process level

Fig. 2: Business Process Design with rISk-arounD (Barata, Cunha, and Abrantes, 2015)

  • Evaluating

- The new models addressed distinct levels of uncertainty - an advance when compared to previous (formal, certain, predictable) process maps

- Risks and workarounds are dynamic and require a continuous (cyclic) effort in:
  • (1) Addressing strategic and cultural aspects of enterprise-wide risk management
  • (2) Framing informal processes in risk-based thinking
  • (3) Highlighting actions to address risks and also opportunities

- Benefits:
  • (1) Increased transparency about the organizational practice
  • (2) Anticipation of formal process risks that can trigger a workaround decision by process participants
  • (3) Reflection about the risks raised by the workaround execution

- Due to the participatory nature of the proposed approach, it is necessary to identify potential bias and treats to trustworthiness of the participants’ statements

  • Main Conclusions

- We presented a guiding framework to deal with risks and workarounds

- Risks and workarounds should be jointly considered to model uncertainty in organizations

- It is necessary to consider five interrelated dimensions in the enterprise-wide rISk-arounD framework: context, people, process, IT, and information/data

- It is necessary to address informal “shadow” practices in enterprise models

- Participative enterprise modeling can assist risk-based thinking and regulatory compliance

rISk-arounD is the result of a joint R&D project leaded by CTCV.
Authors of the article published in 2015: João Barata (CTCV), Paulo Rupino da Cunha (CISUC, University of Coimbra), Luís Abrantes (MIC)
For detailed information about the rISk-arounD approach, please contact the corresponding author: João Barata, Ph.D. (