Nowadays, the organic nature of business processes and the increasingly complex and dynamic business environment make organizations face severe operational risks. However, current risk analysis methods of Information Technology (IT) resources ignore inter-process correlation and thus inter-process risk propagation. This gap needs a solution since the rigid alignment of organizations cause the risks which propagate throughout the whole organization to be the most serious operational risks. This paper presents a holistic approach for quantifying risk propagation in business processes based on the risk analysis of their underlying IT and human resources. This approach adapts financial techniques to quantify the level of risk that average and severe events on IT resources generate on individual business processes, and to quantify the risk propagation impact among dependent processes. This approach was applied to an enterprise modeling case study to quantify risk propagation for different risk epicenter scenarios. The results show that the proposed approach is capable of finding and quantifying both direct and indirect dependencies among operational assets within an organization. A high level of accuracy was observed when comparing the actual value of the process risk and the projected value considering risk propagation.

中文翻译：

---

量化业务流程和 IT 服务网络中的风险传播

如今，业务流程的有机性和日益复杂和动态的业务环境，使组织面临严峻的运营风险。然而，当前信息技术（IT）资源的风险分析方法忽略了进程间的相关性，从而忽略了进程间的风险传播。这种差距需要一个解决方案，因为组织的严格一致性导致在整个组织中传播的风险成为最严重的运营风险。本文基于对底层 IT 和人力资源的风险分析，提出了一种量化业务流程中风险传播的整体方法。这种方法采用财务技术来量化 IT 资源上的平均和严重事件对单个业务流程产生的风险水平，并量化相关流程之间的风险传播影响。该方法应用于企业建模案例研究，以量化不同风险震中情景的风险传播。结果表明，所提出的方法能够发现和量化组织内运营资产之间的直接和间接依赖关系。在比较过程风险的实际值和考虑风险传播的预计值时，观察到了高度的准确性。