A Formal Methodology for Risk Estimation in Business Process Management
摘要
The execution of tasks in a business process is often subject to risks, defined as the product of the probability of a threat (i.e., a risk-inducing event) and its potential impact. These threats may stem from internal process failures or external disruptions, and their effects can propagate depending on process structure. Although existing business process management (BPM) approaches incorporate risk assessment, they typically analyze risks at the task level, neglecting the influence of control-flow dependencies on overall process risk. In this paper, we propose a formal method to estimate aggregated risk at the levels of individual tasks, execution traces, and entire business processes. The method assumes risk events are independent and each threat affects only one task, which allows tractable computation of risk via the inclusion-exclusion principle. We also provide formal properties of the risk aggregation and demonstrate the approach’s scalability and effectiveness through experiments on synthetic process models exhibiting common control-flow patterns, including SESE structures.