Enhancing Business Impact Analysis and Risk Assessment Applying a Risk-Aware Business Process Modelling and Simulation Methodology
Ilayda Tunc
EHL Hospitality Business School (Switzerland), Lausanne, CH
Download PDF
http://doi.org/10.37648/ijps.v21i01.006
Abstract
Business Impact Analysis (BIA) and risk assessment are both central to resilience planning, yet many organizations still perform them as separate exercises. That separation creates blind spots: BIA may identify critical processes without modeling how disruptions propagate through real process flows, while risk assessments may score threats without estimating operational and business consequences over time. Earlier work by Tjoa, Jakoubi, and Quirchmayr proposed bridging this gap through the ROPE (Risk-Oriented Process Evaluation) approach, and later work formalized risk-aware business process modeling and simulation for evaluating threats, safeguards, and recovery measures in a unified process view. This paper presents a human-centered, applied research synthesis and methodology for enhancing BIA and risk assessment using risk-aware business process modeling and simulation. Building on the risk-aware BPM literature, multi-view modeling approaches, BPMN-based risk extensions, and recent integration efforts in crisis management and asset criticality analysis, the paper proposes a stepwise methodology that links process models, resource dependencies, threat scenarios, impact dimensions, and simulation outputs to decision-making. The contribution is practical: a structured way to move from static risk registers and spreadsheet-style BIA templates toward dynamic, scenario-based analysis that better supports prioritization, recovery strategy design, and resilience investment decisions. The paper also outlines implementation challenges, governance requirements, and a realistic adoption roadmap for organizations that want stronger continuity planning without overengineering the effort.
Keywords:
business impact analysis; risk assessment; business process modeling; business process simulation; risk-aware BPM; resilience; business continuity; scenario analysis
References
- Aghabegloo, M., Rezaie, K., Torabi, S. A., & Yazdani, M. (2024). Integrating business impact analysis and risk assessment for physical asset criticality analysis: A framework for sustainable operations in process industries. Expert Systems with Applications, 241, Article 122737. https://doi.org/10.1016/j.eswa.2023.122737
- Betz, S., Hickl, S., & Oberweis, A. (2011). Risk-aware business process modeling and simulation using XML nets. In 2011 IEEE 13th Conference on Commerce and Enterprise Computing (CEC) (pp. 349–356). IEEE. https://doi.org/10.1109/CEC.2011.58
- Cardoso, P., Respício, A., & Domingos, D. (2021). riskaBPMN - A BPMN extension for risk assessment. Procedia Computer Science, 181, 1247–1254. https://doi.org/10.1016/j.procs.2021.01.324
- Dumas, M., La Rosa, M., Mendling, J., & Reijers, H. A. (2018). Fundamentals of business process management (2nd ed.). Springer. https://doi.org/10.1007/978-3-662-56509-4
- Hassel, H., & Cedergren, A. (2021). Integrating risk assessment and business impact assessment in the public crisis management sector. International Journal of Disaster Risk Reduction, 69, Article 102136. https://doi.org/10.1016/j.ijdrr.2021.102136
- Lamine, E., Thabet, R., Sienou, A., Bork, D., Fontanili, F., & Pingaud, H. (2020). BPRIM: An integrated framework for business process management and risk management. Computers in Industry, 117, Article 103199. https://doi.org/10.1016/j.compind.2020.103199
- Quinn, S., Ivy, N., Barrett, M., Feldman, L., Topper, D., Witte, G., Scarfone, K., Gardner, R., & Chua, J. (2023). Enterprise impact of information & communications technology risk (NIST SP 800-221). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-221
- Suriadi, S., Weiß, B., Winkelmann, A., ter Hofstede, A. H. M., Adams, M., Conforti, R., Fidge, C., La Rosa, M., Ouyang, C., Pika, A., Rosemann, M., & Wynn, M. (2014). Current research in risk-aware business process management—Overview, comparison, and gap analysis. Communications of the Association for Information Systems, 34(1), 1099–1139. https://doi.org/10.17705/1CAIS.03452
- Thabet, R., Bork, D., Boufaied, A., Lamine, E., Korbaa, O., & Pingaud, H. (2021). Risk-aware business process management using multi-view modeling: Method and tool. Requirements Engineering, 26(3), 371–397. https://doi.org/10.1007/s00766-021-00348-2
- Tjoa, S., Jakoubi, S., & Quirchmayr, G. (2008). Enhancing business impact analysis and risk assessment applying a risk-aware business process modeling and simulation methodology. In 2008 Third International Conference on Availability, Reliability and Security (pp. 1041–1048). IEEE. https://doi.org/10.1109/ARES.2008.206
- Tjoa, S., Jakoubi, S., Goluch, G., Kitzler, G., Goluch, S., & Quirchmayr, G. (2011). A formal approach enabling risk-aware business process modeling and simulation. IEEE Transactions on Services Computing, 4(2), 153–166. https://doi.org/10.1109/TSC.2010.17
