IBM Journal of Research and Development

Issue 3 • Date May-June 2010

Business Integrity and Risk Management

The increasingly complex and global nature of business enterprises and their activities—which include worldwide supply chains, cross-border financial activity, and services outsourcing—is accompanied by increasing levels of economic uncertainty, global competition, governmental regulatory controls, and use of interdependent information technologies. This issue covers a broad array of domain and non-domain-specific topics and technologies for enhancing business integrity through the provisioning of risk management capabilities. Topics range from enterprise risk management to IT security to the management of power-outage risks.

  • Cover 1

    Page(s): C1
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Freely Available from IEEE
  • Preface: Business Integrity and Risk Management

    Page(s): 1 - 2
    Freely Available from IEEE
  • Three key enablers to successful enterprise risk management

    Page(s): 1:1 - 1:15

    Enterprise risk management (ERM) refers to a set of processes that enables the effective management of the risks, opportunities, and expected and unexpected events that may affect the enterprise. The successful implementation of ERM is a challenging task in part because it requires collaboration among multiple business units of different sizes, scope, and capability, each facing what it perceives as unique risks. Other difficulties with ERM implementations include lack of adoption of an enterprise-wide governance model, lack of a common risk language (e.g., taxonomy), and uneven levels of maturity within an organization regarding the management of risks. This paper establishes three conceptual frameworks that provide a basis for an enterprise embarking on ERM: 1) a risk management cycle; 2) a risk-related taxonomy; and 3) an ERM maturity model. The risk management cycle provides a discipline to consistently and coherently manage virtually all risks in the enterprise. The risk taxonomy provides a foundation for clear and concise communication about risk across the enterprise to enable better risk management. The ERM maturity model, and its associated capability assessment, allows an organization to determine gaps in its current risk management processes and define ways to improve those ERM capabilities. Together, these three frameworks are key enablers for a successful ERM implementation and ongoing operation.
  • Problems with scoring methods and ordinal scales in risk assessment

    Page(s): 2:1 - 2:10

    Risk assessment methods based on scoring methods that rate the severity of each risk factor on an ordinal scale are widely used and frequently perceived by users to have value. We argue that this perceived benefit is probably illusory in most cases. We begin by describing a number of common scoring methods currently used to assess risk in a variety of different domains. We then review the literature on the use of ordinal scales in risk analysis, the use of “verbal scales” for eliciting estimates of risks and probabilities, and the extensive research about peculiar human errors when assessing risks. We also supplement this overview with some data of our own. When these diverse kinds of evidence are combined, the case against scoring methods is difficult to deny. In addition to the evidence against the value of scoring methods, there is also a lack of good evidence in their favor. We conclude our overview by reviewing the reasons why risk assessment approaches should describe risk in terms of mathematical probabilities.
  • A risk-metric framework for enterprise risk management

    Page(s): 3:1 - 3:10

    We describe a risk-metric framework that supports enterprise risk management. At the core of the framework is the notion of a risk profile that provides risk measurement for risk elements. By providing a generic template in which metrics can be codified in terms of metric space operators, risk profiles can be used to construct a variety of risk measures for different business contexts. These measures can vary from conventional economic risk calculations to the kinds of metrics that are used by decision support systems, such as those supporting inexact reasoning and that are considered to closely match how humans combine information.
  • Incorporating risk into business process models

    Page(s): 4:1 - 4:13

    Although business process modeling is considered as a core activity in enterprise risk management, existing process modeling languages do not include a complete notation for documenting how processes can fail. This paper develops a conceptual framework for extending standard business process metamodels to include comprehensive information that is useful for managing and quantifying operational risk in business processes. We provide formal extensions of the Business Process Modeling Notation standard, as well as a step-by-step process for creating a risk-extended process model.
  • Firm objectives, IT alignment, and information security

    Page(s): 5:1 - 5:7

    More and more attention has been devoted to the alignment of information technology (IT) spending and initiatives with organizational strategic objectives. IT spending across organizations and industries has a high opportunity cost and involves a substantial opportunity for deviations from support for the highest priorities of business units. The business justification and rationale for information security has come under similar scrutiny at a time when the nature of many organizations is being transformed by the network economy. More and more business functions and processes are enabled by information assets and capabilities that are vulnerable to new and adapting threats. This paper examines the impact of the strategic alignment of information security spending with organizational goals and with the risk tolerances of decision makers. It provides an explanation for and insight into the observed differences in executive responses to cyber threats and risk assessments. It models the relationship between security resources and risk mitigation, and it identifies the premiums that organizations expect to receive or pay for bearing or avoiding information security risk.
  • Causal networks for risk and compliance: Methodology and application

    Page(s): 6:1 - 6:12

    This paper presents a statistical approach to quantitatively measure the current exposure of a company to failures and defects in product quality or to compliance to government regulations. This approach is based on causal networks, which have previously been applied to other fields, such as systems maintenance and reliability. Causal networks allow analysts to causally explain the values of variables (an explanatory approach), to assess the effect of interventions on the structure of the data-generating process, and to evaluate “what-if” scenarios, that is, alternative methods or policies (an exploratory approach). Building the causal structure raises some challenges. In particular, there is no automated way to collect the needed data. We present a methodology for model selection and probability elicitation based on expert knowledge. We apply the proposed approach to the case of pharmaceutical manufacturing processes. The use of such networks allows for a more rigorous comparison of practices across different manufacturing sites, creates the opportunity for risk remediation, and allows us to evaluate alternative methods and approaches.
  • Service operation classification for risk management

    Page(s): 7:1 - 7:17

    We propose an empirical service-operation risk-classification model to provide managerial insights to service providers in terms of risk management. The model is developed through an investigation of the dependencies between the characteristics of service operations in consumer services and the broad classes of provider risk to which they are exposed. A survey of professional managers has been conducted in which respondents were asked to assess 30 service operations across six service dimensions and five factors representing provider risk. The data have been analyzed using statistical methods, in particular Bayesian network analysis and hierarchical clustering. The results indicate relationships between service operations, service dimensions, and risk factors. Due to the limited sample size, our findings should be regarded as preliminary. The proposed model should help determine the most relevant types of service risks based on the specific characteristics of the service provided and therefore help to develop risk mitigation strategies.
  • A statistical model for risk management of electric outage forecasts

    Page(s): 8:1 - 8:11

    Risk management of power outages caused by severe weather events, such as hurricanes, tornadoes, and thunderstorms, plays an important role in electric utility distribution operations. Damage prediction based on weather forecasts on an appropriate spatial scale can improve the efficiency of risk management by reducing the economic and societal costs associated with restoration efforts. We have developed a method of predicting the number of outages in a fashion that is suitable for use by electric utilities by using a Poisson regression model for spatial data in a Bayesian hierarchical framework. Particular attention is given to building models that incorporate uncertainty in the outage data from the perspective of multiple spatial resolutions and spatial correlation in the outage data. The outage-prediction model was developed using historical outage data from an electric utility company in the northeastern part of the United States. The model is being used by that company in the operations of its overhead electrical distribution system and emergency management operations. We discuss results to date and how the model is being applied. In addition to the damage forecasts, we have developed tools for risk visualization by displaying the uncertainty of the damage forecasts on geographic maps.
  • Risk-adjusted approach to optimize investments in product development portfolios

    Page(s): 9:1 - 9:15

    Companies invest in a portfolio of products with the financial objective of increasing revenue and net profit. They also have a limited product development budget and uncertainty around which products will be successful. In this paper, we offer a methodology to manage the allocation of a limited budget across a portfolio of products. Specifically, we provide a practical approach for quantifying the risk in relation to attaining financial objectives, and we offer an approach to reallocate the limited budget across the various products. This approach also provides long-term financial implications of investment decisions that are taken today. This practical end-to-end methodology can build on existing portfolio management practices prevalent in many companies. The approach uses all available measured and estimated data, expert opinions, and mathematical techniques for risk elicitation, Monte Carlo simulation for risk quantification, and mathematical programming with risk measures for optimal reallocation. We also introduce a web-based tool, called Portfolio Risk and Investment Management Engine, that implements this methodology along with an illustrative case study.
  • Management of disruption risk in global supply chains

    Page(s): 10:1 - 10:9

    Global supply chains (GSCs) are an integral part of the twenty-first century economy. A disruption occurring within a supply chain, whether it is attributable to a natural disaster or a human-induced event, presents substantial risk to organizations within the supply chain and the markets that it serves. In this paper, we discuss new research toward a risk-based modeling approach to managing a GSC disruption. We introduce the concept of a supply-risk network to capture potential disruptions. Using this framework, we formulate a GSC disruption-risk model that allows for organizations within the supply chain to strategically plan for the sourcing (i.e., procurement) and flow of goods throughout the supply chain in a manner that directly incorporates the risk of disruption. The GSC disruption-risk model is formulated as a two-stage stochastic integer programming problem with fixed recourse, which is an appropriate modeling approach when decisions can be made after uncertainties are resolved in order to ensure that the stochastic constraints hold. This formulation is illustrated with an example five-node network. Furthermore, we explore implications of increasing the reliability of nodes in the network. Finally, we conclude with implications for further theoretical research and for managerial practice.

Aims & Scope

The IBM Journal of Research and Development is a peer-reviewed technical journal, published bimonthly, which features the work of authors in the science, technology and engineering of information systems.

Meet Our Editors

Editor-in-Chief
Clifford A. Pickover
IBM T. J. Watson Research Center