The consequences of a risk are damages or losses that occur as soon as the risk occurs. Generally, risk occurrence can have various consequences, such as financial loss, resource loss, or material loss. These different types and effects of risks can be defined in a business process model at various positions and at different levels. According to the ARIS risk management methodology, a risk is represented by an object of the Risk type. The object is either directly linked to a function via a connection of the occurs at type (risk-based approach) or indirectly via a control (control-based approach).
Risk occurrence
The occurrence of risk events or the causing of damage depends on the type of risk and various other factors. Process management focuses on the context of risks and functions. Therefore, the occurrence of a risk event is considered here based on the execution of the associated function. A risk can occur only if it is linked to a function via an occurs at connection. The attribute Probability (attribute type group Simulation) controls the occurrence of risks and is specified as a floating-point number between 0 and 1. For example, the probability 0.5 indicates that the risk occurs on average at every other function execution. Each time a function is carried out, the system determines, based on the probability, whether the risk occurs. If it occurs, it occurs at the end of function execution. If the attribute is not specified, the default probability 1 is used.
Financial loss
Risk occurrence can lead to financial losses. The loss created by a risk occurrence is controlled by the attribute Amount of damages (Simulation attribute type group). The amount of damages is specified as a constant or as a randomly distributed floating-point number. Possible distributions: equal distribution, normal distribution, log-normal distribution, exponential distribution, Erlang distribution, triangular distribution, truncated normal distribution, and Weibull distribution. If the risk occurs, the amount of damages is determined via the distribution. If the attribute Amount of damages is not specified, but a value is available for Average amount of damages (attribute type group Governance, Risk & Compliance (GRC) Risk management > Quantitative assessment > Amount of damages), this value is used. If neither of the two attributes is specified, no financial loss is recorded when the risk occurs.
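The occurrence and loss rules described above can be sketched as a small Monte Carlo loop. This is an added example, not ARIS code: the function and parameter names are assumptions, Python's random module stands in for the ARIS simulator, and the triangular distribution is used as one of the listed options.

```python
import random

DEFAULT_PROBABILITY = 1.0  # used when the Probability attribute is not specified


def risk_occurs(probability, rng):
    """Decide, at the end of one function execution, whether the risk occurs."""
    p = DEFAULT_PROBABILITY if probability is None else probability
    if not 0.0 <= p <= 1.0:
        raise ValueError("Probability must be between 0 and 1")
    return rng.random() < p  # random() is in [0, 1): p=1 always, p=0 never


def resolve_loss(amount_of_damages, average_amount, rng):
    """Return the loss for one occurrence, or None if no loss is recorded."""
    if amount_of_damages is not None:
        # Amount of damages: a constant, or a callable drawing from a distribution
        if callable(amount_of_damages):
            return float(amount_of_damages(rng))
        return float(amount_of_damages)
    if average_amount is not None:
        # Fallback: Average amount of damages from the GRC attribute group
        return float(average_amount)
    return None  # neither attribute set: the occurrence is counted, no loss


def triangular(low, high, mode):
    """Triangular distribution for Amount of damages (constructed sample)."""
    return lambda rng: rng.triangular(low, high, mode)


def simulate(executions, probability=None, amount_of_damages=None,
             average_amount=None, seed=0):
    """Run the function `executions` times and accumulate risk results."""
    rng = random.Random(seed)
    result = {"occurrences": 0, "losses_recorded": 0, "total_loss": 0.0}
    for _ in range(executions):
        if not risk_occurs(probability, rng):
            continue
        result["occurrences"] += 1
        loss = resolve_loss(amount_of_damages, average_amount, rng)
        if loss is not None:
            result["losses_recorded"] += 1
            result["total_loss"] += loss
    return result


if __name__ == "__main__":
    print(simulate(10000, probability=0.5,
                   amount_of_damages=triangular(100, 900, 300)))
```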
Follow-up activities and counter-measures
Detecting a risk event can be followed by counter-measures or follow-up activities (for example, clean-up, corrections, or indemnities). These activities are assigned to risk objects as process models. Every time the risk occurs and is identified by a detective control, all assigned process models are triggered. Therefore, the assigned models must be part of the simulation model. This depends on the configuration for models included. Assigned processes containing the follow-up activities are executed in parallel to the main process. They receive different process instance numbers than the main process and do not affect its cycle time. If multiple controls detect the same risk, the follow-up activities are performed only for the first control.
Resource loss
A resource loss means the unexpected reduction of resource capacity or non-availability of resources. The reasons can be, for example, sickness or accidents for human resources, or errors, operational faults, or unexpected maintenance work for technical resources. Times of non-availability of resources can be defined with a schedule.