1 Introduction

“Only those who will risk going too far can possibly find out how far one can go” (T. S. Eliot, Preface to Transit of Venus: Poems by Harry Crosby, 1931). In organizational practice, people can be tempted to work around the official procedures, basing their decision on a risk-benefit analysis [1, 2]. When this happens, a breach opens between the “formal” modeled system and reality, which may raise other, unforeseen risks. Therefore, managing uncertainty is a major concern of organizations, and we argue that it can be addressed with participative enterprise modeling [3].

ISO 9001 is a worldwide standard to implement a quality management system [4]. Its revised version is expected to be published by the end of 2015 and one of its major changes is the inclusion of risk-based thinking [5]. ISO 9001 suggests a process approach and documented information to ensure process visibility, problem prevention, and system auditability [4]. The lack of adherence between the designed processes and the run-time processes is a frequent cause of nonconformity in quality audits, requiring measures to guarantee compliance by reducing process friction [6]. Risk-based thinking involves anticipation of undesired events that affect reality and its models of expected behavior [7], ultimately raising improvement opportunities [8].

The importance of risk management is growing, and there are several reasons that explain this, for example (1) regulatory pressure; (2) customer requirements; (3) public image; and (4) management attitudes, which are becoming more professional in integrating risks into strategies and operations. Moreover, risk is a key topic in the research agenda of information systems (IS), business process management (BPM), and enterprise modeling [8–10]. Risks are entangled in BPM [9]; however, “there is still a lack of research which investigates the management of risks during process execution, the exploitation of post-execution data for the purpose of risk analysis and the enablement of an integrated formal reasoning of risks in process models” [10].

Workarounds are alternative procedures to the official process, which can result from a mismatch between people’s expectations and actual practice [11], and they are receiving increased attention in IS [1, 2, 12]. According to [2], organizational employees adopt workarounds in business processes according to a risk-benefit analysis, perceiving them as process improvements if the efficiency gains outweigh the exposure resulting from the process violation. A recent study presented by [12] addresses the informal, unexpected, and undesired workarounds that the users of a multinational company had put in place. The authors suggest that canonical action research (CAR) is an appropriate approach to deal with the problem [12].

The literature about risks and workarounds is vast [8] and the two concepts are interrelated [2]; however, they are typically studied independently [1, 8]. There is a lack of models built specifically for small and medium enterprises (SMEs), which often adopt rudimentary risk management practices and lack a risk-aware culture [13–15]. Moreover, there is a shortage of practical cases and insufficient research in run-time risk management [10], which can be affected by changes that process participants decide to make to the formal process model. These open issues led us to set the goal of developing a guiding framework to deal with risks and workarounds [4, 5], fostering risk-based thinking in the scope of ISO 9001.

We organized the remainder of the paper as follows. Section 2 presents the literature review. Next, we present the research approach, which is canonical action research [16]. Section 4 details our CAR cycle in a metalworking SME. In Sect. 5, we discuss the results according to the principles suggested by [17] to ensure rigor and relevance in CAR. Finally, we present the conclusions, the study limitations, and the opportunities for future research.

2 Literature Review

2.1 Risks and Workarounds

A definition of risk includes (1) a probability that the actual outcome of an event will differ from the expected outcome and (2) the impact associated with that outcome [18]. Kaplan [19] suggests a three-level hierarchy of risks. Level 3 is the most detailed and consists of the operational and compliance risks [20] that emerge from business processes (e.g., information security and privacy, regulatory issues). According to [19], level 3 risks are more predictable and related to standard operating procedures. Level 2 includes strategy risks; for example, environmental, customer relations, human resources, and IT-related risks [19]. At level 1 are the global enterprise risks that may occur due to highly improbable events, usually called “black swans”, which have the most adverse consequences for the firm’s survival [19]. They should also be tackled by managers, for example with scenario planning and meetings [19]. Alternatively, the risk model proposed by [21] distinguishes three levels, recognizing (level 1) the organization; (level 2) the mission and business processes; and (level 3) the IS. Although the literature offers contributions for process-oriented risk models [9, 13, 22], an enterprise-wide risk framework must consider distinct layers, for example the strategic and the cultural [19], at all levels of the organization [13]. Consideration of compliance risks and operational risks should be integrated during the design-time and at run-time of business processes [20]. Dealing with both types of risks involves the definition of objectives, business rules, and internal controls [19]. What if the process is not followed as designed?

Workarounds can be seen as a change or deviation from an existing (formal) work system to overcome the problems that are preventing the achievement of the desired goals [1]. In IS, workarounds may take place as a discrepancy between the information technology (IT) expectations and the actual practices [11], resulting in the creation of alternative practices and “shadow applications” [23] by the users. On the one hand, workarounds may be used to solve misfits and deficiencies, or to identify opportunities to improve the IS [12]. On the other hand, workarounds may create difficulties for IS adoption, leading to redundancies in data and applications [23], potential nonconformity with policies, inefficiencies or hazards [1], becoming a source of emergent risks or an amplification of the initial risks. The IS may even be seen as “‘scapegoats’, as managers can blame the IS for not preventing workarounds” [24].

The studies presented by [1, 25] identify workarounds that are sporadic and disappear, while others can persist over time and become the standardized formal practice. In the latter case, people consider the alternative practice more appropriate for their needs, learn from the experience, and produce a change. The breach between formal practices supported by IT and real practices may increase, requiring a timely identification of these cases and the redesign of the IS. According to [26], workarounds should not be confused with errors and mistakes. In fact, workarounds depend on the organizational culture [27] and on the existence of open discussions that are able to exploit their potential for process improvement [26]. Although some models point to the need to identify process configurations that minimize risks [9], they do not consider the full potential of workarounds for risk identification.

2.2 Risks and Workarounds in Enterprise Modeling

Enterprise modeling is “an activity where an integrated and negotiated model describing different aspects of the enterprise is created” [28], comprising sub-models that can focus on different dimensions, for example, people, processes, and IT. The objective of enterprise modeling is to develop a business or to ensure its quality [28], for example, for strategy development, business process (re)design, procedure communication, and IS requirements identification, ensuring that the model fits reality [3]. Enterprise models deal with two types of uncertainty: “One uncertainty is in the values of key parameters, which are uncertain because of a lack of knowledge and a natural variability. The second uncertainty is in the structure of the model itself. Model uncertainty relates to whether the structure of the model fundamentally represents the system or decision of interest” [29].

Information systems include different interrelated dimensions, namely the context, people, process, IT, and information/data [30, 31]. Therefore, IS modeling is a complex endeavor that tries to simplify various aspects of reality, integrating social and technical aspects [32]. Risks and workarounds are two important parts of the organizational practice that affect the IS. As we recognize the important contributions that addressed each of these parts separately [1, 2, 8, 9, 12], we argue for the opportunity to achieve synergies in their combination.

Risk modeling has been studied in the context of SMEs, for example by [33] for ERP implementation. According to [33], risks must be modeled according to the different lifecycle phases of the project. Other authors studied risk management in the lifecycle of BPM from design to post-execution; for example [10], arguing that “most approaches [for design-time phase] do not provide principles or guidance to support risk-informed business process models” [10]. A model of IS risk was proposed by [8], considering the facets: (1) goals and expectations; (2) risk factors and other sources of uncertainty; (3) the operation of the work system whose risks are being managed; (4) the risk management (contingency management) effort; (5) the possible outcomes and their probabilities; (6) the impacts on other systems; and (7) the resulting financial gains or losses. In [34] a framework is presented for analyzing incident management systems, providing guidance for IS risk assessment factors in critical systems.

Workaround modeling has been addressed, for example, by [35], who compared the formal processes and the workarounds, including the dimensions of (1) motivation; (2) constraints; and (3) consequences. The Workaround Process Model and Notation (WPMN) is a solution proposed by [2] to combine workarounds in business process models. The model contains different constructs for the representation of workarounds, context analysis (risk-benefit, situational factors, business rules), and the workaround impact. WPMN has potential synergies with compliance and risk model proposals, for example [9, 22]. Nevertheless, we could not find in the literature an enterprise-wide framework with the purpose of integrating risks and workarounds, not restricted to the process level, addressing the different lifecycle phases of risk-based thinking.

Processes are only one of the dimensions of the IS, and there is a need to consider a strategic dimension in risk approaches [19], as presented by [36] in the scope of IT risks. Moreover, current business process models have problems in capturing all the information that is required to audit risks [37]. Similarly, dealing with workarounds requires understanding people’s motivation, risk analysis, the consequences for other process activities, and the context involved [2]. We acknowledge the integration of risks and workarounds in the work presented by [2]; however, the authors do not address risks that emerge from the informal workflows. To overcome these difficulties, the study conducted by [12] selected activity theory as the focal theory for their research, characterized as a cross-disciplinary framework for analyzing forms of human practice.

3 Research Approach

We considered Action Research [16] and Design Science Research [38] as two suitable approaches, because both allow the design of a new artifact or solution and its testing in practice. Action research is an approach that simultaneously aims at improving a problematic situation in the target organization and at contributing to the body of scientific knowledge [16, 17]. Since our work aimed at solving concrete organizational issues in a client setting [16], we considered that it was more aligned with the dual goal of action research.

There are multiple forms of action research [39], usually represented in a cyclic combination of phases. We followed one of the most used and well documented forms that is the canonical action research (CAR), characterized by five phases of Diagnosing, Action planning, Action taking, Evaluating, and Specifying learning [16].

Rigorous action research is seen as one of the solutions to improve the relevance of IS, by solving real world problems [40]. To ensure rigor and validity, there are five principles that we must consider in CAR [17]: Principle of the Researcher–Client Agreement; Principle of the Cyclical Process Model; Principle of Theory; Principle of Change through Action; and Principle of Learning through Reflection. The next section describes the findings of our CAR cycle. Afterwards, we discuss those results according to each of the five principles above, adopting the structure selected by [12] for the discussion of their CAR project.

4 Framework Development

“Thinking is easy, acting is difficult, and to put one’s thoughts into action is the most difficult thing in the world” (Johann Wolfgang von Goethe).

4.1 Client-system Infrastructure

Our client is a small metalworking company founded in 1947. Its activity is conducted in the fields of mechanical engineering and industrial maintenance. Its market is mostly local, with the majority of its customers within a 100 km range. Quality is a priority for the company. ISO 9001 [4] certification is seen as a competitive advantage that distinguishes them from low-cost players in the sector. Moreover, they have demanding customers regarding compliance with environmental and safety risks. The lack of resources that characterizes SMEs [15] is a reality in our setting. However, the adoption of enterprise-wide risk modeling is not optional; it is vital for conformity to standards [5] and for the company’s survival.

4.2 Diagnosing the Setting

The CAR diagnosis started with semi-structured interviews [41] involving the top manager, the chief financial officer, and the quality manager. We also used data gathering techniques of document collection and observation [41] to understand the organizational processes and the current risk management practices.

According to the quality manager “a customized industrial IS is critical for our company’s future and to comply with our audits”. The top manager considered that flexibility and informality were competitive advantages; nevertheless, they also bear a higher possibility of nonconformity with the strategy and with formal practices. There were other concerns, namely (1) the lack of human resources, requiring that any methodologies be lightweight; (2) the need to redesign business processes and the underlying IT; and (3) the barriers for change that were constantly raised by the older staff. The company managers had no experience with enterprise modeling methods and tools. Their processes were designed and described in semi-structured word processor documents, which is usual in ISO 9001 certified SMEs.

We also conducted a literature review during this Diagnosing stage. Each publication was coded using the Mendeley free reference management tool and discussed with the company managers. It was during the discussion and the comparison with practice that workarounds emerged. One of the company’s problems was the set of misalignments between: (1) formal processes (quality procedures) and actual practice; (2) IT and process support (high volume of paper and disconnected support spreadsheets); (3) market demands and staff competences (most of the staff had been in the company since its foundation and had low IT competences and a high resistance to change); (4) regulations and business processes; and (5) insufficient information quality for decision-making needs. According to the company managers, frequent workarounds multiplied the risks and potential nonconformity in quality audits.

Our comprehensive joint diagnosis provided the foundations to our action plan, presented in the next section.

4.3 Planning our CAR Action

We prepared an overall action plan with two main objectives. First, it was necessary to identify the main dimensions to address in risks and workarounds (agreed by their stakeholders), and to provide support for communication and learning in the organization [42]. Although workarounds have been studied regarding IT and business processes [1, 12, 43], it is possible to work around other dimensions of an IS, including organizational hierarchies (people), company policies and regulations that shape its context, or the required information/data of a given system. Our model should therefore be multidimensional. Second, we had the purpose of assisting SMEs in the ISO 9001 transition to the new 2015 version. Therefore, ISO 9001 principles and suggested approaches, for example the PDCA cycle [4], should be a part of our proposal. It was also our intention to make the framework and related models suitable for audits, because they are frequent in ISO 9001-based quality management systems. Our solution required artifacts and routines [30, 44] to assist practitioners in its adoption. Moreover, we wanted to apply participative enterprise modeling in our action, not merely to model systems but to design the underlying framework itself.

Our overall plan for this CAR cycle is inspired by the ISO2 [45] approach, originally proposed for the joint development of IS and ISO 9001-based quality management systems. First, we conducted a literature review to create (1) a frame of reference about the problem domain. Then, we (2) diagnosed organizational practice to identify the company policies, initial risks, and potential workarounds. Next, we (3) defined the framework vision, followed by (4) its main components and the dynamics of the model for the purpose of creating change. The subsequent step involved the (5) sourcing of tools such as risk matrices, process models and related procedures, and IT adaptations. Afterwards, it was time for (6) adoption in practice to respond to risks and workarounds. Finally, we (7) studied the changes that occurred with the introduction of the new framework and the opportunities for future work.

The organization did not intend to buy an IT modeling platform, and the mere description of risks would have fallen short of the managers’ expectations. Our plan was to foster a culture of participative enterprise modeling [3, 27] in the organization, as a basis for the risk-based thinking required by the ISO 9001:2015 revision.

4.4 Action Taking: Proposing and Testing the rISk-arounD Framework

Figure 1 presents the framework that we built to deal with risks and workarounds. We named it the rISk-arounD framework.

Fig. 1. The rISk-arounD Framework

The enclosing dashed line represents the dynamics of risk-based thinking in ISO 9001. Based on the sources of uncertainty (e.g., events, variability, mishaps) and certainty (e.g., quality principles, strategy, formal process maps) that are represented on the left of the model, the organization must identify the risks at three distinct levels (at the top of the figure), evaluate their local and broader impacts, including risks and opportunities to change (on the right), and respond with a focus on improvement (at the bottom). The internal part represents the aspects that must be addressed for dealing with risks and workarounds in IS [2, 6]. A workaround can be based on a risk-benefit evaluation [2] emerging from an existing friction in the business process [6]. Modeling must address five interrelated dimensions: (1) Context, (2) People, (3) Process, (4) IT, and (5) Information/data [30]. The dark circles specify the main literature references for each component of the framework. Table 1 presents practical examples of certainty/uncertainty models that can be used for each dimension.

Table 1. Examples of certainty/uncertainty models for each dimension.

Table 1 presents examples of models for the “formal” organization in the second column. Conversely, the rightmost column presents models of uncertainty (by risks/workarounds) that may influence the organizational goals. The examples were created, during our CAR cycle, in different formats including matrices (for black swan and risks affecting quality principles), organizational charts (e.g., alternative circuits of the official organigram), and process maps.

Figure 2 exemplifies an operational and compliance model. It is an extract of the organizational process map for the provisioning and metal component maintenance of our organization.

Fig. 2. Modeling workaround risks at process level

Each process in the figure has two lanes, as suggested by [2], to specify the formal process according to ISO 9001 requirements and the informal aspects, which represent the potential workarounds and their associated risks.

The risks identified at process level were included in a main risk list, and each one was evaluated from 1 to 5 as proposed by [19]. Finally, actions were defined to accept (e.g., check insurance for “black swans”; change the process to adopt the workaround), mitigate (e.g., minimize the risk/workaround probability), or avoid the risk/workaround. For the example in Fig. 2, (1) the product expedition now requires a quality report that is shipped with the product, after the production manager’s validation, and (2) the task inspection (on the right) becomes integrated in the IT platform used to record timesheets. In some cases, actions were aimed at eradicating workarounds (e.g., required fields in the IT platform); in other cases, the organization accepted them but acted to mitigate the risks (e.g., a double-checking quality control procedure).

4.5 Evaluating

The purpose of this CAR step is to evaluate the consequences of action taking in the organizational setting [16] and to compare them with the project objectives and expectations. It was a joint evaluation conducted by researchers and practitioners.

The new models that were developed addressing distinct levels of uncertainty [19, 30] were considered by the client organization as an advance when compared to the previous practice of identifying risks based on the ISO 9001 (official) process maps. First, it was simpler to communicate risk-based thinking for the ISO 9001:2015 transition. The framework suggests that risks and workarounds are dynamic and require a continuous (cyclic) effort. Second, it goes beyond traditional business process flowcharts (1) addressing strategic and cultural aspects of enterprise-wide risk management, (2) framing informal processes in risk-based thinking, and (3) highlighting actions to address risks and also opportunities (e.g., reduce process friction to address the workaround practice).

Similarly to risks, it is necessary to anticipate workarounds and their possible consequences. Interestingly, the CAR participants enjoyed being asked to think about, express, and deal with ways of “going around” the formal system. We found three main benefits: (1) increased transparency about the organizational practice; (2) anticipation of formal process risks that can trigger a workaround decision by process participants; and (3) reflection about the risks raised by the workaround execution. The combination of declarative and operational process modeling approaches can provide a more efficient representation of allowable workarounds.

The participants considered that the project exceeded their expectations and should continue, involving other workers. Moreover, it was considered that the framework has the potential to contribute to the adherence between process documentation (expected model) and practice (executed model), as required by the ISO 9001 standard. Nevertheless, due to the participatory nature of the proposed approach, it is necessary to identify potential bias and threats to the trustworthiness of the participants’ statements. For example, the team structure, the sense of hierarchy, and individual goals can influence the participants’ evaluation of risks and workarounds.

5 Discussion

Recalling the five principles suggested by [17] to frame our discussion:

  • Principle of the Researcher–Client Agreement. The client and the researchers agreed that CAR was an appropriate approach to create a new framework and address the organizational problem of risks and workarounds. The steps of CAR were explained to the company managers, ensuring that they followed them appropriately [16, 17], independently of the physical presence of the researchers in the setting. We established weekly goals to simplify team coordination, for example: “identify how model A can be integrated with model B”; “identify potential workarounds for process C”. Finally, the organization approved a scientific publication of our results.

  • Principle of the Cyclical Process Model. Based on the time constraints of our project, we considered that one CAR cycle was appropriate to propose and test the enterprise-wide framework. We also agreed that it would be interesting to conduct a second cycle including process participants. Although we concluded that the guiding framework would be suitable for that second cycle, new challenges emerge to: (1) promote the open debate about workarounds that occur in the organization (and that managers may not be aware of); (2) train process participants about rISk-arounD; (3) make them aware of the potential risks of workarounds; (4) allow them to suggest process improvements that may avoid, mitigate, or accept risks/workarounds; and (5) foster a culture of participative enterprise modeling in the entire organization.

  • Principle of Theory. Theory has an important role in CAR to guide the research and to allow discussion of the findings [46]. The creation of a theoretical frame of reference allowed us to promote a shared understanding about CAR and the recommendations for participative enterprise modeling. Moreover, it provided us the starting point to integrate and improve existing models that were independently built for risks and workarounds. It was an opportunity to compare the gaps between models and practices, according to the managers’ perspective and literature guidance.

Several studies adopted action research for enterprise modeling, providing contributions to understand the modeling process and the use of specific methods, for example [47]. However, few studies addressed the role of theory in CAR for the creation of high-level frameworks with the participation of organizational users. We advocate that theory can have a central role in participative enterprise modeling for:

  • Diagnosing. We provided a selection of articles about the problem domain to organizational managers, facilitating their active participation from early stages of the project. Interesting debates emerged when managers compared the papers’ conclusions with their own experience.

  • Action planning. Understanding the problem from a theoretical viewpoint facilitated our plan. Practitioners understood the requirements of the approach and the need for a gradual approach to the problem. Moreover, they realized the difficulty of achieving immediate results in risk-based thinking, because we could not find a framework that included all the components required for our models.

  • Action taking. Theory guided our actions in practice. We must be aware that researchers are not always present in the research setting; therefore, it is important to empower all the practitioners with the theoretical foundations to conduct (and document) action appropriately, reflecting on the theory and daily practice.

  • Evaluating. The outcomes of this research were constantly evaluated by researchers and practitioners according to the lens of the literature review previously conducted.

  • Specifying learning. Sharing a guiding framework among enterprise modeling participants is an opportunity to (1) promote organizational learning (e.g., “now I understand why model A has the component B”; “now I see why our risk list was scarce and ineffective for process Z: the majority of risks were hidden in multiple workarounds”) and (2) compare the advances with current practice. The opinion that managers had about scientific projects significantly improved after CAR, according to them, due to the possibility of combining their immediate interests with scientific advances.

  • Principle of Change through Action. Action taking addressed risks and workarounds in the processes of the organization. Therefore, we improved the organization’s readiness for ISO 9001:2015. The major changes occurred in the organizational risk plans, in process maps, and in IT improvement. The new risks that emerged from the evaluation of the models resulted in changes to the production and commercial modules of the company’s IT systems. Additional controls were included in IT and a new mobile app was developed to assist the component repair process illustrated in Fig. 2.

  • Principle of Learning through Reflection. The framework is a result of joint reflection by researchers and practitioners. We learned about the benefits of participative enterprise modeling and deepened the analysis of our findings in the current discussion section.

We found advantages in a layered approach to address risks and workarounds, not strictly addressing business processes (level 3 in [19]; level 2 in [21]), which are usually evaluated at the operational level and according to the “formal” description of their expected sequence. ISO 9001 involves cultural aspects [4, 27], aiming at a culture focused on customer satisfaction, improvement, and involvement of people in quality efforts. Enterprise-wide modeling must address informal business processes and the overall principles of the organization to capture the complexity of routines [44].

Dealing with risks and workarounds is a continuous effort, not limited to a single modeling project. Moreover, there are social aspects that advise a gradual implementation of the framework in daily practice. An open discussion about workarounds and risks is not straightforward: we are also dealing with compliance issues when we acknowledge that reality does not follow the legal or standard procedure. A possible behavior would be to deny workarounds and assume that organizations always act according to what they think, trusting that they are always capable of doing the most difficult thing in the world. We argue that workarounds are natural elements in the “ways of working” [27] of organizations and the rISk-arounD framework can contribute to finding improvement opportunities at different levels: global; organizational; operational and compliance. A culture of participative enterprise modeling can contribute to the progress of risk-based thinking.

6 Conclusions

We presented the development of an enterprise-wide framework to deal with risks and workarounds, capturing formal and (informal) “shadow” practices. The setting was an ISO 9001-certified metalworking SME that is preparing the transition to the new ISO 9001:2015 version. We discussed a scenario that aimed at (1) fostering a culture of participative enterprise modeling [3]; (2) creating a guiding framework for risk-based thinking (and acting); and (3) adopting it in practice with simple models. We used canonical action research, which has synergies with participative enterprise modeling. It is necessary to consider five interrelated dimensions in an enterprise-wide risk framework, namely context, people, process, IT, and information/data. We confirmed the benefits of integrating workarounds in risk-based thinking to overcome the limitation of formally defined processes, which can bias the analysis of potential risks toward the “visible” parts of the models.

To our knowledge, rISk-arounD is the first guiding framework in the scope of ISO 9001:2015 (planned to be released in late 2015) that integrates risks and workarounds. However, there are limitations to take into consideration. First, the framework is inspired by specific references; other models could be used. Second, we propose a high-level representation that was considered suitable for this SME, but the scenario may differ in organizations with higher modeling maturity. Nevertheless, our results can provide guidance in the initial steps of risk modeling. Third, the artifacts were built with simple tools, accessible to all the project participants; however, the representation and visualization of the models that result from the framework can be improved with IT support. Fourth, the project team only included managers, but other process participants can participate. Fifth, the positive results in this socio-technical setting must be cautiously evaluated due to the potential risk of the Hawthorne effect, suggesting that the observed participants’ behavior could be “related only to the special social situation and social treatment they received” [48].

Future work can involve distinct sectors and more complex scenarios, for example in the highly regulated food industry, for which we have already planned interventions. It would be important to extend our study with additional standards, for example ISO 31000. The rISk-arounD framework can be adopted to improve modeling methods and languages or to develop new models to deal with uncertainty. Although rISk-arounD can provide methodical guidance on the steps and sources for integrated modeling of risks and workarounds, the development of new artifacts to assist organizational practice can improve the transferability of our results. A second CAR cycle will address these open issues and involve process participants in the reflection about their potential workarounds, risks, and consequences.