Risk Extensions to the BPMN 1.1 Business Process Metamodel

Business process models have become a ubiquitous tool for documenting, designing, and managing the core functions of an enterprise. The range of information that can be represented in process modeling software toolkits has steadily expanded beyond simple workflow representations to include information regarding process objectives and measures of process performance, oversight and control policies, and supporting resources.

Business process models are also seen as an integral tool for corporate governance and risk management. Currently, however, most risk management and quantification techniques are only loosely coupled with process modeling. Risk management techniques such as Failure Mode and Effect Analysis (FMEA) use business process models as a starting point for identifying and locating possible risk exposures, but do not document the risks themselves in the process models, or use the process model relations explicitly in quantifying risks. To date, there have been few efforts made to formally integrate risk management concepts into a standard business process metamodel.

This paper attempts to remedy this situation by defining a set of metamodel extensions to standard process modeling languages that incorporate risk information directly in the process model. In particular, we shall define a set of extensions to the BPMN 1.1 process modeling specification standard [Object Management Group (OMG). Business Process Modeling Notation, V1.1, Doc.: formal/2008-01-17, available at

This report contains only the technical specification of the BPMN metamodel extensions. A fuller description of the definitions and use of these extensions, including graphical notation, connections to the existing literature, and a method for constructing risk-extended process models, can be found in Cope et al. ["Incorporating Risk into Business Process Models," IBM J. Res. Develop., Special Issue on Business Integrity Through Integrated Risk Management, 2009, to appear], to which this report serves as an appendix.

By: Eric Cope, Jochen M. Kuester, Dominik Etzweiler, Lea Deleris, Bonnie Ray

Published in: RZ3740 in 2009


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .