A comprehensive investigation of the applicability of process mining techniques for enterprise risk management §

Filip Caron a,*, Jan Vanthienen a, Bart Baesens a,b,c

a Department of Decision Sciences and Information Management, Faculty of Business and Economics, KU Leuven, Naamsestraat 69, B-3000 Leuven, Belgium
b Vlerick Leuven Gent Management School, Vlamingenstraat 38, B-3000 Leuven, Belgium
c School of Management, University of Southampton, Highfield Southampton SO17 1BJ, United Kingdom

1. Introduction

The business environment of a contemporary organization is typically characterized by a multitude of uncertainties. Whereas several events related to such uncertainties may create opportunities for the organization, others will represent potential risks.

Based on the responses from 460 executives representing a variety of industries and firm sizes, described in [1], we can conclude that there is a demand for further strengthening enterprise-wide risk oversight. The respondents indicated that more than 60% of the full boards, the audit committees, the CEOs and the internal auditors are making requests for more senior management involvement in risk oversight. There are two main drivers for these emerging calls: the positive correlation between enterprise-wide risk management and company performance [2] and the imposed regulatory requirements.

Different risk management models have been proposed, all based on the basic concept of the standardized risk management approach presented in ISO 31000:2009. The respondents of the study presented in [1] overwhelmingly indicated that the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management framework (COSO ERM) was the most well-known risk management model for enterprise-wide risk management. Moreover, the framework is considered theoretically sound and has the ability to act as a common language.
A multitude of techniques exist to implement the concepts presented in the risk management models: e.g. data mining techniques [3], business scorecard analysis [4], system dynamics [5] or simulation approaches [6]. However, to our knowledge the literature does not describe a process-analytics-based approach to cover all the components in the COSO ERM model.

Recent evolutions have indicated the importance of an evaluation of the risk related to the organization's processes. For example, the National Bank of Belgium, as part of its prudential control task, has requested an evaluation of the internal control system and a linking of the risks related to the different process elements (regulation CBFA 2009_26).

Risk-aware business process management has been proposed in [7,8]. These approaches focus on the conceptualization and integration of process risks into process modeling and simulation. Recently another element of business process management, process mining, has gained a lot of research attention and resulted in interesting real-world cases [9–11]. Process mining refers to the

Computers in Industry 64 (2013) 464–475

Article info

Article history:
Received 28 June 2012
Received in revised form 30 January 2013
Accepted 5 February 2013
Available online 13 March 2013

Keywords: Enterprise risk management; Process mining; Business process analytics; Business rules; Process-aware information systems

Abstract

Process mining techniques and tools perfectly complement the existing set of enterprise risk management approaches. Enterprise risk management aims at minimizing the negative effects of uncertainty on the objectives, while at the same time promoting the potential positive effects. Process mining research has proposed a broad range of techniques and tools that could be used to effectively support the activities related to the different phases of risk management.
This paper contributes to the process mining and risk management research by providing a full exploration of the applicability of process mining in the context of the eight components of the COSO Enterprise Risk Management Framework. The identified applications will be illustrated based on the risks involved in insurance claim handling processes.

© 2013 Elsevier B.V. All rights reserved.

§ Note from Editors: This paper originally formed part of a Special Issue on "Optimizing Enterprise Risk Management in Industry", guest-edited by Desheng Dash Wu (University of Toronto), David L. Olson (University of Nebraska) and John Birge (University of Chicago). Due to the lack of sufficient papers, it was decided to cancel/postpone this special issue. The Editors acknowledge the excellent work done by the guest editors in sourcing, reviewing and editing this paper.

* Corresponding author at: Department of Decision Sciences and Information Management, Faculty of Business and Economics, KU Leuven, Naamsestraat 69, B-3000 Leuven, Belgium. Tel.: +32 16 32 65 58; fax: +32 16 32 66 24.
E-mail addresses: Filip.Caron@econ.kuleuven.be (F. Caron), Jan.Vanthienen@econ.kuleuven.be (J. Vanthienen), Bart.Baesens@econ.kuleuven.be (B. Baesens).

http://dx.doi.org/10.1016/j.compind.2013.02.001