A Pragmatic Risk Assessment Method Supported by the Business Model Canvas
Diogo Proença 1,2, Ahmad Nadali 1,2 and José Borbinha 1,2
1 Instituto Superior Técnico, Universidade de Lisboa, Lisbon, Portugal
2 INESC-ID, Lisbon, Portugal
{diogo.proenca, ahmad.nadali, raquel.bairrao, jlb}@tecnico.ulisboa.pt
Keywords: Risk Assessment, Digital Curation, Business Model Canvas.
Abstract: This paper presents a pragmatic risk assessment method based on best practice from the ISO 31000 family
of standards regarding risk management. The method proposed is supported by established risk management
concepts that can be applied to help a data repository to gain awareness of the risks and costs of the controls
for the identified risks. In simple terms the technique that supports this method is a pragmatic risk registry
that can be used to identify risks from a Business Model Canvas of an organization. A Business Model
Canvas is a model used in strategic management to document existing business models and develop new
ones. The risk assessment method is then applied to a Civil Engineering Laboratory to illustrate the benefits
of such a method.
1 INTRODUCTION
The purpose of this research is to make good use of
risk management concepts to raise awareness of
repository costs of digital curation. Costs are what
we have to give up for controls, which in turn are the
measures that we have to put in practice to minimize
loss or to maximize gain. In that sense, a control is
anything we are considering applying to either
minimize negative impacts or to take advantage of
opportunities to produce value and thus bring gains.
However, we must also agree that, in most of the
usual digital curation scenarios, it is usually very
difficult to estimate the absolute value of an asset.
For that reason, we are here ignoring the measurement of value, and focusing only on the identification of controls as the source of costs.
The technique behind this method analyses an
archive with the support of a risk registry and is
based on Business Model Canvas (BMC). A BMC
allows organizations to fill their business model in a
visual canvas that allows for easy understanding of
their business in nine building blocks. The
motivation behind it is to understand both what can
positively affect the value propositions of your
business (opportunities) and what can negatively
affect those same value propositions (risks).
The idea is to identify and understand the risks
and their impact (positive and negative) on each of
the nine building blocks of the BMC. We
demonstrate how the BMC technique can be used in
the method above to find risks and then controls for
those risks. This in turn makes it possible to estimate
the related costs as part of the overall costs of
curation. Digital curation “involves maintaining,
preserving and adding value to digital research data
throughout its lifecycle. The active management of
research data reduces threats to their long-term
research value and mitigates the risk of digital
obsolescence.” (DCC, 2014) The main steps are:
1. Formulation of related risk questions: for
each of the building blocks of BMC some questions
are provided to facilitate the identification of risks
for each of the building blocks.
2. Generic Risks and Controls for the Generic
BMC: after the formulation of the risk questions, the
next step is to identify the related risks, and then the
respective controls.
Generic risks and controls were identified after
analyzing the results of the DRAMBORA
(DCC/DPE, 2007) report. The risks and controls that
better align with the generic BMC model were
selected.
Proença D., Nadali A. and Borbinha J. A Pragmatic Risk Assessment Method Supported by the Business Model Canvas.
DOI: 10.5220/0005886501560162
In Proceedings of the Fifth International Symposium on Business Modeling and Software Design (BMSD 2015), pages 156-162
ISBN: 978-989-758-111-3
Copyright © 2015 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
The result is a generic BMC, with an associated
generic registry of risk questions and common
related controls, relevant for the domain of digital
curation to cost evaluation. The pragmatic method
was applied to estimate costs of curation focusing on
risks and controls to three case studies: two data
archives and one web archive. However, due to space restrictions, this paper focuses on just one case. The other cases are available at http://4ctoolset.sysresearch.org.
In conclusion, our contributions here proposed
for the digital curation problem are:
A pragmatic method for risk assessment,
based on the main references from the risk
management domain;
A generic BMC for the business of an OAIS
repository: This BMC can serve as template
for organizations where digital curation has
an important role, which can make local
instances of it;
A generic risk registry for scenarios of OAIS
repositories, created after analysing
DRAMBORA (DCC/DPE, 2007) and
comprising.
This paper is structured as follows. Section 2 presents the related work on the topic of the paper. Section 3 details the method used to extract and identify risks based on a BMC of an organization. Section 4 presents the generic BMC for Digital Curation based on the Open Archival Information System (OAIS). Section 5 details the collection of risks extracted from DRAMBORA. In Section 6, a case study and the application of the method are presented. The paper is finalized by presenting the conclusions.
2 RELATED WORK
In this section we present the relevant related work
on the topic this paper addresses, namely risk
management and the business model canvas.
2.1 Risk Management
The main references on Risk Management (RM)
from the International Organization for
Standardization (ISO) are:
ISO Guide 73: Vocabulary for risk
management (ISO, 2009);
ISO 31000: Risk management principles and
guidelines (ISO/FDIS, 2009a);
ISO 31004: Risk management—Guidance
for the implementation of ISO 31000
(ISO/TR, 2013);
IEC 31010: Risk assessment techniques
(ISO/FDIS, 2009b).
According to those sources, organizations (that
find RM relevant to their governance) should define
an internal RM process taking as a starting point the
generic method proposed in ISO 31000 (ISO/FDIS,
2009a). IEC 31010 catalogues a set of techniques
for risk assessment (ISO/FDIS, 2009b).
“Controls are measures implemented by organizations to modify risk that enable the achievement of objectives. Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.” (ISO/TR, 2013)
So, even if we are not following a specific RM
method as part of the governance framework of a
repository, we cannot avoid having to deal with the
identification of risks and controls. However, as a
complete RM methodology can be complex and
expensive to implement, we are here proposing a
simplified method that can be used at least for a
preliminary phase of costs estimation. If, after the
application of this method, the stakeholders of a
repository feel the RM principles are valuable for
the governance of their case, and it is worthy to
consider a proper and full RM method, then at least
these preliminary results can be reused for that
purpose.
The vocabulary of risk management is defined in ISO Guide 73 (ISO, 2009). Figure 1 provides a view of Risk Management as a conceptual map.
2.2 Business Model Canvas
The Business Model Canvas (BMC) is a model used
in strategic management to document existing
business models and develop new ones.
(Osterwalder, 2009) A BMC comprises nine building blocks that describe an organization, as illustrated in Figure 2.
The BMC is designed to “allow a group of
people to fill it in through brainstorming sessions
and thus create a relevant understanding of their
business model.” (Osterwalder, 2009) At the end of
such a process each block must have at least one
shared assumption about the business. It is even
possible to develop more than one BMC in order to
represent different, alternative views of the business.
Figure 1: Conceptual map showing controls as the cost
entities in a risk management perspective.
The BMC was first proposed in Osterwalder's thesis (“The Business Model Ontology—A Proposition in a Design Science Approach”) (Osterwalder, 2004). After that, several authors
developed or adopted this canvas approach for other
purposes, such as, the Lean canvas (LeanStack,
2014). In the meantime it has been suggested that
doing a BMC exercise is already in some sense
performing a risk assessment (Parrisius, 2013)
(McAfee, 2013).
Figure 2: The generic structure of a Business Model Canvas (blocks: Key Partners, Key Activities, Key Resources, Value Propositions, Customer Relationships, Channels, Customer Segments, Cost Structure, Revenue Streams).
Some authors have gone even further and
proposed the hypothesis that the BMC concept can
even be extended to support a pragmatic risk
analysis. This is illustrated in (Schliemann, 2013)
where the author scopes the business model risk
canvas. The motivation behind it is to understand
both what can positively affect the value
propositions of your business (opportunities) and
what can negatively affect those same value
propositions (risks).
The idea is to identify and understand the risks
and their impact (positive and negative) on each of
the nine building blocks of the BMC, as well as the
risk appetite of the stakeholders upon which a
business depends. Stakeholders in this context can
be regulators and investors. There is a huge body of
knowledge from the risk management community on
how to assess and measure risk through analytical
tools but this new technique fills the need to
introduce risk assessment at a higher level, scoping
it visually in consideration for each of the building
blocks of the BMC.
When applying this technique to identify the risks and their impact there should be a series of risk-related questions for each of the nine building blocks of the BMC. Simple examples of these questions are proposed in the original business model risk canvas, but for real use these should be scoped for the business in question.
Figure 3: BPMN diagram of the pragmatic method to estimate costs of curation focusing on risks and controls.
3 A METHOD TO IDENTIFY
RISKS BASED ON A BMC
This section describes a method for estimating costs
of curation in two different scenarios:
“Current” scenario, where the costs of
controls already exist in the repository as a
means to reduce the impact of a
consequence of a risk, change the likelihood
of an event, or reduce the exposure to a
vulnerability;
“Future” scenario, where the costs of
controls do not yet exist, but where
repository managers are able to consider
alternative scenarios of repository
governance.
The foundations of this method draw from
relevant sources, such as the ISO 31000 standard
and the Business Model Canvas (BMC).
The core stages of the method are:
1. Define the Context: Define the requirements
of the main elements: the organisation
(mission, etc.); the assets (data and
services), and the external stakeholders
and, for each of these elements define the
BMC for the scenario.
2. Execute a Pragmatic Risk Assessment: Use
a risk repository, or consult experts, in order
to identify relevant risks associated with the
BMC.
3. Recognize Actual Risk Treatment (the
“Current” scenario):
o Consolidate the risks identified
(mainly, to detect repetitions and
overlaps). Note: This is probably
the best stage to identify potential
positive impacts (if the
identification of positive impacts is
desired).
o Use internal information, and (if
necessary) also consult a risk
repository or experts, to identify the
controls to apply for the
consolidated risks.
o Estimate the costs for these controls
(the ideal is to calculate these costs
precisely, however, best estimates
can also be useful).
4. Simulate Alternative Risk Treatments (an
optional activity, to be executed as many
times as needed, to explore possible
alternative “Future” scenarios):
o Use internal information, eventually also consulting a risk repository or experts, and according to the business's strategic view and governance rules, conceive alternative scenarios for controls of the identified risks. Note: This is probably the best stage to explore opportunities to exploit positive impacts (if the exploitation of positive impacts is desired).
o Make your best estimate for the costs of this new scenario.
Steps 1 to 4 are illustrated in Figure 3 in the form of a business process diagram (expressed in the BPMN – Business Process Modelling Notation language).
Figure 4: The generic BMC for OAIS.
4 GENERIC BMC FOR DIGITAL
CURATION BASED ON THE
OAIS
The purpose of this BMC is to represent a generic
Business Model that can be applied to Archives,
serving as a template that can be instantiated to
specific organizations. To develop the OAIS BMC
the recommended practice CCSDS 650.0-M-2 from
the Consultative Committee for Space Data Systems
(Magenta Book) was used. The objective of this BMC is that organizations that have archiving as one of their core services can use it to build their business model by instantiating it in their context.
Figure 4 depicts the generic BMC based on
OAIS. For details on the BMC please visit
http://4ctoolset.sysresearch.org, under OAIS
Template. The BMC uses definitions from OAIS
(CCSDS, 2012).
5 RISKS AND CONTROLS
REPOSITORY
Generic risks and controls were identified after
analysing the results of the DRAMBORA
(DCC/DPE, 2007) report. The Digital Repository
Audit Method Based on Risk Assessment
(DRAMBORA) represents an effort to conceive
criteria, means and methodologies for risk
assessment of digital repositories. The selected risks and controls can be found in the Holirisk tool at http://4ctoolset.sysresearch.org; a sample is provided in Table 1.
Table 1: Generic risks and controls identification.

Id | Generic risks | Generic controls
R1 | Business fails to preserve essential characteristics of digital assets | Define main characteristics of digital content for information preservation
R2 | Business policies and procedures are inefficient | Document and make available business policies and procedures
R3 | Enforced cessation of repository operations | Plan for continuation of preservation activities beyond repository's lifetime
R4 | Activity allocates insufficient resources | Use mechanisms to measure activity efficiency in terms of allocated resources, procedures and policies
R5 | Community requirements change substantially | Identify, monitor and review the understanding of the community requirements and of the repository objectives
R6 | Community feedback not received | Use mechanisms (e.g. email, surveys) for soliciting feedback from repository users community
R7 | Community feedback not acted upon | Define policies to acknowledge community's feedback
R8 | Loss of key member(s) of staff | Appoint a sufficient number of appropriately qualified personnel
R9 | Personnel suffer skill loss | Implement mechanisms to identify ongoing personnel training requirements
R10 | Budgetary reduction | Define a financial preservation plan to assure self-sustainability of repository
R11 | Software failure or incompatibility | Install software updates
R12 | Hardware failure or incompatibility | Monitor hardware performance
R13 | Obsolescence of hardware or software | Maintain hardware/software up to date to meet repository objectives
R14 | Media degradation or obsolescence | Allocate resources to monitor media storage lifetime and assess potential value of emerging technologies
R15 | Local destructive or disruptive environmental phenomenon | Implement physical security measures (e.g. video-record)
R16 | Non availability of core utilities (e.g. electricity, gas) | Define internal means to nullify disruption of service, monitor and review contract agreements of provider's services
R17 | Loss of other third-party services | Document and review service level contracts or service commitments with utility provider
R18 | Loss of authenticity/integrity of information | Monitor, record and validate integrity of received content
6 CASE STUDY: CIVIL
ENGINEERING LABORATORY
The Civil Engineering Laboratory is a public
Science and Technology institution, which is subject
to Government supervision. Its activity is developed
in the various fields of civil engineering and its main
assignments are the execution, supervision and
promotion of scientific research and technological
developments to achieve progress, innovation and
good practices in civil engineering. The institution is
also responsible for providing an unbiased and
suitable scientific and technical support to the
executive power, in its governing and regulatory
activities. The laboratory undertakes research in the
following areas:
Usage of monitoring technologies to gather
observation data and automatic
communication systems;
Risk analysis of dam construction and
operation;
Characterisation and modelling of future
deterioration of dams and their foundations.
The BMC presented here (Figure 5) is an
instantiation of the generic BMC based on OAIS.
For some of the objects in the canvas there are
specific case-dependent instantiations of the object
between square brackets. For example, if there is an
object with Producers [Dam Owners] this means that
for that specific case the producers are the dam
owners. There are also objects in blue, this means
that these objects were not present in the generic
OAIS BMC and are specific for the case study
depicted by the BMC.
For the other objects, which have neither square brackets nor are depicted in blue, this means that they are present in the respective case; however, there is no need to provide an example, as there is no added value in doing so and the OAIS definitions (from Section 4) cover them. The details of the instantiation of the BMC for this case study can be found at http://4ctoolset.sysresearch.org.
Figure 5: Civil Engineering Laboratory Business Model Canvas.
The risks were identified through the analysis of the BMC for the case study and are referred to by their Id from Table 1. Regarding the controls for the risks identified, refer to Table 1. For a more detailed analysis of the risks and controls for the case study, visit the Holirisk tool at http://4ctoolset.sysresearch.org in the page of the BMC for this case study.
Revenue Streams - Risks related to the
worth of a repository business and the
value it offers to the community: R10.
Cost structure - Risks regarding the
cost to support the repository business:
R8; R13; R16; R18.
Channels - Risks related to the
communication and dissemination of the
business provided by a repository: R6.
Customer Segments - Risk that relates
with what the repository should deliver
within the community vision: R5.
Customer Relationships - Risks
associated with the community that
makes use of the repository for their
research work: R7.
Key Resources - Risks related to the
resources of infrastructure and personnel
which sustain the repository business:
R15; R3; R8; R9; R11; R12.
Value Propositions - Risks regarding
the vision and value of a repository: R1;
R2.
Key Partnerships - Selected risks
regarding the outsourcing services
repository may depend on to deliver the
preservation business: R13; R17.
Using Table 1 and the detailed risks and controls from http://4ctoolset.sysresearch.org as well as the list of consolidated risks we can identify potential controls for the identified risks.
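As an added illustration (not code from the paper or from the 4C toolset) of stages 2 to 4 of the method in Section 3 applied to the block-to-risk mapping above: risk ids, generic controls and block assignments are taken from Table 1 and the list above (abridged to five risks), while the euro cost figures for the "Current" and "Future" scenarios are constructed placeholders. The consolidation step shows the repetitions the method asks to detect (R8 and R13 each appear under two blocks).

```python
"""Pragmatic risk assessment over a BMC: consolidate, find controls, cost scenarios.

Risk ids, controls and block assignments follow Table 1 and Section 6 (abridged);
the cost figures below are constructed placeholders, not values from the paper.
"""
from collections import OrderedDict

# Generic risk registry (subset of Table 1): id -> (risk, generic control)
REGISTRY = {
    "R1": ("Business fails to preserve essential characteristics of digital assets",
           "Define main characteristics of digital content for information preservation"),
    "R5": ("Community requirements change substantially",
           "Identify, monitor and review the understanding of the community requirements"),
    "R8": ("Loss of key member(s) of staff",
           "Appoint a sufficient number of appropriately qualified personnel"),
    "R13": ("Obsolescence of hardware or software",
            "Maintain hardware/software up to date to meet repository objectives"),
    "R17": ("Loss of other third-party services",
            "Document and review service level contracts or service commitments"),
}

# Stages 1-2: risks identified per BMC block for the case study (Section 6, abridged)
BMC_RISKS = {
    "Cost Structure": ["R8", "R13"],
    "Key Resources": ["R8"],
    "Value Propositions": ["R1"],
    "Customer Segments": ["R5"],
    "Key Partnerships": ["R13", "R17"],
}


def consolidate(bmc_risks):
    """Stage 3a: merge risks repeated across blocks, remembering where each appears."""
    merged = OrderedDict()
    for block, ids in bmc_risks.items():
        for rid in ids:
            merged.setdefault(rid, []).append(block)
    return merged


def controls_for(consolidated, registry):
    """Stage 3b: look up the generic control for every consolidated risk."""
    return {rid: registry[rid][1] for rid in consolidated if rid in registry}


def scenario_cost(consolidated, cost_estimates):
    """Stage 3c / stage 4: total estimated cost of the controls in one scenario.

    Risks with no cost estimate have no control in that scenario and are listed
    separately, so an uncovered risk is never silently counted as zero cost.
    """
    covered = {rid: cost_estimates[rid] for rid in consolidated if rid in cost_estimates}
    uncovered = [rid for rid in consolidated if rid not in cost_estimates]
    return sum(covered.values()), uncovered


# Constructed figures: "Current" has controls for four of the five risks; the
# "Future" alternative adds a contract review for R17 and a cheaper refresh for R13.
CURRENT = {"R1": 4000, "R5": 1500, "R8": 12000, "R13": 9000}
FUTURE = {"R1": 4000, "R5": 1500, "R8": 12000, "R13": 6000, "R17": 2500}

if __name__ == "__main__":
    merged = consolidate(BMC_RISKS)
    for rid, blocks in merged.items():
        print(rid, "appears in", blocks, "->", controls_for(merged, REGISTRY)[rid])
    cur_total, gaps = scenario_cost(merged, CURRENT)
    fut_total, _ = scenario_cost(merged, FUTURE)
    print(f"Current: {cur_total} (uncovered risks: {gaps}); Future: {fut_total}")
```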
7 CONCLUSIONS
This paper proposed a pragmatic method for identifying risks from a Business Model Canvas which is based on two different scenarios: (1) the “Current” scenario, where the controls already exist in the repository as a means to reduce the impact of a consequence of a risk; and (2) the “Future” scenario, where the controls do not yet exist, but where repository managers are able to consider alternative scenarios of repository governance.
The foundations of this method make use of relevant sources of literature, such as ISO 31000 and the Business Model Canvas. The focus of this paper was to present the method as a pragmatic technique, and provide some examples for a case study. This paper also provided two tools to accomplish the goals of the method proposed: (1) a generic BMC, which organizations can use as a template to instantiate to their specific context, and (2) a risk registry for digital curation: a registry of derived risks, together with common related controls.
ACKNOWLEDGEMENTS
This work was supported by national funds through
Fundação para a Ciência e a Tecnologia (FCT) with
reference UID/CEC/50021/2013, and by the project
4C, co-funded by the European Commission under
the 7th Framework Programme for research and
technological development and demonstration
activities (FP7/2007-2013) under grant agreement
no. 600471.
REFERENCES
CCSDS, 2012. Space data and information transfer
systems – Open archival information system –
Reference model – Magenta Book.
DCC, 2014. What is digital curation? [Online]. Available from: http://www.dcc.ac.uk/digital-curation/what-digital-curation
DCC/DPE, 2007. DCC and DPE Digital Repository Audit
Method Based on Risk Assessment, version 1.0.
ISO/FDIS, 2009a. ISO 31000: Risk Management—
Principles and guidelines.
ISO/FDIS, 2009b. IEC 31010: Risk management—Risk assessment techniques.
ISO, 2009. ISO Guide 73: Risk management—Vocabulary.
ISO/TR, 2013. ISO 31004: Risk management—Guidance
for the implementation of ISO 31000.
LeanStack, 2014. Lean Canvas—1 Page Business Model.
McAfee, S., 2013. Why Do For-Profits Get All The Best
Resources?! 2 Tools Every Nonprofit Can Use to
Manage Risk.
Parrisius, J., 2013. Business Modeling to Reduce Risk. [Online]. Available from: http://juliusparrisius.wordpress.com/2013/03/25/business-modeling-to-reduce-risk/
Osterwalder, A., 2009. Business Model Generation,
Alexander Osterwalder & Yves Pigneur.
Osterwalder A., 2004. The Business Model Ontology—A
Proposition in a Design Science Approach, University
of Lausanne.
Schliemann, M., 2013. BMI? Of course, but what about
the Model Risks?