Business process reengineering and organizational performance : a case of Ethiopian banking sector

Abdurezak Mohammed Kuhil

17 March 2014

Since the late eighties, BPR has established itself as one of the attractive radical change management option for coping and adapting to the new competitive market environment and become popular both in the public and private organisations throughout the world . Cognizant of this fact, all Ethiopian public (government owned) institutions including the public financial institutions have embarked on large-scale change projects since 2004 in which Business process re-engineering(BPR) is a central element . This research examined whether implementation of Business Process Reengineering (BPR) projects have improved operational performance of the selected case public commercial banks in Ethiopia by collecting and analyzing both quantitative and qualitative comprehensive data set, using mixed research approach through questionnaires, interviews, observations and review of secondary sources of information. The operational performance measures utilized in this study are cost reduction, speed of service delivery, service quality, customer satisfaction as well as innovation. A total of 837 (84% response rate) questionnaires were returned from respondents of the selected branches and head offices. In addition, in-depth interviews were conducted with eight senior managers of the respective banks, who were also members of their respective banks reform team and were involved in the design and implementation of BPR. The third method that was used to collect qualitative data was personal observation of the selected bank branches in order to measure the speed of service delivery and convenience of the waiting places. The researcher measured the service delivery time of selected busy bank branches for five consecutive days, for half an hour spent in each branch. This study found that the introduction of BPR in the case banks was met with mixed reactions from employees and some managers. The main achievements of BPR were: service delivery time reduced dramatically as a result of the new process redesign and introduction of information and communication technology services(introduction of e-banking); introducing a single customer contact point through employee empowerment to make all the necessary decisions at that point of contact which resulted in improving the satisfaction of employees and customers. The challenge was that resistance from employees and some managers (labelled the initiative as “Blood pressure raiser” due to their assumptions it will result in employee lay off or the change brings increased workloads for some remaining employees without compatible rewards following the new process redesign. The study also revealed that telecom infrastructure and power interruption considered as main problem areas in providing banking services efficiently and effectively through branch net workings. The researcher recommends that for a better BPR design and implementation as well as sustainability of improvement gains in the banking sector, a forum should be established to discuss and share good practices and technology in the banking sector ; establish strong change management offices to continuously assist and monitor results; and continuously involve and communicate key stakeholders in the design and implementation of change initiatives. / Business Management / D.B.L.

Business process reengineering (BPR)

Ethiopian public commercial banks

Operational performance

658.4063

Organizational change -- Ethiopia

Reengineering (Management) -- Ethiopia

Banks and banking -- Ethiopia

Performance -- Management

Developing a financial view in an ERP system as part of a value based management initiative

De Kock, Jacques

12 1900

Thesis (MBA)--Stellenbosch University, 2000. / ENGLISH ABSTRACT: Modern companies need to compete on a global level to obtain sufficient capital from investors. That is why it is becoming increasingly important for companies to concentrate particularly on fulfilling the expectations of the investment community. With this in mind, companies have begun to optimise their operational business processes in order to gain a greater degree of efficiency and in doing so greater security. This movement started in the early nineties with intensive Business Process Reengineering (BPR) exercises. A key enabler for increased efficiency through Business Process Reengineering was the infrastructure provided by the development of integrated software packages called Enterprise Resource Planning (ERP) systems. BPR exercises are normally part and parcel of an ERP implementation project. After the implementation of an ERP system in any business, management will also be in a vastly better position to control the business operations through better information delivery. Most companies are still controlled and managed on the basis of historical financial figures such as profit. Traditional financial statements are increasingly being viewed with distrust due to the perceived ease with which they can be manipulated. As many investors value companies and their performance on the basis of expected "future free cash flows" (excess cash after investment in all positive NPV projects), many companies are now switching from profit-based management to the more comprehensive Value Based Management principles, that takes this into account. A key enabler of the Value Based Management approach is the development of a Balanced Scorecard (BSC) that contains the measures whereby the business should be controlled and measured. With the BSC, a business strategy is translated into a strategic measurement system that focuses on more than just the traditional financial aspects by including measures in other areas of a business, such as customer satisfaction or internal efficiencies. In the BSC financial view the primary indicator of business success is Economic Value Created (EVe). Eve is a true indicator of shareholder wealth created and takes the cost of capital into account. EVC performance becomes the ultimate barometer of business success. Value Based Management companies that invested heavily in the implementation of ERP systems want a good return but normally don't know how best to achieve this. They are wondering how to best make use of the wealth of information that is suddenly at their disposal. In driving shareholder value they are faced by the following questions: • How to translate investor expectations into business strategy and how to link this strategy to day to day operations. • How to use the acquired ERP system in support of this Value Based Management approach to enable maximum return on the investment. In this study project a real South African company, XX Automotive (fictitious name), that recently implemented SAP R/3 as an ERP system is covered as an example to illustrate how these questions can be answered. In Part I, this study project begins by describing all the elements and basic principles of a Value Based Management System such as a Balanced Scorecard (BSC) with EVC as prime measure. Part II illustrates how the XX Automotive financial strategy is translated into a Balanced Scorecard with Economic Value Created (EVC) as main financial measure and how these defined measures were represented by SAP reports that were specifically developed for this purpose. The Balanced Scorecard represented by the SAP reports serves only as a one way measurement system. The next critical step is to determine how to influence the results. The information that populates the SAP reports in XX Automotive's Balanced Scorecard is generated all over the business by the end users in their respective departments. The influence on EVC through business actions by these individual units is discussed in depth as it provides the keys that illustrate how the value of EVC can be impacted positive or negatively by each. Giving individuals the power to influence EVC through incentive schemes is crucial for long term success. It is illustrated how improving EVC became the new business focus at XX Automotive and how each individual employee can visually see his role in influencing the outcome. Meeting the value-based "Expected EVC Improvement" targets will generate target level bonus payments. Each XX Automotive employee is encouraged to think and act like an owner because he is going to be paid like one. / AFRIKAANSE OPSOMMING: Moderne maatskappye moet op globale skaal kompeteer vir genoegsame kapitaal vanaf beleggers. Daarom word dit al hoe meer belangrik vir maatskappye om te konsentreer daarop om aan die verwagtinge van die beleggers gemeenskap te voldoen. Met dit in gedagte, het maatskappye begin om hulle operasionele besigheidsprossesse te optimeer om sodoende 'n beter vlak van effektiwiteit te bereik en daardeur groter sekuriteit aangaande hul eie voorbestaan te verseker. Hierdie beweging het in die negentigerjare begin met intensiewe besigheidsherontwerp, die sogenaamde 'Business Process Reengineering' (BPR) oefeninge. 'n Belangrike katalisator vir verbeterde effektiwiteit deur BPR is die infrastruktuur wat voorsien is deur die ontwikkeling van geintegreerde besigheidssagtewarepakkette nl. 'Enterprise Resource Planning' (ERP) stelsels. Met 'n ERP implementeringsprojek word gewoonlik intensiewe BPR gedoen. Nadat 'n ERP pakket geimplimenteer is behoort bestuur ook in 'n baie beter posisie te wees om besigheidsoperasies te beheer deur die verbeterde inligting verkry uit die ERP sagteware. Dit word ook duidelik dat die meerderheid van maatskappye steeds beheer en bestuur word op die basis van historiese finansiële maatstawwe soos wins in die inkomstestaat. Weens die feit dat baie beleggers maatskappye waardeer op grond van hul sogenaamde "future free cash flows" (oorblywende kontant na investering in alle NPV positiewe projekte), skakel maatskappye oor van 'n winsgebaseerdebestuurstelsel na die meer omvattende' Value Based Management' stelsel, waarvan 'Economic Value Created' (EVC) die hoofkomponent is. 'n Belangrike skakel in die 'Value Based Management' initiatief is die ontwikkeling van 'n 'Balanced Scorecard', 'n bestuurskonsep waarin die maatstawwe opgesluit lê waarmee die besigheid beheer en bestuur moet word. 'Value Based Management' gedrewe maatskappye wat groot investerings gemaak het in die implementering van ERP sagteware wil 'n goeie opbrengs op die belegging hê maar weet gewoonlik nie wat die beste manier is om dit te doen nie. Hulle wonder hoe om die maksimum voordeel te trek uit die skatkis van besigheidsinligting wat skielik tot hulle beskikking is. In 'n strewe om beleggers waarde te verbeter kom hulle voor die volgende vraagstukke te staan: • Hoe om beleggers verwagtinge om te skakel in besigheids strategie en hoe om hierdie strategie te skakel met daaglikse besigheids operasies. • Hoe om die ERP stelsel te gebruik ter ondersteuning van die 'Value Based Management' prinsiep om die maksimum opbrengs op belegging te kry. In hierdie studieprojek word 'n Suid Afrikaanse maatskappy, XX Automotive (fiktiewe naam), gedek wat onlangs SAP R/3 as 'n ERP stelsel geimplimenteer het as 'n voorbeeld gebruik om te illustreer hoe hierdie vrae in die praktyk beantwoord kan word. In Deel I van hierdie studieprojek word al die elemente en basiese beginsels van die 'Value Based Management' sisteem bespreek. Deel II illustreer hoe die XX Automotive finansiële strategie omgesit is in 'n 'Balanced Scorecard' met Economic Value Created (EVC) as die hoof maatstaf en hoe al die finansiële maatstawwe in die Balanced Scorecard deur middel van SAP verslae, wat spesifiek vir hierdie doel ontwikkel is, weergegee word. Die 'Balanced Scorecard', soos voorgestel deur die verslae in SAP, vorm net 'n metings instrument. Wat van groter belang is, is om te bepaal hoe die resultate beinvloed kan word. Die bestuursinligting waaruit die SAP verslae in die XX Automotive 'Balanced Scorecard' bestaan word gevorm deur die besigheidseindgebruiker op die SAP stelsel elke keer wanneer 'n besigheidstransaksie uitgevoer word. Die invloed op EVC deur individuele besigheidseenhede word in diepte bespreek aangesien dit deurslaggewend is ter illustrasie van hoe die EVC waarde positief of negatief geraak word deur hul besigheids aksies. Om individue die mag te gee om die waarde van EVC te beinvloed deur middel van 'n aansporingstelsel is kritiek vir lang termyn sukses. Elke XX Automotive werknemer word aangespoor deur 'n bonus stelsel om soos 'n aandeelhouer op te tree aangesien hy soos een vergoed sal word.

Reengineering (Management)

Strategic planning

Dissertations -- Business management

Business process reengineering

Enterprise resource planning

Value based management

Balanced scorecard

Theses -- Business management

An ebXML-based Collaborative Commerce Business Process Model -A Global Logistics Example / 以ebXML為基礎之協同商務企業流程模式-以國際物流業為例

吳慧茹, Wu, Huei-Ru

Unknown Date

對企業而言，Internet和電子商務的興起提供了一個全新的商業交易方式。許多企業企圖融合新的資訊科技與企業流程，讓他們可以跨越企業間的藩籬進而互相分享價值鏈中的決策、工作流與資訊。然而，當企業嘗試著以其內部的資訊系統與交易夥伴溝通時，卻發現到處都是問題。雖然XML 提供了一個多功能的且健全的資料交換格式，但仍然不夠，必須有一個流程整合的標準來進行企業間交易流程的塑模(modeling)、部署(deploying)、執行(executing)以及管理(managing)。在本篇研究中，將探討企業對企業間協同流程的整合，並且發展一個以ebXML為基礎的協同商務企業流程模式。基於UN/CEFACT Modeling Methodology (UMM)此一致性的塑模方法論，本研究以邏輯化且系統化的方式來發現並詳細表達出國際物流業的跨企業交易流程，並以ebXML流程分析表格(ebXML Business Process Analysis Worksheets)為流程塑模輔助工具，進行國際物流業流程分析結果的記錄與表達。 基於此一ebXML為基礎之流程模式，本研究開發了一個企業間流程整合的雛形系統，藉以證明此企業流程模式是可行的，同時提出一個即時有效率的企業間電子商務可行方案。 / Internet technology and electronic commerce (EC) have brought up a complete overhaul on the information and communication technology infrastructure to do business in a new manner where companies try to leverage new technologies to enable a set of complex cross-enterprise business processes allowing entire value chains to share decision-making, workflow, capabilities, and information with each other. However, companies often have problems in making their internal information technology (IT) systems communicate with their partners. Although eXtensible Markup Language (XML) represents the most versatile and robust format for exchanging business information, there is also a need for process integration standard that enables processes to be modeled, deployed, executed, and managed. In this research, business-to-business collaboration process integration issues have been studied and an ebXML-based Collaborative Commerce Business Process Model is developed. According to a consistent modeling methodology, UN/CEFACT Modeling Methodology (UMM), we identify and specify the inter-enterprise business processes of the global logistics industry in a logical and systematical way. The ebXML Business Process Analysis Worksheets is used as modeling aids to record and represent analysis results of global logistics industry. Based on the ebXML-based business process model, we develop a B2B process integration prototype system which shows that the business process model is feasible and suggests a possible solution for real-time and efficient B2B electronic commerce.

國際物流

企業間流程整合

企業流程模式

ebXML

Global Logistics

B2B Process Integration

Business Process Model

UMM

Une méthodologie de modélisation par processus multiples et incrémentiels : application pour l'évaluation des performances de la Supply Chain

Féniès, Pierre

05 December 2006

L'étude de la littérature montre que l'aide à la décision pour la Supply Chain (SC) ignore l'évaluation des flux financiers. Cette thèse propose une approche transdisciplinaire permettant l'évaluation des flux physiques et financiers de la SC. Nous proposons une méthodologie de modélisation par processus multiples et incrémentiels ainsi qu'un environnement de modélisation qui ont pour but d'évaluer flux physiques et financiers d'une SC. L'évaluation de la performance est réalisée par un modèle générique décisionnel combinant modèles du contrôle de gestion et couplages de modèles de simulation et d'optimisation. La mise en oeuvre de ces modèles se matérialise par une suite logicielle appelé Advanced Budgeting and Schedeling (ABS) qui constitue, par l'intégration des flux financiers dans l'aide à la décision, une évolution dans les logiciels pour la SC. Nous concevons deux ABS, l'un pour une SC industrielle d'une multinationale, l'autre pour la SC du Nouvel Hôpital d'Estain.

Supply Chain Management

Supply Chain

Business Process Management

Activity Based Costing

Flux Financier

ABS

méthodologie de modélisation

房貸業務授信流程分析之研究：以某銀行為例

俞秀鴻

Unknown Date

我國銀行業於1991年開放新民營銀行設立，使得整體銀行的服務水準得以提升，新金融商品的開發更加快速，但利率自由化，以及各銀行採取價格競爭策略爭取客戶之作法，使得存放款利差日益縮小，各項經營風險隨之提高。金融機構惡性競爭不僅導致銀行授信品質日益惡化，同時也壓縮了銀行的獲利能力。近年來台灣經濟的不景氣與金融環境快速的變化，金融業的競爭優勢將取決於對市場、顧客及競爭同業能否做出最佳及最具差異化之決策。然而金融業收入之穩定來源，取決於企業流程作業之有效性，企業需要檢視其作業流程以消除無效率及無附加價值的作業，以降低成本、提升作業效率及效能。本研究應用企業流程資訊有機體分析架構(Tsaih and Lin 2006)，透過重現、系統化分析個案公司之房貸業務授信循環流程，並於評估流程實作後，提出相對應之作業流程及管理資訊之改善建議與管理議題，以提供個案公司做為未來管理房貸授信風險決策之參考。 / The deregulation of the Taiwan Banking industry started in 1991 has enhanced the quality of the financial service as well as speeded up the development of new financial products. The deregulation not only leads to the liberation of interest rate but also opens up the price competition between banks in order to attract customer and keep continuous sales growth. Such effect has depressed the spread of interest rate and instigated various operating risks. The cutthroat competition between banks results in deterioration of credit granting quality and reducetion in profitability. Due to the economic recession in Taiwan and the fast changing of financial environment in the recent years, the competitive advantages of the financial industry are determined by whether a bank is capable of making the best and differentiated reactions to market, customers and its competitors. The stability of the income generation to the financial industry depends mostly on the effectiveness and efficiency of the business processes. It is essential for an organization to oversee its business process to reduce less efficient, non-value-adding activities and costs. This study, based on an application to the Process-Wide Information Organism approach (Tsaih and Lin. 2006), investigates the mortgage loan business process of the subject company. By reconstructing and analyzing the practice of granting a mortgage loan, this study is able to provide corresponding suggestions with respect to process improvements and related managerial implications to the subject company.

銀行業

企業流程

房貸授信

流程改善

banking industry

business process

mortgage loan

process improvement

Business process management in an intrapreneurial software organisation / Ulrike Janke

Janke, Ulrike

January 2006

Business process management (BPM) is a philosophical approach to organisation-wide management in which the focus is on the processes through which it operates, and in particular the streamlining and optimising of these processes, for which software solutions may be used. CTexT is an intrapreneurial software organisation that has been experiencing problems with software development due to a lack of formal processes relating to customer support, versioning, configuration, quality, risk and project management. The objective of the study is to determine whether the implementation of an electronic BPM system can effectively solve CTexT's development problems and thereby improve its overall software development capacity. More specifically, the focus is on i) the effect of the resulting standardisation on creativity and innovation, and ii) implementation matters, such as the type of processes that can be subjected to an electronic system, and how CTexT can overcome the time and cost constraints of such a system. The study investigates these questions by means of a literature investigation in combination with interviews with knowledgeable respondents from other innovative and software organisations. Interviews with six employees from CTexT determine the relevance of these findings and highlight critical areas for process improvement. Since BPM systems improve organisational efficiencies and are generally employed in larger corporate contexts marked by transactional and repetitive activities where they enforce administrative rules, the conclusion is drawn that a BPM system will not be suitable for an intrapreneurial organisation, and that it is likely to cause more disruption to the creative environment than improve its operations. It is further shown that although a BPM system is theoretically applicable to software development, it generally does not seem to be applied practically in the industry, and the suitability of this process as manageable through a BPM system is seriously questioned. Instead, the research points to improvement through the application of software development methodologies and a holistic approach towards BPM. The investigation at CTexT confirms that its development problems relate to flawed methodologies and that remedies should therefore focus on improving its methodologies and controlling certain aspects of the software development life cycle by means of suitable software tools. / Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2007

Business process management

BPM

BPM philosophy

BPMS

CTexT

Development

Intrapreneurial

Research and Development

Software

Software development

Software development methodologies

WfMS

Workflow

Workflow solutions

Designing the management systems for offices

Alfadhl, Seiam S.

January 2011

An initial review of literature concerned with commercial and industrial office design indicated the need to research and develop a method for the design of the management systems of offices with the purpose of improving the operational effectiveness and alignment to strategy. In particular the literature review indicated that the application of lean methods, in non-manufacturing areas is comparatively rare. A critical review of the literature identified that Value Stream Mapping has been used to map mechanistic task activities, however, a need was identified for a new generation of Value Stream Mapping to map mixed mechanistic and organic task activities. To complement the literature survey and discover if there were significant variables (e.g. task uncertainty, interdependence, task complexity, mechanistic / organic structures, risk, task analysability etc) influencing office design, pilot studies were carried out in a mechanistic and organic office. Several additional variables were identified. From the pilot studies combined with the literature review a conceptual model was formulated which provides guidelines for managers enabling them to design the management systems fully taking all the variables into account. The conceptual model was then tested using a multiple case study design of two small consulting type offices that exhibited mixed mechanistic and organic characteristics. This resulted in an improved version of the model which was then further validated. This validation based upon the opinions of office managers focused mainly on identifying the practical usefulness of the model from an industrial perspective. Following the validation a final form of the model has been proposed in this research. It remains for future researchers to fully test the model by applying it in a wider range of offices. This study makes an explicit contribution to the redesign of offices as well as the utilisation of Value Stream Mapping to the mechanistic and the organic task activities within commercial and industrial offices.

338.0068

Verification of Data-aware Business Processes in the Presence of Ontologies

Santoso, Ario

14 November 2016

The meet up between data, processes and structural knowledge in modeling complex enterprise systems is a challenging task that has led to the study of combining formalisms from knowledge representation, database theory, and process management. Moreover, to ensure system correctness, formal verification also comes into play as a promising approach that offers well-established techniques. In line with this, significant results have been obtained within the research on data-aware business processes, which studies the marriage between static and dynamic aspects of a system within a unified framework. However, several limitations are still present. Various formalisms for data-aware processes that have been studied typically use a simple mechanism for specifying the system dynamics. The majority of works also assume a rather simple treatment of inconsistency (i.e., reject inconsistent system states). Many researches in this area that consider structural domain knowledge typically also assume that such knowledge remains fixed along the system evolution (context-independent), and this might be too restrictive. Moreover, the information model of data-aware processes sometimes relies on relatively simple structures. This situation might cause an abstraction gap between the high-level conceptual view that business stakeholders have, and the low-level representation of information. When it comes to verification, taking into account all of the aspects above makes the problem more challenging. In this thesis, we investigate the verification of data-aware processes in the presence of ontologies while at the same time addressing all limitations above. Specifically, we provide the following contributions: (1) We propose a formal framework called Golog-KABs (GKABs), by leveraging on the state of the art formalisms for data-aware processes equipped with ontologies. GKABs enable us to specify semantically-rich data-aware business processes, where the system dynamics are specified using a high-level action language inspired by the Golog programming language. (2) We propose a parametric execution semantics for GKABs that is able to elegantly accommodate a plethora of inconsistency-aware semantics based on the well-known notion of repair, and this leads us to consider several variants of inconsistency-aware GKABs. (3) We enhance GKABs towards context-sensitive GKABs that take into account the contextual information during the system evolution. (4) We marry these two settings and introduce inconsistency-aware context-sensitive GKABs. (5) We introduce the so-called Alternating-GKABs that allow for a more fine-grained analysis over the evolution of inconsistency-aware context-sensitive systems. (6) In addition to GKABs, we introduce a novel framework called Semantically-Enhanced Data-Aware Processes (SEDAPs) that, by utilizing ontologies, enable us to have a high-level conceptual view over the evolution of the underlying system. We provide not only theoretical results, but have also implemented this concept of SEDAPs. We also provide numerous reductions for the verification of sophisticated first-order temporal properties over all of the settings above, and show that verification can be addressed using existing techniques developed for Data-Centric Dynamic Systems (which is a well-established data-aware processes framework), under suitable boundedness assumptions for the number of objects freshly introduced in the system while it evolves. Notably, all proposed GKAB extensions have no negative impact on computational complexity.

Verifikation

Data-aware

Geschäftsprozess

Ontologien

Inkonsistenz

Kontext

Golog

Wissensbasis

Verification

Data-aware

Business Process

Ontologies

Inconsistencies

Context

Golog

Knowledge Base

ddc:004

rvk:ST 265

Analýza procesní zralosti organizace / Examination of an organization's process maturity

Havlín, Petr

January 2010

This diploma thesis is dedicated to the examination of maturity levels of the rescue service of the central bohemian region. Furthermore to using the results of the examination to formulate recomandations in order to ease possible effort of the management to introduce approaches of the process management into the organization. Levels of maturity are examined by the factors identified by Mike Hammer in his PEMM (Process and Enterprise Maturity Model) model. Whole document is logically divided into four parts. The first part consists of detail description of the organization from three different angles. Purpose of the organization, strategic goals of the management and the organizational structure. Second part includes global and detail business process models created by the MMABP (Methodology for Modelling and Analysis of Business Process) by prof. Ing. Václav Řepa Csc. The models are created in the BPMN (Business Process Modelling Notation) and Eriksson-Penker notation. There are also included process interfaces and object lifecycles in the second part. Third part is where the comparison of described reality and the PEMM model factors of maturity is being made. All the maturity levels of the factors are argumented here as well. In the last part of this document, there is a presentation of the recomandations concluded from the previous comparison.

Gestionnaire contextualisé de sécurité pour des « Process 2.0 » / Contextualized security management for “Process 2.0”

Ouedraogo, Wendpanga Francis

29 November 2013

Compte tenu de l’environnement économique globalisé et de plus en plus concurrentiel, les entreprises et en particulier les PME/PMI, pour rester compétitif,doivent développer de nouvelles stratégie de collaborations (intra et inter-entreprises) et se restructurer pour rendre leur organisation et le système d’information agile. Alors que jusqu'à présent le Web 2.0 permettait de collaborer sur les données elles-mêmes, nous proposons de passer à une logique de « process 2.0 » permettant de rechercher / composer sémantiquement des services existants pour collaborer directement en partageant des fonctionnalités et non plus seulement des données. Couplé au développement du Cloud Computing, facilitant l’hébergement, une telle stratégie permettrait de coupler plus fortement les niveaux SaaS et PaaS. Toutefois, ceci pose d’évidents problèmes de gestion des contraintes de sécurité. Le développement de stratégies de sécurité est usuellement basé sur une analyse systématique des risques afin de les réduire en adoptant des contre-mesures. Ces approches sont lourdes, complexes à mettre en œuvre et sont souvent rendues caduques car les risques sont évalués dans un monde « fermé », ce qui n’est pas le cas d’une approche par composition de services métier réutilisable où le contexte d’utilisation des différents services au niveau métier et plateforme est inconnu a priori. Dans ce type d’approche, le contexte au niveau métier évoque à la fois les fonctionnalités apportées par chaque service, l’organisation (Qui fait à quoi ?) et l’enchainement de ces services ainsi que les types de données (d’ordre stratégique ou pas,..) que manipulent ces services. Au niveau plateforme, le contexte dépend de l’environnement (privé, public,..) dans lequel les services vont s’exécuter. C’est donc sur la base de l’analyse du contexte que l’on peut définir les contraintes de sécurités propres à chaque service métier, pouvoir spécifier les politiques de sécurités adéquates et mettre en œuvre les moyens de sécurisation adaptés. En outre, il est aussi nécessaire de pouvoir propager les politiques de sécurités sur tout le processus afin d’assurer la cohérence et une sécurité globale lors de l’exécution du processus. Pour répondre à ces enjeux, nous proposons d’étudier la définition des politiques de sécurité à base de « patrons » apportant une réponse graduée en fonction de la confiance que l’on a sur l’environnement. Ainsi des patrons de sécurité qui répondent à des besoins de sécurité métiers et à des besoins de sécurité plateforme seront définis et permettront d’exprimer l’ensemble des politiques de sécurité. La sélection et de mise en œuvre de ces politiques de sécurités se feront à partir de patrons de contexte. Notre proposition simple à appréhender par des non spécialistes, permettra, par des transformations de modèles, d’intégrer ces politiques au niveau technologique afin de garantir un niveau de qualité de protection constant quel que soit l’environnement de déploiement. / To fit the competitive and globalized economic environment, companies and especially SMEs / SMIs are more and more involved in collaborative strategies, requiring organizational adaptation to fit this openness constraints and increase agility (i.e. the ability to adapt and fit the structural changes). While the Web 2.0 allows sharing data (images, knowledge, CV, micro-blogging, etc...) and while SOA aims at increasing service re-using rate and service interoperability, no process sharing strategies are developed. To overcome this limit, we propose to share processes as well to set a "process 2.0" framework allowing sharing activities. This will support an agile collaborative process enactment by searching and composing services depending on the required business organization and the service semantics. Coupled with the cloud computing deployment opportunity, this strategy will lead to couple more strongly Business, SaaS and PaaS levels. However, this challenges security constraints management in a dynamic environment. The development of security policies is usually based on a systematic risks analysis, reducing them by adopting appropriate countermeasures. These approaches are complex and as a consequence difficult to implement by end users. Moreover risks are assessed in a "closed" and static environment so that these methods do not fit the dynamic business services composition approach, as services can be composed and run in different business contexts (including the functionalities provided by each service, the organization (Who does what?), the coordination between these services and also the kind of data (strategic or no...) that are used and exchanged) and runtime environment (public vs private platform…). By analyzing these contextual information, we can define specific security constraints to each business service, specify the convenient security policies and implement appropriate countermeasures. In addition, it is also necessary to be able to propagate the security policies throughout the process to ensure consistency and overall security during the process execution. To address these issues, we propose to study the definition of security policies coupling Model Driven Security and Pattern based engineering approach to generate and deploy convenient security policies and protection means depending on the (may be untrusted) runtime environment. To this end, we propose a set of security patterns which meet the business and platform related security needs to set the security policies. The selection and the implementation of these security policies will be achieved thank to context-based patterns. Simple to understand by non-specialists, these patterns will be used by the model transformation process to generate these policies in a Model@Runtime strategy so that security services will be selected and orchestrated at runtime to provide a constant quality of protection (independent of the deployment).

Informatique

Informatique dans les nuages

Sécurité informatique

Patron de sécurité

Processus métier

Services Web

Information Technology

Cloud Computing

Security

Security Patterns

Business process

Web Services

005.807 2