A method of calculating the cost of reducing the risk exposure of non-compliant process instances

A method is introduced to measure the risk of being non-compliant and the cost of reducing the risk by performing internal audits with the help of automated audit tools. Risk exposure of a business process is defined in terms of the prevalence of non-compliant process instances that are subject to penalty. The risk exposure can be reduced by detecting the non-compliant process instances in advance with the help of manual audits and automated auditing tools. The cost of this hybrid approach, however, should be kept less than the reduction amount of risk exposure. Copyright 2009 ACM.