A systematic review of goal-oriented requirements management frameworks for business process compliance

Legal compliance has been an active topic in Software Engineering and Information Systems for many years. However, business analysts and others have recently started exploiting Requirements Engineering techniques, and in particular goal-oriented approaches, to model and reason about legal documents in system design and business process management. Many contributions involve extracting legal requirements, providing law-compliant business processes, as well as managing and maintaining compliance. In this paper, we report on a systematic literature review focusing on goal-oriented legal compliance of business processes. 88 papers were selected out of nearly 800 unique papers extracted from five search engines, with manual additions from the Requirements Engineering Journal and four relevant conferences. We grouped these papers into eight categories based on a set of criteria and then highlighted their main contributions. We found that the main areas for contributions have been in extracting legal requirements, modeling them with goal modeling languages, and integrating them with business processes. We identify gaps and opportunities for future work in areas related to prioritization to improve compliance, templates for generating law-compliant processes, general links between legal requirements, goal models, and business processes, and semi-automation of legal compliance and analysis.
