Formalizing and applying compliance patterns for business process compliance

Today's enterprises demand a high degree of business process compliance to meet diverse regulations and legislation. Several industrial studies have shown that compliance management is a daunting task: organizations are still struggling with it and spend billions of dollars annually to ensure and prove their compliance. In this paper, we introduce a comprehensive compliance management framework with a main focus on design-time compliance management, as a first step towards preventive, lifetime compliance support. The framework automates the compliance-related activities that are amenable to automation and can therefore significantly reduce compliance expenditure. It helps experts carry out their work more efficiently, cuts the time spent on tedious manual activities, and reduces potential human error. An evident candidate for automation is compliance checking, which can be achieved with formal reasoning and verification techniques. Formal languages, however, are notoriously complex: only users versed in mathematical theories and formal logics are able to use and understand them, which is generally not the case for business and compliance practitioners. Therefore, at the heart of the compliance management framework we introduce the Compliance Request Language (CRL), which is formally grounded in temporal logic and enables the abstract, pattern-based specification of compliance requirements. CRL consists of a series of compliance patterns that span three structural facets of business processes: control flow, employed resources, and the temporal perspective. Furthermore, CRL supports the specification of compensations and non-monotonic requirements, which permit relaxing some compliance requirements to handle exceptional situations.
An integrated tool suite has been developed as an instantiation artefact, and the approach is validated in several directions, including internal validity, controlled experiments, and functional testing.
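As an added illustration (not the paper's CRL syntax or its tool suite), the following Python sketch shows how pattern-based compliance requirements of the three kinds named above can be compiled into checks over a finite process execution trace, and how two relaxation combinators express the non-monotonic and compensation requirements the abstract mentions. The pattern names, the `Event` record and the loan-approval trace are assumptions constructed for this example.

```python
"""Pattern-based compliance checking over finite process execution traces.
Added illustration, not the paper's CRL: each pattern compiles to a checker
over a finite trace, in the style of temporal-logic property patterns. The
pattern names, the Event format and the sample trace are assumed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Event:
    """One step of a process execution: activity, performer and time stamp."""
    activity: str
    performer: str
    time: int  # abstract time units

Trace = List[Event]
Pattern = Callable[[Trace], Optional[str]]  # None = compliant, else violation

def response(a: str, b: str) -> Pattern:
    """Control flow: every a must eventually be followed by b, G(a -> F b)."""
    def check(trace: Trace) -> Optional[str]:
        unanswered: Optional[int] = None  # step of the latest a with no later b
        for i, ev in enumerate(trace):
            if ev.activity == a:
                unanswered = i
            elif ev.activity == b:
                unanswered = None
        if unanswered is None:
            return None
        return f"{a} at step {unanswered} is never followed by {b}"
    return check

def precedence(a: str, b: str) -> Pattern:
    """Control flow: b may only occur once some a has occurred, (not b) W a."""
    def check(trace: Trace) -> Optional[str]:
        seen_a = False
        for i, ev in enumerate(trace):
            if ev.activity == a:
                seen_a = True
            elif ev.activity == b and not seen_a:
                return f"{b} at step {i} occurs before any {a}"
        return None
    return check

def segregation_of_duties(a: str, b: str) -> Pattern:
    """Resource: no single performer may carry out both a and b in one instance."""
    def check(trace: Trace) -> Optional[str]:
        performers_of_a = {ev.performer for ev in trace if ev.activity == a}
        for i, ev in enumerate(trace):
            if ev.activity == b and ev.performer in performers_of_a:
                return f"{ev.performer} performed both {a} and {b} (step {i})"
        return None
    return check

def response_within(a: str, b: str, deadline: int) -> Pattern:
    """Temporal: every a must be followed by b at most `deadline` units later."""
    def check(trace: Trace) -> Optional[str]:
        for i, ev in enumerate(trace):
            if ev.activity != a:
                continue
            # The first b after this a is the earliest answer; if it is late, all are.
            answer = next((e for e in trace[i + 1:] if e.activity == b), None)
            if answer is None:
                return f"{a} at t={ev.time} is never followed by {b}"
            if answer.time - ev.time > deadline:
                return (f"{b} at t={answer.time} misses the {deadline}-unit "
                        f"deadline after {a} at t={ev.time}")
        return None
    return check

def unless(pattern: Pattern, exception: str) -> Pattern:
    """Non-monotonic relaxation: waive the rule when the exception activity occurs."""
    def check(trace: Trace) -> Optional[str]:
        return None if any(ev.activity == exception for ev in trace) else pattern(trace)
    return check

def compensated_by(pattern: Pattern, compensation: str) -> Pattern:
    """Compensation: tolerate a violation if the compensating activity occurs anywhere."""
    def check(trace: Trace) -> Optional[str]:
        violation = pattern(trace)
        if violation and any(ev.activity == compensation for ev in trace):
            return None
        return violation
    return check

def check_compliance(rules: Dict[str, Pattern], trace: Trace) -> Dict[str, str]:
    """Evaluate every rule against the trace; return only the violated ones."""
    results = {name: pattern(trace) for name, pattern in rules.items()}
    return {name: msg for name, msg in results.items() if msg is not None}

# Constructed sample: one execution of a loan-approval process.
SAMPLE_TRACE: Trace = [
    Event("ReceiveApplication", "alice", 0),
    Event("CreditCheck", "bob", 2),
    Event("Approve", "bob", 5),
    Event("Disburse", "carol", 30),
]
RULES: Dict[str, Pattern] = {
    "credit_check_precedes_approve": precedence("CreditCheck", "Approve"),
    "approve_leads_to_disburse": response("Approve", "Disburse"),
    "four_eyes_on_approval": segregation_of_duties("CreditCheck", "Approve"),
    "disburse_within_10": response_within("Approve", "Disburse", 10),
    "within_10_unless_hold": unless(response_within("Approve", "Disburse", 10), "FraudHold"),
    "within_10_or_notify": compensated_by(response_within("Approve", "Disburse", 10), "NotifyCustomer"),
}
```

`check_compliance(RULES, SAMPLE_TRACE)` returns only the violated rules with a diagnostic message, which is what a design-time check has to surface to a practitioner: on the sample trace the four-eyes rule fires because the same performer ran the credit check and the approval, and the three deadline variants fire because disbursement comes 25 time units after approval; appending a `FraudHold` or `NotifyCustomer` event silences the relaxed variant built with `unless` or `compensated_by` respectively, while the plain deadline rule keeps reporting.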
