论文信息 - Are we done with business process compliance: state of the art and challenges ahead

Are we done with business process compliance: state of the art and challenges ahead

Literature on business process compliance (BPC) has predominantly focused on the alignment of the regulatory rules with the design, verification and validation of business processes. Previously, surveys on BPC have been conducted with specific context in mind; however, the literature on BPC management research is largely sparse and does not accumulate a detailed understanding on existing literature and related issues faced by the domain. This survey provides a holistic view of the literature on existing BPC management approaches and categorises them based on different compliance management strategies in the context of formulated research questions. A systematic literature approach is used where search terms pertaining keywords were used to identify literature related to the research questions from scholarly databases. From initially 183 papers, we selected 79 papers related to the themes of this survey published between 2000 and 2015. The survey results reveal that mostly compliance management approaches centre around three distinct categories, namely design-time ($$28\%$$28%), run-time ($$32\%$$32%) and auditing ($$10\%$$10%). Also, organisational and internal control-based compliance management frameworks ($$21\%$$21%) and hybrid approaches make ($$9\%$$9%) of the surveyed approaches. Furthermore, open research challenges and gaps are identified and discussed with respect to the compliance problem.

[1] Boudewijn F. van Dongen,et al. Process Mining and Verification of Properties: An Approach Based on Temporal Logic , 2005, OTM Conferences.

[2] Michael Wooldridge,et al. On the Logic of Normative Systems , 2007, IJCAI.

[3] Moe Thandar Wynn,et al. Normative requirements for regulatory compliance: An abstract formal framework , 2015, Information Systems Frontiers.

[4] José Miguel Pérez-Álvarez,et al. Compliance validation and diagnosis of business data constraints in business processes at runtime , 2015, Inf. Syst..

[5] L. Spira,et al. Risk Management: The Reinvention of Internal Control and the Changing Role of Internal Audit , 2003 .

[6] Christos Faloutsos,et al. Auditing Compliance with a Hippocratic Database , 2004, VLDB.

[7] Alessio Lomuscio,et al. Towards verifying contract regulated service composition , 2008, 2008 IEEE International Conference on Web Services.

[8] Marek J. Sergot,et al. A logic-based calculus of events , 1989, New Generation Computing.

[9] Audun Jøsang,et al. Discretionary enforcement of electronic contracts , 2002, Proceedings. Sixth International Enterprise Distributed Object Computing.

[10] Guido Governatori,et al. Representing business contracts in RuleML , 2005, Int. J. Cooperative Inf. Syst..

[11] Gregor Engels,et al. A Pattern-driven Development Process for Quality Standard-conforming Business Process Models , 2006, Visual Languages and Human-Centric Computing (VL/HCC'06).

[12] Mathias Weske,et al. Efficient Compliance Checking Using BPMN-Q and Temporal Logic , 2008, BPM.

[13] Maria Zhdanova,et al. Monitoring Security Compliance of Critical Processes , 2014, 2014 22nd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing.

[14] Jörg Becker,et al. Generalizability and Applicability of Model-Based Business Process Compliance-Checking Approaches — A State-of-the-Art Analysis and Research Roadmap , 2012 .

[15] Marta Indulska,et al. Emerging Challenges in Information Systems Research for Regulatory Compliance Management , 2010, CAiSE.

[16] Antonio J. Alencar,et al. A method for validating the compliance of business processes to business rules , 2010, SAC '10.

[17] Elisa Bertino,et al. A roadmap for comprehensive online privacy policy management , 2007, CACM.

[18] Farhad Arbab,et al. Towards Using Reo for Compliance-Aware Business Process Modeling , 2008, ISoLA.

[19] Guido Governatori,et al. The Making of SPINdle , 2009, RuleML.

[20] Jan Vanthienen,et al. Business Rules for Compliant Business Process Models , 2006, BIS.

[21] Antonio Ruiz Cortés,et al. On the Identification of Data-Related Compliance Problems in Business Processes , 2010 .

[22] Moe Thandar Wynn,et al. How to guarantee compliance between workflows and product lifecycles? , 2014, Inf. Syst..

[23] Wil M. P. van der Aalst,et al. DECLARE: Full Support for Loosely-Structured Processes , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[24] Stefanie Rinderle-Ma,et al. A systematic review on security in Process-Aware Information Systems - Constitution, challenges, and future directions , 2014, Inf. Softw. Technol..

[25] Jan Vanthienen,et al. Designing Compliant Business Processes with Obligations and Permissions , 2006, Business Process Management Workshops.

[26] Ying Liu,et al. A static compliance-checking framework for business process models , 2007, IBM Syst. J..

[27] Guido Governatori,et al. A conceptually rich model of business process compliance , 2010, APCCM.

[28] Moe Thandar Wynn,et al. Modeling Obligations with Event-Calculus , 2014, RuleML.

[29] Mathias Weske,et al. Specification, Verification and Explanation of Violation for Data Aware Compliance Rules , 2009, ICSOC/ServiceWave.

[30] Vito Pirrelli,et al. Semantic Mark-up of Italian Legal Texts Through NLP-based Techniques , 2004, LREC.

[31] Yves Pigneur,et al. Compliance Management in Multi-actor Contexts , 2009 .

[32] Schahram Dustdar,et al. Monitoring, Prediction and Prevention of SLA Violations in Composite Services , 2010, 2010 IEEE International Conference on Web Services.

[33] Michael Schrefl,et al. Behavior-consistent specialization of object life cycles , 2002, TSEM.

[34] Nenad Stojanovic,et al. Using Control Patterns in Business Processes Compliance , 2007, WISE Workshops.

[35] Philippe Schnoebelen,et al. Systems and Software Verification, Model-Checking Techniques and Tools , 2001 .

[36] Peter Dadam,et al. On enabling integrated process compliance with semantic constraints in process management systems , 2012, Inf. Syst. Frontiers.

[37] Qing Li,et al. Unified Modeling Language , 2009 .

[38] H. Cooper. Organizing knowledge syntheses: A taxonomy of literature reviews , 1988 .

[39] Slim Turki,et al. Compliance in e-Government Service Engineering: State-of-the-Art , 2010, IESS.

[40] Wil M. P. van der Aalst,et al. Data-Flow Anti-patterns: Discovering Data-Flow Errors in Workflows , 2009, CAiSE.

[41] Donald Nute,et al. Defeasible Deontic Logic , 2010 .

[42] Claudia Soria,et al. Automatic semantics extraction in law documents , 2005, ICAIL '05.

[43] Sherif Sakr,et al. An Anti-Pattern-based Runtime Business Process Compliance Monitoring Framework , 2016 .

[44] Guido Governatori,et al. On compliance checking for clausal constraints in annotated process models , 2012, Inf. Syst. Frontiers.

[45] Mustafa Hashmi. A Methodology for Extracting Legal Norms from Regulatory Documents , 2015, 2015 IEEE 19th International Enterprise Distributed Object Computing Workshop.

[46] Radboud Winkels,et al. Suggesting Model Fragments for Sentences in Dutch Laws , 2010 .

[47] Guido Governatori,et al. No Time for Compliance , 2015, 2015 IEEE 19th International Enterprise Distributed Object Computing Conference.

[48] Maike Gilliot,et al. Automating Privacy Compliance with ExPDT , 2008, 2008 10th IEEE Conference on E-Commerce Technology and the Fifth IEEE Conference on Enterprise Computing, E-Commerce and E-Services.

[49] Marco Montali,et al. Monitoring Business Constraints with Linear Temporal Logic: An Approach Based on Colored Automata , 2011, BPM.

[50] Evelina Lamma,et al. Expressing and Verifying Business Contracts with Abductive , 2007 .

[51] Manfred Reichert,et al. Modeling the Resource Perspective of Business Process Compliance Rules with the Extended Compliance Rule Graph , 2014, BMMDS/EMMSAD.

[52] Miguel Mira da Silva,et al. A Conceptual Model for Integrated Governance, Risk and Compliance , 2011, CAiSE.

[53] Maria E. Orlowska,et al. Towards a Methodology for Deriving Contract-Compliant Business Processes , 2006, Business Process Management.

[54] Moe Thandar Wynn,et al. Current Research in Risk-aware Business Process Management - Overview, Comparison, and Gap Analysis , 2014, Commun. Assoc. Inf. Syst..

[55] Wei-Tek Tsai,et al. Model-Based Monitoring and Policy Enforcement of Services , 2009, 2009 Congress on Services - I.

[56] Russell S. Peak,et al. Streamlining Product Lifecycle Processes: A Survey of Product Lifecycle Management Implementations, Directions, and Challenges , 2005, J. Comput. Inf. Sci. Eng..

[57] Nenad Stojanovic,et al. Towards A Formal Framework for Business Process Compliance , 2008, Multikonferenz Wirtschaftsinformatik.

[58] Paul Johannesson,et al. An Ontological Approach to Unified Contract Management , 2003, EJC.

[59] Tyrone Grandison,et al. Compliance with data protection laws using Hippocratic Database active enforcement and auditing , 2007, IBM Syst. J..

[60] Marwane El Kharbili,et al. Towards a Framework for Semantic Business Process Compliance Management , 2008 .

[61] Marwane El Kharbili,et al. Business Process Compliance Checking: Current State and Future Challenges , 2008, MobIS.

[62] Yacine Rezgui,et al. A rule-based semantic approach for automated regulatory compliance in the construction sector , 2015, Expert Syst. Appl..

[63] Mustafa Hashmi,et al. Enabling Reasoning with LegalRuleML , 2016, RuleML.

[64] Guido Governatori,et al. Norm Compliance in Business Process Modeling , 2010, RuleML.

[65] Shazia Wasim Sadiq,et al. Modeling Control Objectives for Business Process Compliance , 2007, BPM.

[66] Mike P. Papazoglou,et al. Formalizing and appling compliance patterns for business process compliance , 2016, Software & Systems Modeling.

[67] John Mylopoulos,et al. GaiusT: supporting the extraction of rights and obligations for regulatory compliance , 2013, Requirements Engineering.

[68] Ioan Alfred Letia,et al. Compliance checking of integrated business processes , 2013, Data Knowl. Eng..

[69] David J. DeWitt,et al. Limiting Disclosure in Hippocratic Databases , 2004, VLDB.

[70] Lokman I. Meho,et al. Modeling the information-seeking behavior of social scientists: Ellis's study revisited , 2003, J. Assoc. Inf. Sci. Technol..

[71] Guido Governatori,et al. Norms modeling constructs of business process compliance management frameworks: a conceptual evaluation , 2017, Artificial Intelligence and Law.

[72] Marco Montali,et al. A Framework for the Systematic Comparison and Evaluation of Compliance Monitoring Approaches , 2013, 2013 17th IEEE International Enterprise Distributed Object Computing Conference.

[73] Stefanie Rinderle-Ma,et al. Integration of Process Constraints from Heterogeneous Sources in Process-Aware Information Systems , 2011, EMISA.

[74] Marco Montali,et al. Compliance monitoring in business processes: Functionalities, application, and tool-support , 2015, Inf. Syst..

[75] Trevor J. M. Bench-Capon,et al. Isomorphism and legal knowledge based systems , 1992, Artificial Intelligence and Law.

[76] Kees M. van Hee,et al. Auditing 2.0: Using Process Mining to Support Tomorrow's Auditor , 2010, Computer.

[77] Marco Montali,et al. An Operational Decision Support Framework for Monitoring Business Constraints , 2012, FASE.

[78] Daniel Jackson,et al. Software Abstractions - Logic, Language, and Analysis , 2006 .

[79] Boudewijn F. van Dongen,et al. Towards Robust Conformance Checking , 2010, Business Process Management Workshops.

[80] Stefan Strecker,et al. RiskM: A multi-perspective modeling method for IT risk assessment , 2011, Inf. Syst. Frontiers.

[81] Huib Aldewereld,et al. Regulatory compliance of business processes , 2014, AI & SOCIETY.

[82] Ahmed Mahmoud Hany Aly Awad,et al. A compliance management framework for business process models , 2010 .

[83] Paolo Falcarin,et al. Synthesizing Service Composition Models on the Basis of Temporal Business Rules , 2008, Journal of Computer Science and Technology.

[84] Guido Governatori,et al. Regorous: a business process compliance checker , 2013, ICAIL.

[85] Peter Dadam,et al. On Enabling Data-Aware Compliance Checking of Business Process Models , 2010, ER.

[86] Akhil Kumar,et al. Visual Modeling of Business Process Compliance Rules with the Support of Multiple Perspectives , 2013, ER.

[87] Jian Yu,et al. Pattern Based Property Specification and Verification for Service Composition , 2006, WISE.

[88] Guido Governatori,et al. Business Process Regulatory Compliance is Hard , 2015, IEEE Transactions on Services Computing.

[89] Trevor J. M. Bench-Capon,et al. Isomorphism and argumentation , 2009, ICAIL.

[90] Mike P. Papazoglou,et al. Root-Cause Analysis of Design-Time Compliance Violations on the Basis of Property Patterns , 2010, ICSOC.

[91] Frank Leymann,et al. Business Process Compliance through Reusable Units of Compliant Processes , 2010, ICWE Workshops.

[92] Allen O’Neill,et al. An action framework for compliance and governance , 2014 .

[93] Paul Johannesson,et al. Business Contract Obligation Monitoring through Use of Multi Tier Contract Ontology , 2003, OTM Workshops.

[94] Charles Goodhart,et al. The Basel Committee on Banking Supervision , 2011 .

[95] Daniel Amyot,et al. Towards a Framework for Tracking Legal Compliance in Healthcare , 2007, CAiSE.

[96] Frank Leymann,et al. Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology , 2006, 22nd International Conference on Data Engineering (ICDE'06).

[97] Yurdaer N. Doganata,et al. Effect of Using Automated Auditing Tools on Detecting Compliance Failures in Unmanaged Processes , 2009, BPM.

[98] Guido Governatori,et al. Designing for Compliance: Norms and Goals , 2011, RuleML America.

[99] Paola Mello,et al. Monitoring business constraints with the event calculus , 2013, ACM Trans. Intell. Syst. Technol..

[100] Truls Pedersen,et al. NORMC: a Norm Compliance Temporal Logic Model Checker , 2012, STAIRS.

[101] Sherif Sakr,et al. Querying Graph-Based Repositories of Business Process Models , 2010, DASFAA Workshops.

[102] Michael Schrefl,et al. Behavior Consistent Inheritance in UML , 2000, ER.

[103] Francesco Olivieri,et al. Compliance by design: Synthesis of business processes by declarative specifications , 2014 .

[104] Martin Gogolla,et al. USE: A UML-based specification environment for validating UML and OCL , 2007, Sci. Comput. Program..

[105] Aditya K. Ghose,et al. Process SEER: A Tool for Semantic Effect Annotation of Business Process Models , 2009, 2009 IEEE International Enterprise Distributed Object Computing Conference.

[106] Heiko Ludwig,et al. Defining and Monitoring Service-Level Agreements for Dynamic e-Business , 2002, LISA.

[107] Frank Leymann,et al. An Integrated Solution for Runtime Compliance Governance in SOA , 2010, ICSOC.

[108] Mike P. Papazoglou,et al. On the Formal Specification of Regulatory Compliance: A Comparative Analysis , 2010, ICSOC Workshops.

[109] Henry Prakken,et al. Dyadic Deontic Logic and Contrary-to-Duty Obligations , 1997 .

[110] Barry I. Pershkow. Sarbanes‐Oxley: investment company compliance , 2002 .

[111] María Teresa Gómez López,et al. Explaining the Incorrect Temporal Events during Business Process Monitoring by Means of Compliance Rules and Model-Based Diagnosis , 2013, 2013 17th IEEE International Enterprise Distributed Object Computing Conference Workshops.

[112] Monica Palmirani,et al. Legal text analysis of the modification provisions: a pattern oriented approach , 2009, ICAIL.

[113] Henning Herrestad,et al. Norms and formalization , 1991, ICAIL '91.

[114] John Mylopoulos,et al. Business Process-Based Regulation Compliance: The Case of the Sarbanes-Oxley Act , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[115] Dirk Fahland,et al. Where Did I Misbehave? Diagnostic Information in Compliance Checking , 2012, BPM.

[116] Anna Perini,et al. Nòmos 3: Legal Compliance of Roles and Requirements , 2014, ER.

[117] Nancy Herther,et al. Research evaluation and citation analysis: key issues and implications , 2009, Electron. Libr..

[118] Paolo Giorgini,et al. Modeling and Verifying Security Policies in Business Processes , 2014, BMMDS/EMMSAD.

[119] Maria E. Orlowska,et al. Translating business contract into compliant business processes , 2006, 2006 10th IEEE International Enterprise Distributed Object Computing Conference (EDOC'06).

[120] Ali Selamat,et al. A systematic literature review of software requirements prioritization research , 2014, Inf. Softw. Technol..

[121] Aditya K. Ghose,et al. Auditing Business Process Compliance , 2007, ICSOC.

[122] Oliver Kopp,et al. Verifying Business Rules Using an SMT Solver for BPEL Processes , 2009, BPSC.

[123] Michael Wooldridge,et al. Robust normative systems and a logic of norm compliance , 2010, Log. J. IGPL.

[124] Jonathan Springer,et al. THE BENEFITS OF STATIC COMPLIANCE TESTING FOR SCA NEXT , 2011 .

[125] Shin-ya Nishizaki,et al. Real-Time Model Checking for Regulatory Compliance , 2012, IAIT 2012.

[126] Gregor Engels,et al. Activity diagram patterns for modeling quality constraints in business processes , 2005, MoDELS'05.

[127] Ulrich Ultes-Nitsche,et al. The SH-Verification Tool — Abstraction-Based Verification of Co-operating Systems , 1998, Formal Aspects of Computing.

[128] Moe Thandar Wynn,et al. 2 Motivating Scenario : A Complaints Handling Process , 2013 .

[129] Rove Luiza de Oliveira Chishman,et al. Automatic Information Extraction from Texts with Inference and Linguistic Knowledge Acquisition Rules , 2013, 2013 IEEE/WIC/ACM International Joint Conferences on Web Intelligence (WI) and Intelligent Agent Technologies (IAT).

[130] Luigi Logrippo,et al. Requirements and compliance in legal systems: a logic approach , 2008, 2008 Requirements Engineering and Law.

[131] Rik Eshuis,et al. Symbolic model checking of UML activity diagrams , 2006, TSEM.

[132] Javier Vázquez-Salceda,et al. From human regulations to regulated software agents’ behavior , 2008, Artificial Intelligence and Law.

[133] Jianwen Su,et al. Towards Formal Analysis of Artifact-Centric Business Process Models , 2007, BPM.

[134] Mihaela Sighireanu,et al. Efficient on-the-fly model-checking for regular alternation-free mu-calculus , 2003, Sci. Comput. Program..

[135] M. Rosemann,et al. Integrating Risks in Business Process Models , 2005 .

[136] Mathias Weske,et al. Visualization of Compliance Violation in Business Process Models , 2009, Business Process Management Workshops.

[137] Boudewijn F. van Dongen,et al. Replaying history on process models for conformance checking and performance analysis , 2012, WIREs Data Mining Knowl. Discov..

[138] Dirk Fahland,et al. Diagnostic Information for Compliance Checking of Temporal Compliance Requirements , 2013, CAiSE.

[139] Harald C. Gall,et al. Generation of Business Process Models for Object Life Cycle Compliance , 2007, BPM.

[140] Marwane El Kharbili. Business Process Regulatory Compliance Management Solution Frameworks: A Comparative Evaluation , 2012, APCCM.

[141] Eric Dubois,et al. Using Goal-Oriented Requirements Engineering for Improving the Quality of ISO/IEC 15504 based Compliance Assessment Frameworks , 2008, 2008 16th IEEE International Requirements Engineering Conference.

[142] Nandan Parameswaran,et al. Rules and Ontology in Compliance Management , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[143] Guido Governatori,et al. An Algorithm for Business Process Compliance , 2008, JURIX.

[144] Barbara Kitchenham. Procedures for Performing Systematic , 2004 .

[145] Nenad Stojanovic,et al. Pattern-Based Design and Validation of Business Process Compliance , 2007, OTM Conferences.

[146] Marwane El Kharbili,et al. Policy-Based Semantic Compliance Checking for Business Process Management , 2008, MobIS Workshops.

[147] Akhil Kumar,et al. Towards Visually Monitoring Multiple Perspectives of Business Process Compliance , 2015, CAiSE Forum.

[148] John Mylopoulos,et al. Automating the Extraction of Rights and Obligations for Regulatory Compliance , 2008, ER.

[149] Donald Nute,et al. Defeasible Logic , 1994, INAP.

[150] Philippe Schnoebelen,et al. Systems and Software Verification , 2001, Springer Berlin Heidelberg.

[151] Pearl Brereton,et al. Performing systematic literature reviews in software engineering , 2006, ICSE.

[152] M. Weske,et al. Towards Resolving Compliance Violations in Business Process Models , 2009 .

[153] Jan Vanthienen,et al. Declarative business process modelling: principles and modelling languages , 2015, Enterp. Inf. Syst..

[154] Frank Leymann,et al. Maintaining Compliance in Customizable Process Models , 2009, OTM Conferences.

[155] Guido Governatori,et al. Logic of Violations: A gentzen systems for reasoning with contrary-to-duty obligations , 2006 .

[156] David A. Duce,et al. Towards semantic methodologies for automatic regulatory compliance support , 2011, PIKM '11.

[157] Wil M. P. van der Aalst,et al. Identifying Commonalities and Differences in Object Life Cycles Using Behavioral Inheritance , 2001, ICATPN.

[158] Roy Oberhauser,et al. Ontology-based Representation of Compliance Requirements for Service Processes , 2007, SBPM.

[159] Guido Governatori,et al. The Journey to Business Process Compliance , 2009, Handbook of Research on Business Process Modeling.

[160] Xin Zhou,et al. Regulations Expressed As Logical Models (REALM) , 2005, JURIX.

[161] Frank Dignum,et al. Norm compliance checking , 2013, AAMAS.

[162] Akhil Kumar,et al. Conceptual model for online auditing , 2011, Decis. Support Syst..

[163] Frank Leymann,et al. Runtime Prediction of Service Level Agreement Violations for Composite Services , 2009, ICSOC/ServiceWave Workshops.

[164] Annie I. Antón,et al. Addressing Legal Requirements in Requirements Engineering , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[165] Alberto Martelli,et al. Rule-based Policy Specification : State of the Art and Future Work , 2004 .

[166] Michael Rosemann,et al. Business Process Risk Management and Internal Control: A proposed Research Agenda in the context of Compliance and ERP systems , 2006 .

[167] Kalina Bontcheva,et al. Developing Language Processing Components with GATE (a User Guide) , 2003 .

[168] Wil M. P. van der Aalst,et al. Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance , 2005, WISP@ICATPN.

[169] Laura Giordano,et al. Verifying Business Process Compliance by Reasoning about Actions , 2010, CLIMA.

[170] Shazia Wasim Sadiq,et al. Compliance checking between business processes and business contracts , 2006, 2006 10th IEEE International Enterprise Distributed Object Computing Conference (EDOC'06).

[171] John F. Roddick,et al. Evolution and change in data management — issues and directions , 2000, SGMD.

[172] Rodrigo Costas,et al. Users, narcissism and control – tracking the impact of scholarly publications in the 21st century , 2012 .

[173] Guido Governatori,et al. Dealing with contract violations: formalism and domain specific language , 2005, Ninth IEEE International EDOC Enterprise Computing Conference (EDOC'05).

[174] Jian Yu,et al. Guiding the Service Composition Process with Temporal Business Rules , 2007, IEEE International Conference on Web Services (ICWS 2007).

[175] Miriam A. Cherry. Whistling in the Dark? Corporate Fraud, Whistleblowers, and the Implications of the Sarbanes-Oxley Act for Employment Law , 2004 .

[176] Michael Fellmann,et al. State-of-the-art of Business Process Compliance Approaches: A Survey (Extended Abstract) , 2014, EMISA.