Managing Regulatory Compliance in Business Processes
Shazia Sadiq and Guido Governatori
S. Sadiq
School of Information Technology and Electrical Engineering, The University of Queensland, Brisbane, QLD, Australia
e-mail: shazia@itee.uq.edu.au
G. Governatori
Software Systems Research Group, NICTA, Australia
e-mail: guido.governatori@nicta.com.au
Abstract
The ever-increasing obligations of regulatory compliance are presenting a new breed of challenges for organizations across several industry sectors. Aligning control objectives that stem from regulations and legislation with business objectives devised for improved business performance is a foremost challenge. The organizational as well as IT structures for the two classes of objectives are often distinct and potentially in conflict. In this chapter, we present an overarching methodology for aligning business and control objectives. The various phases of the methodology are then used as a basis for discussing state-of-the-art in compliance management. Contributions from research and academia as well as industry solutions are discussed. The chapter concludes with a discussion on the role of BPM as a driver for regulatory compliance and a presentation of open questions and challenges.
1 Introduction
Compliance is defined as ensuring that business processes, operations, and practice are in accordance with a prescribed and/or agreed set of norms. Compliance requirements may stem from legislature and regulatory bodies (e.g., Sarbanes-Oxley, Basel II, HIPAA), standards and codes of practice (e.g., SCOR, ISO9000), and also business partner contracts. The market value for compliance-related software and services was estimated as over $32 billion in 2008 (Hagerty et al., 2008). The boost in business investment is primarily a consequence of regulatory mandates that emerged as a result of events, which led to some of the largest scandals in corporate history such as Enron, WorldCom (USA), HIH (Australia), and Société Générale (France). In spite of mandated deadlines, there is evidence that many organizations are still struggling with their compliance initiatives. Thus, compliance is an important objective of many organizations and, therefore, plays a major role in the strategic alignment of BPM initiatives (Rosemann and vom Brocke).
Compliance is historically viewed as a burden, although there are indications that businesses have started to see the regulations as an opportunity to improve their business processes and operations. Industry reports (BPM Forum, 2006) indicate that up to 80% of companies expect to reap business benefits from improving their compliance regimens.
In general, a compliance regimen must include three interrelated but distinct perspectives on
compliance, namely, corrective, detective, and preventative.
Corrective measures can be undertaken for a number of reasons, ranging from the introduction of a new regulation impacting upon the business, to breach reporting, to the organization coming under surveillance and scrutiny by a control authority, or, in the worst case, to an enforceable undertaking. Corrective measures undertaken in a proactive manner position the organization favorably with regulators or other control authorities.
Detective measures are undertaken under two main approaches. First is retrospective reporting, wherein traditional audits are conducted for “after-the-fact” detection, through manual checks by consultants and/or through IT forensics and business intelligence (BI) tools. A second and more recent approach is to provide some level of automation through automated detection. The bulk of existing software solutions for compliance follow this approach. The proposed solutions hook into a variety of enterprise system components (e.g., SAP HR, LDAP Directory, Groupware, etc.) and generate audit reports against hard-coded checks performed on the requisite system. These solutions often specialize in a certain class of checks, for example, the widely supported checks that relate to Segregation of Duty violations in role management systems. However, this approach still resides in the space of “after-the-fact” detection, although the assessment time is reduced and correspondingly the time to remediation and/or mitigation of control deficiencies is also improved.
A major issue with the above approaches (in varying degrees of impact) is the lack of sustainability. Even with an automated detection facility, the hard-coded check repositories can quickly grow to a very large scale, making it extremely difficult to evolve and maintain them for changing legislatures and compliance requirements. In addition to external pressures, there is often a company-internal push toward quality-of-service initiatives for process improvement, which have similar requirements.
In this chapter, we promote the use of sustainable approaches for compliance management, which we believe should fundamentally have a preventative focus, thus achieving compliance by design (Sadiq et al., 2007). That is, compliance should be embedded into the business practice, rather than be seen as a distinct activity. In particular, we argue that a compliance-by-design approach that capitalizes on Business Process Management (BPM) techniques has the potential to include also detective and corrective measures, leading to a holistic and effective compliance regimen.
The fundamental feature of the compliance-by-design approach is the ability to capture compliance requirements through a generic requirements modeling framework, and subsequently facilitate the propagation of these requirements into business process models and enterprise applications.
The biggest challenge in this regard is aligning control objectives that stem from regulations and legislation, with business objectives devised for improved business performance (KPMG Advisory, 2005). The organizational as well as IT structures for the two classes of objectives are often distinct and potentially in conflict.
This chapter is dedicated to developing an understanding of the issues and challenges found in achieving the alignment between business and control objectives.
To this end, we will first introduce a guiding scenario in order to establish basic terms and concepts. We then present an overarching methodology for compliance management that focuses on aligning business and control objectives. The methodology demonstrates the use of Business Process Management and related technologies as a driver for managing compliance and is primarily intended to achieve compliance by design. Using the methodology as a basis for discussion, we will then provide a discussion on recent developments in compliance management services and solutions covering contributions from both academia as well as industry. We further present a brief case study targeted at two specific phases of the methodology. The analysis of current solutions as well as the case study indicate that a process-driven approach to compliance management is a highly effective way to address this complex problem. The chapter concludes with a discussion on open questions and challenges toward effective compliance management.
2 Scenario and Background
Consider the following example. In 2006, a new legislative framework was put in place in Australia for anti-money laundering. The first phase of reforms for the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF) covers the financial sector including banks, credit unions, building societies, and trustees, and extends to casinos, wagering service providers, and bullion dealers. The AML/CTF act imposes a number of compliance obligations or control objectives, which include the following:
- Customer due diligence (identification, verification of identity, and ongoing monitoring of transactions)
- Reporting (suspicious matters, threshold transactions, and international funds transfer instructions)
- Record keeping
- Establishing and maintaining the AML/CTF program
AML/CTF is a principles-based [1] regulation, and hence, businesses need to determine the exact manner in which they will fulfill the obligations. This leads to the design of so-called internal controls [2] devised by a particular financial organization. For example, consider an account-opening process as depicted in Fig. 1. An internal control may mandate the “scanning of all new customer accounts against blocked entity datasets” in response to the obligation to provide customer due diligence during the account-opening process. This would require an additional check to be conducted after entering new customer information.
[1] “The AML/CTF Act is a principles-based piece of legislation. It sets out broad obligations which reporting entities and others affected by the legislation must meet, but leaves the methods of meeting those obligations to be decided by those on whom the obligations fall” (AUSTRAC, 2006).
[2] “Internal control is broadly defined as a process effected by an entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations” (COSO, 1994).
Figure 1: Example account-opening process
For a principles-based approach such as AML/CTF, the design of the internal controls typically reflects the risk appetite of the organization. Effective risk management begins with a clear understanding of an organization’s appetite for risk and is essentially the process of identifying vulnerabilities and threats to the organization in achieving its business objectives. When establishing and implementing its system of risk management, a company will consider a number of risks such as financial reporting risks (the risk of a material error in the financial statements), operational, environmental, sustainability, strategic, external, ethical conduct, reputation or brand, technological, product or service quality, and human capital, as well as risks of noncompliance (ASX, 2006).
In order to handle the risk, the organization may choose one or more well-known strategies such as avoid risk, for example, if possible, choose not to implement processes and/or remove the source of the risk; mitigate risk, for example, define and implement controls; transfer risk, for example, share or outsource risk (insurance); and/or accept risk, for example, formally acknowledge existence of risk and monitor it.
The approach to risk management has a profound impact on how an organization would design and implement internal controls in response to compliance obligations. Controls management thus becomes a balancing act between compliance obligations, business objectives, and risks.
In the next section, we present a methodology for compliance management that aims to provide a means of aligning business and control objectives by using BPM and related technologies as drivers.
3 Methodology for Compliance Management
Previously, we have argued that compliance by design is a preferred approach for compliance management due to its preventative focus. In light of the heavy social, economic, and environmental costs of noncompliance, a priori embedding of requisite checks and triggers into the enterprise applications is clearly desirable but also extremely difficult, given that the business and technology landscape of today’s organizations is disparate and distributed.
BPM is recognized as a means to enforce corporate policy. Regulatory mandates also provide
policies and guidelines for business practice. One may argue why a separate requirements
modeling facility is required to capture compliance requirements for business processes. We
identify the following reasons against this argument:
Firstly, the source of these two objectives will be distinct, both from an ownership and governance perspective, as well as from a timeline perspective. Whereas businesses can be expected to have some form of business objectives, control objectives can be dictated by external sources and at different times.
Secondly, the two have differing concerns, namely, business objectives and control objectives. Thus, the use of business process languages to model control objectives may not provide a conceptually faithful representation. Compliance is in essence a normative notion, and thus control objectives are fundamentally descriptive, that is, indicating what needs to be done (in order to comply). Business process specifications are fundamentally prescriptive in nature, that is, detailing how business activity should take place. There is evidence of some developments toward descriptive approaches for BPM, but these works were predominantly focused on achieving flexibility in business process execution (e.g., Pesic and van der Aalst, 2006; Sadiq et al., 2005).
Thirdly, there is a likelihood of conflicts, inconsistencies, and redundancies within the two specifications. The intersection of the two, thus, needs to be carefully studied.
In summary, we present in Fig. 2 the interconnect between process management and controls management. The two are formulated by different stakeholders and have different lifecycles. The design of control will impact the way a business process is executed. On the other hand, a (re)design of a business process causes an update of the risk assessment, which may lead to a new/updated set of controls.
Figure 2: Interconnection of process management and controls management
Additionally, business process monitoring will assess the design of internal controls and serve as an input to internal controls certification.
Given the scale and diversity of compliance requirements and additionally given the fact
that these requirements may frequently change, business process compliance is indeed a large
and complex problem area with several challenges. Given further that business and control
objectives are (or should be) designed separately, but must converge at some point, we present
below a list of essential requirements and where relevant corresponding techniques and methods
that need to be met/developed in order to tackle this overall problem.
3.1 Control Directory Management
Regulations and other compliance directives are complex and vague and require interpretation. Often in legalese, these mandates need to be translated by experts. For example, the COSO framework (COSO, 1994) is recognized by regulatory bodies as a de facto standard for realizing controls for financial reporting. A company-specific interpretation results in the following (textual) information being created:
⟨control objective, risk, internal control⟩
For example:
Control objective: Prevent unauthorized use of purchase order process;
Risk: Unauthorized creation of purchase orders and payments to nonexisting suppliers;
Internal control: The creation and approval of purchase orders must be undertaken by two separate purchase officers.
The above example is typical of the well-known segregation-of-duty constraint (one individual does not participate in more than one key trading or operational function) mandated by Sarbanes-Oxley 404.
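As an added illustration (not code from the chapter or from any product it mentions), the purchase-order segregation-of-duty control above expressed in two ways: a detective check over a constructed event log, of the kind the automated-detection tools in the Introduction perform, and a preventative guard that refuses a non-compliant approval before it happens, in the compliance-by-design spirit. The event format, user names and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


# The <control objective, risk, internal control> triple from the chapter,
# held as a record so it could live in a controls directory.
@dataclass(frozen=True)
class Control:
    objective: str
    risk: str
    internal_control: str


PO_SEGREGATION_OF_DUTY = Control(
    objective="Prevent unauthorized use of purchase order process",
    risk="Unauthorized creation of purchase orders and payments to nonexisting suppliers",
    internal_control="The creation and approval of purchase orders must be "
                     "undertaken by two separate purchase officers",
)

# Constructed sample purchase-order events (assumed format: one dict per action).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"po": "PO-1001", "action": "create",  "user": "alice"},
    {"po": "PO-1001", "action": "approve", "user": "bob"},
    {"po": "PO-1002", "action": "create",  "user": "carol"},
    {"po": "PO-1002", "action": "approve", "user": "carol"},  # same officer both times
    {"po": "PO-1003", "action": "create",  "user": "dave"},   # awaiting approval
]


def _actors(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Index events as {po: {action: user}}; the first actor per action is kept."""
    index: Dict[str, Dict[str, str]] = {}
    for ev in events:
        index.setdefault(ev["po"], {}).setdefault(ev["action"], ev["user"])
    return index


def segregation_of_duty_violations(events: List[Dict[str, str]]) -> List[str]:
    """Detective (after-the-fact) check: purchase orders whose creator also approved them."""
    index = _actors(events)
    return sorted(po for po, acts in index.items()
                  if "create" in acts and acts.get("approve") == acts["create"])


def can_approve(po: str, user: str, events: List[Dict[str, str]]) -> bool:
    """Preventative guard (compliance by design): allow an approval only when the
    order exists, has not already been approved, and the approver is not its creator."""
    acts = _actors(events).get(po, {})
    creator: Optional[str] = acts.get("create")
    if creator is None or "approve" in acts:
        return False
    return user != creator


if __name__ == "__main__":
    print("SoD violations:", segregation_of_duty_violations(SAMPLE_EVENTS))   # ['PO-1002']
    print("bob may approve PO-1003?", can_approve("PO-1003", "bob", SAMPLE_EVENTS))    # True
    print("dave may approve PO-1003?", can_approve("PO-1003", "dave", SAMPLE_EVENTS))  # False
```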
However, business will typically deal with a number of regulations/standards at one time. Thus there is a need to provide a structured means of managing the various interpretations within regional, industry sector, and organizational contexts.
We identify this as a need for a controls directory. Control directory management could be supported by database technology, and/or could present some interesting content management challenges, but will be an essential component in the overall solution. There is some evidence in industry reports that solution vendors are producing repositories of control objectives (and associated parameters) against the major regulations, see, for example, SAP GRC Repository and SAI Global GRC Knowledge and Information Services. Keeping abreast of frequently changing regulations is a clear challenge in the maintenance of such knowledge bases.
3.2 Ontological Alignment
Due to the diversity of stakeholders in compliance management initiatives, any effort towards providing compliance management solutions demands a common understanding of compliance management concepts and practice. For example, interpretation of regulations from legal/financial experts comes in the form of textual descriptions (see example in the previous section). Establishing an agreement on terms and usage between these descriptions and the business processes and constituent activities/transactions is a difficult but essential aspect of the overall methodology.
Figure 3: Relationships between process modeling and control modeling concepts (concepts shown: Control Objective, Internal Control, Risk, Process, Task, Property; relationships labelled 1:N and M:N)
In Fig. 3, we present the relationships between the basic process modeling and control modeling concepts. Clearly, the relationship between process task and internal controls is much deeper than shown, as it would require alignment between embedded concepts, for example, task identification, particular data items, roles and performers, etc. However, it is evident that several controls may be applicable on a task, and one control may impact on multiple tasks as well.
What tools and techniques are utilized to provide an effective alignment between the two conceptual spaces is an important question at hand. Some recent work (Abdullah et al., 2012) reports on research undertaken to develop an ontology to create a shared conceptualization of the compliance management domain, namely CoMOn (Compliance Management Ontology). The ontology concepts are extracted from interviews and surveys of compliance management experts and practitioners, and refined through synthesis with leading academic literature related to compliance management. A semiotic framework has been utilized to conduct a rigorous evaluation of CoMOn through a series of eight case studies spanning a number of industry sectors. The consensus achieved through the evaluation positions CoMOn as a comprehensive domain ontology for Compliance Management.
3.3 Modelling Controls
The motivation to model controls is multifaceted. Firstly, a generic requirements modeling framework for compliance by design will provide a substantial improvement over current after-the-fact detection approaches. Secondly, it will allow for an analysis of compliance rules, thereby providing the ability to discover hidden dependencies, and view them in a holistic context, while maintaining a comprehensible working space. Thirdly, a precise and unambiguous (formal) specification will facilitate the systematic enrichment of business processes with control objectives.
A fundamental question in this regard is the appropriate formalism to undertake the task. In the next section, we will deliberate further on this question and provide a discussion of complementary approaches in this regard.
Note, however, that modeling controls in a precise and unambiguous manner is a necessary first step, but cannot completely address the compliance-by-design methodology. Process model enrichment, as explained in the next section, constitutes a second essential step.
3.4 Process Model Enrichment
In this context, we use the term process model enrichment as the ability to enhance enterprise models (business processes) with compliance requirements. This can be provided as process annotation. Process annotations have been proposed by a number of researchers, for example, the notion of control tags (Sadiq et al., 2007), integrating risks on EPCs (zur Mühlen and Rosemann, 2005), and semantic annotations (Governatori, Hoffmann et al., 2009). The resultant visualization of controls on the process model facilitates a better understanding of the interaction between the two specifications for both stakeholders (process owners as well as compliance officers).
Consider, for example, the account-opening process presented in Figure 1. An annotation at the activity “Enter New Customer” to indicate the need for “scanning of all new customer accounts against blocked entity data-sets” will assist in identifying the obligations relevant to AML/CTF. Figure 4 depicts a fragment of the process model presented in Figure 1 and shows an example of process annotation and resultant process redesign.
Figure 4: Example process annotation and resultant redesign
However, the visualization is only a first step. The new checks introduced within the process model can in turn be used to analyze the model for measures such as compliance degree (Lu et al., 2007), which can provide a quantification of the effort required to achieve a compliant process model. Eventually, process models may need to be modified to include the compliance requirements.
In large organizations, the process portfolio may consist of hundreds of process models that may span several business units. A diagnostic facility (Governatori, Hoffmann et al., 2009) can empower the organizations to undertake a compliance assessment at a large scale, and then continue with compliance enforcement based on the measured compliance degree (or gap) and associated risks.
Sections 3.1–4.2 as presented above are focused on providing design time support for compliance management. Although model-driven enforcement and monitoring is a main objective of the presented methodology, it is not always possible to achieve. Below, we present a brief summary of issues and techniques for run time support for compliance management.
3.5 Compliance Enforcement
Enforcement of controls is a key component in the overall methodology. Given that the technology landscape of today’s organizations is highly diverse and disparate, translation of designed internal controls onto the IT infrastructure, and subsequently, into business transactions is clearly a significant challenge. A number of complementary technologies can be identified in this regard.
- Records management (e.g., incident logging, data retention systems, etc.)
- Integration technologies (e.g., enterprise application integration, master data management)
- Testing/simulation (e.g., what-if scenario analysis)
- Control automation (e.g., rule engines)
Model-driven business process execution (as envisaged in the ideal BPM vision) is of course a candidate in the above, and arguably provides the most effective means to enforcement of compliance-related controls. Unfortunately, the current state of enterprise systems does not reflect the ideal BPM vision, and hence, compliance enforcement is provided through a variety of tools and technologies.
3.6 Compliance Monitoring
The support provided in the design of compliant processes through process annotation and analysis and resultant process changes can eventually lead to a model-driven enforcement of compliance controls (where process management systems are in place). However, it is naïve to assume that all organizations have the complete implementation of the BPM life cycle, and hence the process models and underlying applications may be disconnected. In this case, it is important to provide support for compliance through run-time monitoring. This has been the agenda for several vendors in this space targeting the so-called automated detection, described earlier. In general, event monitoring is a well-studied research topic (see, e.g., www.complexevents.com) and, although it has not been widely/explicitly associated with the compliance issue, notably excepting Giblin et al. (2006), its usage in fraud detection and security is closely related.
Although this chapter is primarily targeted at approaches conducive to achieving compliance by design by adopting a preventative approach facilitated by business process models, several works on formal modeling of control objectives (Governatori and Rotolo, 2006, 2010) have taken into account the violations and resultant reparation policies that may surface at runtime. Similarly, in (Conforti et al., 2011) a real-time risk detection method for business processes has been proposed.
Source (journals)     Total articles   Relevant   %
CAIS                   659             16        2.4
BPMJ                   336              5        1.5
JAIS                   158              2        1.3
JI&M                   502              4        0.8
CACM                  2178             17        0.8
JISR                   199              1        0.5
EJIS                   382              2        0.5
MISQ                   281              1        0.4

Source (conferences)  Total articles   Relevant   %
BPM                    189              7        3.7
ACIS                   906             28        3.1
CAiSE                  346              9        2.6
ICIS                   959             14        1.5
PACIS                 1025             14        1.4
AMCIS                 3822             46        1.2
HICSS                 4517             49        1.1
ECIS                  1489             17        1.1
ER                     400              2        0.5

Table 1: Sources and Frequency of Publication
4 State of the Art
Governance, risk, and compliance (GRC) is an emerging area of research that holds challenges for various communities including information systems; business software development; legal, cultural, and behavioral studies; and corporate governance. In (Abdullah, Indulska et al., 2009), GRC challenges emerging from industry have been related to existing activity in IS research between 2001–2010. As expected in an emerging research domain, the majority of the publications were found to be in the case study or exploratory paper category – 188 (81%) of the 328 articles are case study/exploratory articles and 40 (17.2%) are solution articles. Table 1 presents a snapshot of research contributions from notable IS journals and conferences. See (Abdullah, Indulska et al., 2009) for more details on the methodology and results of the literature review. However, there are four (1.7%) articles that matched both types of articles. The results suggest that research on GRC solutions has been initiated but remains still in the early exploratory stages.
In this chapter, we have focused on compliance management from an information systems perspective, in particular the modeling and analysis of compliance requirements. In this section, we report on the contributions from research and academia in the area of compliance management. The primary focus of the discussion is on preventative approaches to compliance or those that facilitate compliance by design, and hence the discussion is structured around issues relating to Sections 4.1–4.2, that is, Modelling Controls and Process Model Enrichment. A case study supported by a prototype implementation of these two phases of the methodology is subsequently presented in Section 5.
4.1 Modelling Controls
Both process modeling and modeling of normative requirements are well-studied fields independently, but until recently, the interactions between the two have been largely ignored (Desai, Mallya et al., 2005; Padmanabhan et al., 2006). In particular, zur Mühlen, Indulska et al. (2007) provide a valuable representational analysis to understand the synergies between process modeling and rule modeling. Similarly Cheng et al. (2011) provide a basic framework for business process and rule integration using BPMN and SBVR as examples. It is obvious that the modeling of controls will be undertaken as rules, although the question of appropriate formalism is still under study. A plethora of proposals exist both in the research community on formal modeling of rules and in the commercial arena through business rule management systems.
Historically, formal modeling of normative systems has focused on how to capture the logical properties of the notions of the normative concepts (e.g., obligations, prohibitions, permissions, violations, etc.) and how these relate to the entities in an organization and to the activities to be performed. Deontic logic is the branch of logic that studies normative concepts such as obligations, permissions, prohibitions, and related notions. Standard deontic logic (SDL) is the starting point for logical investigation of the basic normative notions and offers a very idealized and abstract conceptual representation of these notions, but at the same time, it suffers from several drawbacks, given its high level of abstraction (Sartor, 2005). Over the years, many different deontic logics have been proposed to capture the different intuitions behind these normative notions and to overcome drawbacks and limitations of SDL. One of the main limitations in this context is its inability to reason with violations and the obligations arising in response to violations (Carmo and Jones, 2002). Very often, normative statements pertinent to business processes, and in particular contracts, specify conditions about when other conditions in the document have not been fulfilled; that is, when some (contractual) clauses have been violated. Hence, any formal representation to be conceptually faithful has to be able to deal with these kinds of situations.
As we have discussed before, compliance is a relationship between two sets of specifications: the normative specifications that prescribe what a business has to do and the process modeling specification describing how a business performs its activities. Accordingly, to properly verify that a process/procedure complies with the norms regulating the particular business, one has to provide conceptually sound representations of the process on one side and the norms on the other, and then check the alignment of the formal specifications of the process and the formal specifications for the norms.
In the following paragraphs, we present an account of the various proposals for formal modeling of regulations in the context of business process compliance. Governatori (2005), Governatori, Milosevic et al. (2006) and Governatori and Rotolo (2010) have proposed FCL (formal contract language) as a candidate for control modeling, which has proved effective due to its ability to reason with violations and exceptions. FCL has been obtained from the combination of defeasible logic (for the efficient and natural treatment of exceptions, which are a common feature in normative reasoning) (Antoniou et al., 2001) and a deontic logic of violations (Governatori and Rotolo, 2006). In FCL a norm is represented by a rule, where a rule is an expression of the form
r: a1, ..., an ⊢ c
where r is the name of the rule (unique for each rule), a1, ..., an are the conditions of applicability of the norm/rule or premises (represented by propositions in the logic) and c, the conclusion of the rule, is the normative effect of the norm/rule (again c is an expression or proposition of the logic).
The propositions of the logic are built from a finite set of atomic propositions, and the following operators: ¬ (negation), [O] (obligation), [P] (permission), ⊗ (violation/reparation). The formation rules are as follows:
- Every atomic proposition is a proposition;
- If p is an atomic proposition, then ¬p is a proposition;
- If p is a proposition, then [O]p is an obligation proposition and [P]p is a permission proposition. Obligation propositions and permission propositions are deontic propositions;
- If p1, ..., pn are obligation propositions and q is a deontic proposition, then p1 ⊗ ··· ⊗ pn ⊗ q is a reparation chain.
A simple proposition corresponds to a factual statement. The deontic operators are then indexed
by the subject of the normative position corresponding to the operator. Thus [Os]SendInvoice
means that the supplier s has the obligation to send the invoice to the purchaser, and
[Pp]ChargePenalty means that the purchaser p is entitled (permitted) to charge a penalty to the
supplier.
For obligations FCL supports both maintenance obligations (e.g., “the supplier must keep
confidential the personal information provided by the customer”) and achievement obligations
(e.g. “a customer has to pay for the services received from the provider”), and for achievement
obligations both pre-emptive and non-pre-emptive obligations – see (Governatori and Rotolo,
2010) for full details. A reparation chain, for example:
[Os]ProvidesGoodsTimely ⊗ [Os]OfferDiscount ⊗ [Pp]ChargePenalty
captures obligations and normative positions arising in response to violations of obligations.
Thus the expression above means that the supplier has the obligation to send the goods in a
timely manner, but in case they do not comply with this (i.e., they violate the obligation to do so)
then they have the “secondary” obligation to offer a discount for the merchandise, and in case
they fail to fulfil this obligation (i.e., we have a violation of the possible reparation of the
“primary” obligation), then, finally, the purchaser can charge the supplier with the penalty.
As usual in normative reasoning, there are two types of rules: definitional rules and normative
rules. A definitional rule gives the conditions that assert a factual statement or introduce
new terms. A normative rule allows us to conclude obligations, permissions and prohibitions.³
According to the above distinction, in definitional rules the conclusion is a proposition, and in
normative rules the conclusion is either a deontic proposition or a reparation chain. In both
cases, the premises are propositions and deontic propositions, but not reparation chains. For
example the definitional rule
Customer(x), Spending(x) > 1000 ⇒ PremiumCustomer(x)
specifies that, typically, a premium customer is a customer who has spent over 1000 dollars;
while the following is an example of a normative rule:
Restaurant, [P]SellAlcohol ⇒ [OM]ShowLicense ⊗ [OAPNP]PayFine.
The rule above means that if a restaurant has a license to sell alcohol (i.e., it is permitted to sell
it, [P]SellAlcohol), then it has a maintenance obligation to expose the license ([OM]ShowLicense);
if it does not, then it has to pay the fine ([OAPNP]PayFine). The obligation to pay the fine is
non-pre-emptive (this means it cannot be paid before the violation). Notice that FCL allows
deontic expressions (but not reparation chains) to appear in the body of rules.
³ Note that obligations allow us to capture prohibitions; a prohibition is an obligation plus negation, for example
the prohibition to smoke can be understood as the obligation not to smoke.
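The formation rules and the definitional/normative distinction above can be checked mechanically. The following Python is an added example written for this chapter's text, not part of FCL, SPINdle or BPCC: it parses rules written in the notation used above (⇒ for the rule arrow, ⊗ for reparation, [O]/[P] with an optional index such as s, M or APNP) and enforces that ¬ applies only to atomic propositions, that a reparation chain consists of obligations followed by a final deontic proposition, and that chains never appear in a rule body. The rule strings in the block are the chapter's own examples; the function and class names, and the simplification of treating a comma-free token such as Spending(x) > 1000 as one atomic proposition, are this example's assumptions.

```python
# Added example (not FCL's or SPINdle's code): a checker for the FCL formation
# rules and the definitional/normative distinction described in the chapter.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# [O]p, [P]p, or indexed forms such as [Os]p, [Pp]p, [OM]p, [OAPNP]p
DEONTIC = re.compile(r"^\[(O|P)([A-Za-z0-9]*)\](.+)$")
NAME = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*)$")   # optional "r: ..." rule name


@dataclass(frozen=True)
class Term:
    kind: str          # "prop" (plain proposition) | "O" (obligation) | "P" (permission)
    content: str       # the proposition: atomic, or ¬atomic
    index: str = ""    # subject or obligation-type index, e.g. "s", "M", "APNP"


def parse_proposition(text: str) -> str:
    """Formation rules 1 and 2: an atomic proposition, or ¬ applied to an atomic proposition."""
    text = text.strip()
    core = text[1:] if text.startswith("¬") else text
    if not core or core.startswith(("¬", "[")) or "⊗" in core or "⇒" in core:
        raise ValueError(f"not a proposition: {text!r}")
    return text


def parse_term(text: str) -> Term:
    """Formation rule 3: [O]p / [P]p over a proposition p; anything else must be a proposition."""
    text = text.strip()
    m = DEONTIC.match(text)
    if m:
        return Term(m.group(1), parse_proposition(m.group(3)), m.group(2))
    return Term("prop", parse_proposition(text))


def parse_chain(text: str) -> Tuple[Term, ...]:
    """Formation rule 4: p1 ⊗ ... ⊗ pn ⊗ q with every p_i an obligation and q deontic."""
    terms = tuple(parse_term(t) for t in text.split("⊗"))
    if len(terms) > 1 and (any(t.kind != "O" for t in terms[:-1]) or terms[-1].kind == "prop"):
        raise ValueError(f"ill-formed reparation chain: {text.strip()!r}")
    return terms


@dataclass(frozen=True)
class Rule:
    name: Optional[str]
    body: Tuple[Term, ...]     # propositions and deontic propositions, never chains
    head: Tuple[Term, ...]     # one term, or a reparation chain

    @property
    def category(self) -> str:
        """Definitional if the conclusion is a plain proposition, otherwise normative."""
        if len(self.head) == 1 and self.head[0].kind == "prop":
            return "definitional"
        return "normative"


def parse_rule(text: str) -> Rule:
    m = NAME.match(text)
    name, rest = (m.group(1), m.group(2)) if m else (None, text)
    rest = rest.strip().rstrip(".")
    if rest.count("⇒") != 1:
        raise ValueError("a rule has exactly one ⇒")
    body_txt, head_txt = rest.split("⇒")
    if "⊗" in body_txt:
        raise ValueError("reparation chains cannot appear in the body of a rule")
    # Assumption of this example: premises are comma-separated and atoms contain no
    # commas, so a token such as "Spending(x) > 1000" is one atomic proposition.
    body = tuple(parse_term(t) for t in body_txt.split(",") if t.strip())
    return Rule(name, body, parse_chain(head_txt))


if __name__ == "__main__":
    for src in (
        "Customer(x), Spending(x) > 1000 ⇒ PremiumCustomer(x)",
        "Restaurant, [P]SellAlcohol ⇒ [OM]ShowLicense ⊗ [OAPNP]PayFine.",
        "r1: Order ⇒ [Os]ProvidesGoodsTimely ⊗ [Os]OfferDiscount ⊗ [Pp]ChargePenalty",
    ):
        rule = parse_rule(src)
        print(rule.category, rule)
```

Feeding the chapter's two example rules through parse_rule classifies the first as definitional and the second as normative; strings such as "[Os]A ⊗ [Os]B ⇒ C" (a chain in the body) or "A ⇒ [P]B ⊗ [O]C" (a permission before the end of a chain) are rejected with a ValueError naming the formation rule they break.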
FCL oers two reasoning modules: (1) a normalizer to make explicit rules that can be derived
from explicitly given rules by merging their normative conclusions, to remove redundancy
and identify conicts rules, and (2) an inference engine to derive conclusions given some
propositions as input.
Finally, FCL is agnostic about the nature of the literals it uses. ey can represent tasks
(activities executed in a process) or propositions representing state variables. For full description
of FCL and its feature see (Governatori, 2005; Governatori and Rotolo, 2010).
There have been some other notable contributions from research on the matter of control
modeling. Goedertier and Vanthienen (2006) present a logical language PENELOPE, which
provides the ability to verify temporal constraints arising from compliance requirements on
affected business processes. Küster et al. (2007) provide a method to check compliance between
object life cycles that provide reference models for data artifacts, for example, insurance claims,
and business process models. Giblin et al. (2006) provide temporal rule patterns for regulatory
policies, although the objective of this work is to facilitate event monitoring rather than the
usage of the patterns for support of design time activities. Furthermore, Agrawal et al. (2006)
have presented a workflow architecture for supporting Sarbanes–Oxley internal controls, which
includes functions such as workflow modeling, active enforcement, workflow auditing, as well
as anomaly detection.
There has been some complementary work in the analysis of formal models representing
normative notions. For example, Farrell et al. (2005) study the performance of business contracts
on the basis of their formal representation. Desai, Narendra et al. (2008) seek to provide
support for assessing the correctness of business contracts represented formally through a set
of commitments. The reasoning is based on the value of various states of commitment as perceived
by cooperative agents. Research on closely related issues has also been carried out in the field
of autonomous agents (Alberti et al., 2006).
4.2 Process Model Enrichment
As discussed previously, modeling the controls is only the first step toward compliance by design.
The second essential step is the enrichment of process models with compliance requirements
(i.e., the modeled controls). Clearly, this cannot take place without a formal controls model (as
proposed by the above-mentioned works), or at least some machine-readable specification of the
controls.
There have recently been some efforts toward support for business process modeling against
compliance requirements. In particular, the works of zur Mühlen and Rosemann (2005) and
Neiger et al. (2006) provide an appealing method for integrating risks in business processes.
The proposed technique for “risk-aware” business process models is developed for EPCs (event
process chains) using an extended notation. Sadiq et al. (2007) propose an approach based on
control tags to visualize internal controls on process models. Liu et al. (2007) take a similar
approach of annotating and checking process models against compliance rules, although the
visual rule language, namely BPSL, is general purpose and does not directly address the notions
representing compliance requirements.
4.3 Summary
Although this chapter has primarily focused on preventative approaches to compliance, it is
important to identify the role of detective approaches as well, where a wide range of supporting
technologies are present. These include several commercial solutions such as business activity
monitoring, BI, etc. Noteworthy in the research literature with respect to compliance monitoring
is the synergy with process mining techniques (van der Aalst et al., 2003; van Dongen et al.,
2005) that provide the capability to discover run-time process behavior (and deviations) and
can thereby assist in the detection of compliance violations.
In terms of compliance services and solutions, a number of compliance service/solution
providers are currently available, including large consulting firms providing business services
and advisory as well as software vendors. Software services are emerging from large corporations
with products such as IBM Lotus workplace for business controls and reporting, Microsoft Office
Solutions Accelerator for Sarbanes–Oxley, SAP GRC Solution, as well as niche vendors such as
OpenPages, Paisley Consulting, Qumas Inc., and several others (Caldwell and Eid, 2008).
Software solutions and tools for compliance are typically found under the umbrella of other
technologies such as BI, business rules management, etc. As such, compliance vendors are not
easily identified directly. Further, while many vendors provide sophisticated functionality for
some aspect of the overall end-to-end methodology (as presented in Section 3), these solutions
are of a piecemeal nature, for example, a business controls and reporting tool designed to help
users manage processes, controls, and information, subject to Sarbanes-404.
5 Case Study
In this section we first introduce the architecture for a business process compliance checker based
on the methodology developed by Governatori and Sadiq (2009) and presented in this chapter. As
we have already discussed, to check whether a business process is compliant with a relevant
regulation, we need an annotated business process model (process model enrichment) and the
formal representation (modeling controls) of the regulation. The annotations are attached to
the tasks of the process, and they can be used to record the data, resources and other information
related to the single tasks in a process. For the formal representation of the regulation we use
FCL (Governatori, 2005; Governatori and Rotolo, 2010) as briefly introduced in the previous
section.
Compliance is not just about the tasks to be executed in a process but also about what the
tasks do, the way they change the data and the state of artifacts related to the process, and
the resources linked to the process. Accordingly, process models must be enriched with such
information. Sadiq et al. (2007) proposed to enrich process models with semantic annotations.
Each task in a process model can have attached to it a set of semantic annotations. In our
approach the semantic annotations are literals in the language of FCL, representing the effects
of the tasks. The approach can be used to model business process data compliance (Hashmi
et al., 2012).
Figure 5 depicts the logical outline of the architecture. Given an annotated process and the
formalisation of the relevant regulation, we can use the algorithms proposed by Governatori
and Rotolo (2008, 2010) to determine whether the annotated process model is compliant. The
process runs as follows:
- Generate an execution trace of the process.
- Traverse the trace:
  - for each task in the trace, cumulate the effects of the task using an update semantics
    (i.e., if an effect in the current task conflicts with a previous annotation, update using
    the effects of the current task);
  - use the set of cumulated effects to determine which obligations enter into force at
    the current task. This is done by a call to an FCL reasoner;
  - add the obligations obtained from the previous step to the set of obligations carried
    over from the previous task;
  - determine which obligations have been fulfilled, violated, or are pending; and if
    there are violated obligations check whether they have been compensated.
- Repeat for all traces.
A process is compliant if and only if all traces are compliant (all obligations have been fulfilled
or, if violated, they have been compensated). A process is weakly compliant if there is at least
one trace that is compliant.

Figure 5: Architecture of Compliance Checker. (Panels recovered from the figure: Legalese is
formalised into a compliance rule base & checker holding Rule 1, Rule 2, …, Rule 9, …; the
annotated process model, tasks T1…T7 with post-conditions Post1…Post7, yields a logical state
representation I*(e1), I*(e2), I*(e3), I*(e4); the compliance checker takes obligations as input and
feeds a recommendation sub-system producing recommendations, what-if analysis and a status
report.)
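The trace-traversal procedure just listed, as an added example in Python written for this chapter (it is not BPCC's or SPINdle's code). It uses the chapter's supplier scenario with constructed task annotations and three constructed traces, and replaces the call to the FCL reasoner with a direct check of rule premises against the cumulated state. Assumptions of the example: achievement obligations only (an obligation is fulfilled when its literal appears in the cumulated state, violated when its negation appears or the trace ends without it); reparation chains consist of obligations with subject indices omitted and no terminal permission; each rule gives rise to at most one obligation per trace; and a premise written [O]p holds when an obligation p is currently in force, mirroring the deontic expressions FCL allows in rule bodies. All names (Rule, Obligation, check_trace, check_process, the task and literal names) are this example's own.

```python
# Added example (not BPCC or SPINdle code): the trace-traversal compliance check
# described in the chapter, run over constructed annotations, rules and traces.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Literal = str                       # "p" or "¬p"


def neg(lit: Literal) -> Literal:
    """Complement of a literal: p <-> ¬p."""
    return lit[1:] if lit.startswith("¬") else "¬" + lit


@dataclass
class Rule:
    name: str
    body: Tuple[str, ...]           # premises: literals, or "[O]p" meaning "p is an obligation in force"
    chain: Tuple[Literal, ...]      # reparation chain of achievement obligations (assumption: no permissions)


@dataclass
class Obligation:
    rule: Rule
    idx: int = 0                    # element of the chain currently in force
    status: str = "pending"         # pending | fulfilled | compensated | violated


def update_state(state: Set[Literal], effects: Set[Literal]) -> Set[Literal]:
    """Update semantics: an effect of the current task overrides a conflicting earlier one."""
    return {lit for lit in state if neg(lit) not in effects} | set(effects)


def premise_holds(p: str, state: Set[Literal], obls: List[Obligation]) -> bool:
    if p.startswith("[O]"):         # deontic premise, as FCL allows in rule bodies
        return any(o.status == "pending" and o.rule.chain[o.idx] == p[3:] for o in obls)
    return p in state


def settle(o: Obligation, state: Set[Literal]) -> None:
    """Fulfil, violate, or move along the reparation chain; leave pending if undecided."""
    while o.status == "pending":
        lit = o.rule.chain[o.idx]
        if lit in state:
            o.status = "fulfilled" if o.idx == 0 else "compensated"
        elif neg(lit) in state:     # violation: the next element of the chain enters into force
            if o.idx + 1 < len(o.rule.chain):
                o.idx += 1          # the loop re-checks the new element against the same state
            else:
                o.status = "violated"
        else:
            return


def check_trace(rules: List[Rule], annotations: Dict[str, Set[Literal]],
                trace: List[str]) -> Dict[str, str]:
    """One traversal of a trace; returns the final status of every obligation raised on it."""
    state: Set[Literal] = set()
    obls: List[Obligation] = []
    for task in trace:
        state = update_state(state, annotations[task])
        for r in rules:             # obligations entering into force at this task (each rule fires once)
            if not any(o.rule is r for o in obls) and all(premise_holds(p, state, obls) for p in r.body):
                obls.append(Obligation(r))
        for o in obls:
            settle(o, state)
    for o in obls:                  # end of trace: a pending achievement obligation can no longer be met
        if o.status == "pending":
            o.status = "violated"
    return {o.rule.name: o.status for o in obls}


def trace_compliant(statuses: Dict[str, str]) -> bool:
    return all(s in ("fulfilled", "compensated") for s in statuses.values())


def check_process(rules, annotations, traces) -> Tuple[bool, bool, Dict[int, bool]]:
    """compliant = every trace compliant; weakly compliant = at least one trace compliant."""
    per_trace = {i: trace_compliant(check_trace(rules, annotations, t)) for i, t in enumerate(traces)}
    return all(per_trace.values()), any(per_trace.values()), per_trace


# Constructed sample data in the chapter's supplier scenario (subject indices omitted).
RULES = [
    Rule("r1", ("Order",), ("ProvidesGoodsTimely", "OfferDiscount")),   # primary obligation + reparation
    Rule("r2", ("Order",), ("InvoiceSent",)),
    Rule("r3", ("[O]OfferDiscount",), ("NotifyCustomer",)),             # rule with a deontic premise
]
ANNOTATIONS = {                     # task -> effects (post-conditions) as FCL literals
    "ReceiveOrder": {"Order"},
    "ShipOnTime": {"ProvidesGoodsTimely"},
    "ShipLate": {"¬ProvidesGoodsTimely"},
    "GrantDiscount": {"OfferDiscount", "NotifyCustomer"},
    "SendInvoice": {"InvoiceSent"},
}
TRACES = [
    ["ReceiveOrder", "ShipOnTime", "SendInvoice"],                     # primary obligations met
    ["ReceiveOrder", "ShipLate", "GrantDiscount", "SendInvoice"],     # violation compensated
    ["ReceiveOrder", "ShipLate", "SendInvoice"],                       # violation not compensated
]

if __name__ == "__main__":
    for i, t in enumerate(TRACES):
        print(i, check_trace(RULES, ANNOTATIONS, t))
    compliant, weakly, _ = check_process(RULES, ANNOTATIONS, TRACES)
    print("compliant:", compliant, "weakly compliant:", weakly)
```

On the constructed data the first trace fulfils r1 and r2, the second violates r1's primary obligation but compensates it (and r3, raised by the deontic premise once OfferDiscount is in force, is fulfilled by the same task), and the third leaves r1 and r3 violated, so the process is weakly compliant but not compliant. The order inside the loop follows the chapter's listing: effects are cumulated first, then obligations entering into force are collected, then every obligation is settled against the new state.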
We now describe the implementation of a prototype, called BPCC, based on the above archi-
tecture, which has been tested and evaluated with an industry-scale real-life case study, reported
in (Governatori and Shek, 2012).⁴
⁴ For more information about BPCC see http://www.nicta.com.au/research/projects/bpc.
BPCC is implemented on top of Eclipse. For the representation of process models, it uses
the Eclipse Activiti BPMN 2.0 plugin, extended with features to allow users to add semantic
annotations to the tasks in the process model. BPCC is process model agnostic; this means that
while the current implementation is based on BPMN, all BPCC needs is a description of the
process and the annotations for each task. A module of BPCC takes the description of the
process and generates the execution traces corresponding to the process. After the traces are
generated, BPCC runs the algorithm outlined in the previous section, using the SPINdle rule
engine (Lam and Governatori, 2009) for the evaluation of the FCL rules. In case a process is not
compliant (or if it is only weakly compliant) BPCC reports the traces, tasks, rules and obligations
involved in the non-compliance issues (see Figure 6).
BPCC was tested against the 2012 Australian Telecommunications Customers Protection Code
(C628-2012). The code is effective from September 1st 2012. The code requires telecommunication
operators to provide annual attestation of compliance with the code starting from April 1st
2013. The evaluation was carried out in May-June 2012. Specifically, the section of the code
on complaint handling has been manually mapped to FCL. The section of the code contains
approximately 100 commas, in addition to approximately 120 terms given in the Definitions
and Interpretation section of the code. The mapping resulted in 176 FCL rules, containing 223
FCL (atomic) propositions, and 7 instances of the superiority relation. Of the 176 rules, 33 were
used to capture definitions of terms used in the remaining rules. Mapping the section of the
code required all features of FCL: all types of obligations apart from punctual obligations were
used, as well as reparation chains, permissions, defeasibility to easily capture exceptions, and
obligations and permissions in the body of rules.
The evaluation was carried out in cooperation with an industry partner subject to the code.
The industry partner did not have formalised business processes. Thus, we worked with domain
experts from the industry partner (who had not been previously exposed to BPM technology,
but who were familiar with the industry code) to draw process models for the activities covered
by the code. The evaluation was carried out in two steps. In the first part we modelled the
processes as they were. BPCC was able to identify several areas where the existing processes were
not compliant with the new code. In some cases the industry partner was already aware of some
of the areas requiring modifications of the existing processes. However, some of the compliance
issues discovered by the tool were novel to the business analysts and were identified as genuine
non-compliance issues that needed to be resolved. In the second part of the experiment, the
existing processes were modified to comply with the code based on the issues identified in
the first phase. In addition, a few new business process models required by the new code were
designed. As a result we generated and annotated 6 process models. 5 of the 6 models are limited
in size and they can be checked for compliance in seconds. The largest process contains 41 tasks
and 12 decision points (xor splits: 11 binary, 1 ternary). The shortest path in the model has 6 tasks,
while the longest path consists of 33 tasks (with 2 loops), and the longest path without loops is
22 tasks long. The time taken to verify compliance for this process amounts to approximately 40
seconds on a MacBook Pro with a 2.2GHz Intel Core i7 processor and 8GB of RAM (limited to 4GB
in Eclipse).
A few other compliance prototypes have been proposed: MoBuCom (Maggi et al., 2011),
Compass (Elgammal et al., 2012) and SeaFlows (Ly et al., 2012). MoBuCom and Compass are
based on Linear Temporal Logic (LTL) and mostly address “structural compliance” (i.e., that
the tasks are executed in the relative order defined by a constraint model). The use of LTL
implies that the model on which these tools are based is not conceptually related to the
legal domain, and thus fails to capture nuances of reasoning with normative constraints such
as violations, different types of obligations, and the compensation of violations. For example,
obligations are represented by temporal operators. This raises the problem of how to represent
the distinction between achievement and maintenance obligations. A possible solution is to
use always for maintenance and sometimes for achievement, but this leaves no room for the
concept of permission (permission is the dual of obligation, and always and sometimes are the
dual of each other). In addition, using temporal operators to model obligations makes it hard to
capture data compliance (Hashmi et al., 2012), i.e., obligations that refer to literals in the same
task. SeaFlows is based on first-order logic, and it is well known that first-order logic is not suitable
to capture normative reasoning (Herrestad, 1991). On the other hand FCL, and consequently
BPCC, comply with the guidelines set out in (Gordon et al., 2009) for a rule language suitable for
the representation of legal knowledge and legal reasoning.

Figure 6: Example of non-compliant report in BPCC
6 Discussion and Outlook
As the importance of GRC grows for various industries, there is an evident need to provide
supporting tools and methods to enable organizations seeking corporate social responsibility
to achieve their objectives. The challenges that reside in this topic warrant systematic
approaches that motivate and empower business users to achieve a high degree of compliance
with regulations, standards, and corporate policies.
One of the biggest challenges facing the compliance industry is the measurement of adequacy
of controls (KPMG Advisory, 2005), that is, achieving a balance between control and business
objectives. This has been a driver of the research presented in this chapter. The methodology
presented in Sect. 3 provides a systematic means of aligning business and control objectives.
However, several open issues still remain. In (Abdullah et al., 2010), an industry driven research
agenda for GRC has been presented, which highlights the main challenges and potential areas of
future research. The agenda is aligned with the main message of this chapter and is summarized
below.
First and foremost, there is an urgent need for proper benchmarking studies to help address
the challenge of high cost. Particularly for SMEs, there is high cost and great difficulty in
measuring the adequacy of controls for principles based regulations where the onus is on the
organization to design an appropriate compliance regimen. Benchmarking and best practice
studies will allow improvement of controls effectiveness, a reduction of costs, and an improved
potential to deal with resistance to change through demonstrating methods used by others.
Such additional knowledge can further help alleviate the perception of legislation weaknesses
in principles based regulations and consequently promote regulation acceptance.
In a related manner, there is also a need for investigation of process reference models
relating to various regulations. A focus on the development of such reference models and
the study of the impact of the use of such models in organizations (i.e. impact on compliance
management spending, frequency of breaches, etc.) is largely missing in Information Systems
research. The development of proven reference models, however, may significantly lessen the
cost of compliance management in organizations.
The culture of compliance is ingrained in the daily rituals of each of the firm’s employees,
including senior management, who must learn to lead by example. There is a clear lack of
Information Systems research on organisational behaviour. In particular we see a need for
investigation of how IT and IS tools can be used to incentivize employees to ‘do the right thing’
and adapt their practices. There is also a need for the development of relevant IT and IS tools
that can help facilitate employee training for compliance management, promote communication
among staff and increase organizational capacity to manage its compliance knowledge base.
How the compliance (and risk) factor interrelates with the operations of business units
is understudied, with only a small number of researchers working on the conceptualisation
of compliance and risk requirements per se, let alone their inter-relationships with business
processes and business activities. A comprehensive and well-grounded conceptual model for
compliance and risk is needed.
Further to the point above, tools and methods are needed to annotate, enhance, analyse and
simulate business models with compliance and risk modeling elements. This will facilitate better
coordination between an organization’s compliance and business functions and help employees
understand compliance value and business relevance.
Although reporting and monitoring tools of high sophistication are available, there is little
development towards tools that provide specialized solutions in monitoring and analysing
compliance related data (partly due to the absence of generic conceptual models for GRC), thus
causing big problems for organisations required to create evidence of compliance. Accordingly,
we see a need for affordable IT and IS tools that facilitate compliance management self-audits
and compliance monitoring activities in general. Furthermore, there is also a clear need for tools
that facilitate the identification of non-compliant processes with respect to a given regulation.
Although the frequency of change, as well as inconsistencies and overlaps in regulations, is beyond
the realm of IS research, studies to understand the impact of regulation changes (inconsistencies
and overlaps) can promote a better understanding of the cost of compliance and allow business to
lobby for regulatory reform where needed. Multidisciplinary research is warranted in order to
cover legal, business and IT aspects. From an Information Systems perspective, there is a need
for solutions that can filter out updates that are not relevant to a given organization or industry
sector, thus reducing the amount of information that the organization has to process in order to
update or assess their compliance management initiatives.
In conclusion, future research endeavors in this area should strive toward compliance manage-
ment frameworks that provide a close integration of the three perspectives, namely, preventative,
detective, and corrective. Such a framework can allow organizations to better respond to the
changing regulatory demands and also reap the benefits of process improvement.
Acknowledgements
NICTA is funded by the Australian Government as represented by the Department of Broadband,
Communications and the Digital Economy and the Australian Research Council through the
ICT Centre of Excellence program.
References
Abdullah, NS, M Indulska and S Sadiq (2009). “A study of compliance management in information systems research”. In S Newell, EA Whitley, N Pouloudi, J Wareham, and L Mathiassen, eds. 17th European Conference on Information Systems (ECIS 2009), pp. 1711–1721.
Abdullah, NS, S Sadiq and M Indulska (2010). “Emerging Challenges in Information Systems Research for Regulatory Compliance Management”. In B Pernici, ed. 22nd International Conference on Advanced Information Systems Engineering (CAiSE 2010). LNCS 6051, pp. 251–265. Springer, Heidelberg.
Abdullah, NS, S Sadiq and M Indulska (2012). “A Compliance Management Ontology: Developing Shared Understanding through Models”. In J Ralyté, X Franch, S Brinkkemper, and S Wrycza, eds. 24th International Conference on Advanced Information Systems Engineering (CAiSE 2012). LNCS 7328, pp. 429–444. Springer, Heidelberg.
Agrawal, R, CM Johnson, J Kiernan and F Leymann (2006). “Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology”. In L Liu, A Reuter, KY Whang, and J Zhang, eds. Proceedings of the 22nd International Conference on Data Engineering (ICDE 2006), p. 92. IEEE Computer Society.
Alberti, M, M Gavanelli, E Lamma, F Chesani, P Mello and P Torroni (2006). “Compliance verification of agent interaction: a logic-based software tool”. Applied Artificial Intelligence. 20(2-4): 133–157.
Alonso, G, P Dadam, and M Rosemann, eds. (2007). 5th International Conference on Business Process Management (BPM 2007). LNCS 4714. Springer, Heidelberg.
Antoniou, G, D Billington, G Governatori and MJ Maher (2001). “Representation Results for Defeasible Logic”. ACM Transactions on Computational Logic. 2(2): 255–287.
ASX (2006). Australian securities exchange principles of good governance, recommendation 7.1. url: http://www.asx.gov.au (visited on 1st June 2008).
AUSTRAC (2006). Australian transaction reports and analysis centre supervisory framework. url: http://www.austrac.gov.au/files/supervisory framework.pdf (visited on 1st June 2008).
BPM Forum (2006). CEE: the future. Building the compliance enabled enterprise. Report produced by Global Fluency in partnership with: AXS-One, Chief Executive magazine and IT Compliance Institute.
Caldwell, F and T Eid (2008). Magic quadrant for enterprise governance, risk and compliance platforms. Gartner Research, G00158295, June 2008.
Carmo, J and AJ Jones (2002). “Deontic Logic and Contrary To Duties”. In D Gabbay, and F Guenther, eds. Handbook of Philosophical Logic, 2nd Edition. Vol. 8, pp. 265–343. Springer, Berlin.
Cheng, R, S Sadiq and M Indulska (2011). “Framework for Business Process and Rule Integration: A Case of BPMN and SBVR”. In W Abramowicz, ed. 14th International Conference on Business Information Systems (BIS 2011). LNBIP 87, pp. 13–24. Springer, Heidelberg.
Conforti, R, G Fortino, M La Rosa and AHM ter Hofstede (2011). “History-Aware, Real-Time Risk Detection in Business Processes”. In R Meersman, TS Dillon, P Herrero, A Kumar, M Reichert, L Qing, BC Ooi, E Damiani, DC Schmidt, J White, M Hauswirth, P Hitzler, and MK Mohania, eds. On the Move to Meaningful Internet Systems: OTM 2011 – Confederated International Conferences: CoopIS, DOA-SVI, and ODBASE 2011 (OTM Conferences). LNCS 7044, pp. 100–118. Springer, Heidelberg.
COSO (1994). COSO: Internal Control, An Integrated Framework. The Committee of Sponsoring Organisations of the Treadway Commission.
Desai, N, AU Mallya, AK Chopra and MP Singh (2005). “Interaction Protocols as Design Abstractions for Business Processes”. IEEE Transactions on Software Engineering. 31(12): 1015–1027.
Desai, N, NC Narendra and MP Singh (2008). “Checking correctness of business contracts via commitments”. In L Padgham, DC Parkes, J Müller, and S Parsons, eds. 7th International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2008), pp. 787–794. IFAAMAS.
Eder, J, and S Dustdar, eds. (2006). Business Process Management Workshops. LNCS 4103. Springer, Heidelberg.
Elgammal, A, O Türetken and WJ van den Heuvel (2012). “Using Patterns for the Analysis and Resolution of Compliance Violations”. International Journal of Cooperative Information Systems. 21(1): 31–54.
Farrell, ADH, MJ Sergot, M Sallé and C Bartolini (2005). “Using the event calculus for tracking the normative state of contracts”. International Journal of Cooperative Information Systems. 14(2-3): 99–129.
Giblin, C, S Müller and B Pfitzmann (2006). From Regulatory Policies to Event Monitoring Rules: Towards Model Driven Compliance Automation. IBM Research Report. Zurich Research Laboratory. Oct. 2006.
Goedertier, S and J Vanthienen (2006). “Designing Compliant Business Processes with Obligations and Permissions”. In Eder and Dustdar (2006), pp. 5–14.
Gordon, TF, G Governatori and A Rotolo (2009). “Rules and Norms: Requirements for Rule Interchange Languages in the Legal Domain”. In Governatori, Hall and Paschke (2009), pp. 282–296.
Governatori, G (2005). “Representing Business Contracts in RuleML”. International Journal of Cooperative Information Systems. 14(2-3): 181–216.
Governatori, G, J Hall, and A Paschke, eds. (2009). International Symposium on Rule Interchange and Applications (RuleML 2009). LNCS 5858. Springer, Heidelberg.
Governatori, G, J Hoffmann, SW Sadiq and I Weber (2009). “Detecting Regulatory Compliance for Business Process Models through Semantic Annotations”. In D Ardagna, M Mecella, and J Yang, eds. Business Process Management Workshops. LNBIP 17, pp. 5–17. Springer, Heidelberg.
Governatori, G, Z Milosevic and S Sadiq (2006). “Compliance checking between business processes and business contracts”. In PCK Hung, ed. 10th International Enterprise Distributed Object Computing Conference (EDOC 2006), pp. 221–232. IEEE Computing Society.
Governatori, G and A Rotolo (2006). “Logic of Violations: A Gentzen System for Reasoning with Contrary-To-Duty Obligations”. Australasian Journal of Logic. 4: 193–215.
Governatori, G and A Rotolo (2008). “An Algorithm for Business Process Compliance”. In E Francesconi, G Sartor, and D Tiscornia, eds. Legal Knowledge and Information Systems. Frontiers in Artificial Intelligence and Applications 189, pp. 186–191. IOS Press.
Governatori, G and A Rotolo (2010). “A Conceptually Rich Model of Business Process Compliance”. In S Link, and A Ghose, eds. 7th Asia-Pacific Conference on Conceptual Modelling (APCCM 2010). CRPIT 110, pp. 3–12. ACS.
Governatori, G and S Sadiq (2009). “The Journey to Business Process Compliance”. In J Cardoso, and W van der Aalst, eds. Handbook of Research on BPM, pp. 426–454. IGI Global.
Governatori, G and S Shek (2012). “Rule Based Business Process Compliance”. In Proceedings of the RuleML2012@ECAI Challenge. CEUR Workshop Proceedings 874, article 5.
Hagerty, J, J Hackbush, D Gaughan and S Jacobson (2008). The governance, risk management, and compliance spending report, 2008–2009: Inside the $32B GRC Market. AMR Research, Boston, USA, 25th Mar. 2008.
Hashmi, M, G Governatori and MT Wynn (2012). “Business Process Data Compliance”. In A Bikakis, and A Giurca, eds. 6th International Symposium on Rules on the Web: Research and Applications (RuleML 2012). LNCS 7438, pp. 32–46. Springer, Heidelberg.
Herrestad, H (1991). “Norms and formalization”. In Third International Conference on Artificial Intelligence and Law (ICAIL 1991), pp. 175–184. ACM.
KPMG Advisory (2005). The Compliance Journey: Balancing Risk and Controls with Business Improvement.
Küster, JM, K Ryndina and H Gall (2007). “Generation of Business Process Models for Object Life Cycle Compliance”. In Alonso, Dadam and Rosemann (2007), pp. 165–181.
Lam, HP and G Governatori (2009). “The Making of SPINdle”. In Governatori, Hall and Paschke (2009), pp. 315–322.
Liu, Y, S Müller and K Xu (2007). “A static compliance-checking framework for business process models”. IBM Systems Journal. 46(2): 335–362.
Lu, R, S Sadiq and G Governatori (2007). “Compliance Aware Business Process Design”. In AHM ter Hofstede, B Benatallah, and HY Paik, eds. Business Process Management Workshop. LNCS 4928, pp. 120–131. Springer, Heidelberg.
Ly, LT, S Rinderle-Ma, K Göser and P Dadam (2012). “On enabling integrated process compliance with semantic constraints in process management systems - Requirements, challenges, solutions”. Information Systems Frontiers. 14(2): 195–219.
Maggi, FM, M Montali, M Westergaard and WMP van der Aalst (2011). In S Rinderle-Ma, F Toumani, and K Wolf, eds. 9th International Conference on Business Process Management (BPM 2011). LNCS 6896, pp. 132–147. Springer, Heidelberg.
Neiger, D, L Churilov, M zur Muehlen and M Rosemann (2006). “Integrating risks in business process models with value focused process engineering”. In J Ljungberg, and M Andersson, eds. Proceedings of the Fourteenth European Conference on Information Systems (ECIS 2006), pp. 1606–1615.
Padmanabhan, V, G Governatori, S Sadiq, RM Colomb and A Rotolo (2006). “Process Modelling: The Deontic Way”. In M Stumptner, S Hartmann, and Y Kiyoki, eds. Third Asia-Pacific Conference on Conceptual Modelling (APCCM 2006), pp. 75–84. Australian Computer Science Communications.
Pesic, M and WMP van der Aalst (2006). “A Declarative Approach for Flexible Business Processes Management”. In Eder and Dustdar (2006), pp. 169–180.
Sadiq, SW, ME Orlowska and W Sadiq (2005). “Specification and validation of process constraints for flexible workflows”. Information Systems. 30(5): 349–378.
Sadiq, S, G Governatori and K Namiri (2007). “Modelling of Control Objectives for Business Process Compliance”. In Alonso, Dadam and Rosemann (2007), pp. 149–164.
Sartor, G (2005). Legal Reasoning. Dordrecht: Springer.
van der Aalst, WMP, BF van Dongen, J Herbst, L Maruster, G Schimm and AJMM Weijters (2003). “Workflow mining: A survey of issues and approaches”. Data and Knowledge Engineering. 47(2): 237–267.
van Dongen, BF, AKA de Medeiros, HMW Verbeek, AJMM Weijters and WMP van der Aalst (2005). “The ProM Framework: A New Era in Process Mining Tool Support”. In G Ciardo, and P Darondeau, eds. 26th International Conference Applications and Theory of Petri Nets 2005 (ICATPN 2005). LNCS 3536, pp. 444–454. Springer, Heidelberg.
zur Mühlen, M, M Indulska and G Kemp (2007). “Business Process and Business Rule Modeling Languages for Compliance Management: A Representational Analysis”. In ER 2007: Tutorials, Poster, Panels, and Industrial Contribution. CRPIT 83, pp. 127–132.
zur Mühlen, M and M Rosemann (2005). “Integrating Risks in Business Process Models”. In Proceedings of 16th Australasian Conference on Information Systems.