Software & Systems Modeling

, Volume 15, Issue 1, pp 119–146 | Cite as

Formalizing and appling compliance patterns for business process compliance

  • Amal ElgammalEmail author
  • Oktay Turetken
  • Willem-Jan van den Heuvel
  • Mike Papazoglou
Regular Paper


Today’s enterprises demand a high degree of compliance of business processes to meet diverse regulations and legislations. Several industrial studies have shown that compliance management is a daunting task, and organizations are still struggling and spending billions of dollars annually to ensure and prove their compliance. In this paper, we introduce a comprehensive compliance management framework with a main focus on design-time compliance management as a first step towards a preventive lifetime compliance support. The framework enables the automation of compliance-related activities that are amenable to automation, and therefore can significantly reduce the expenditures spent on compliance. It can help experts to carry out their work more efficiently, cut the time spent on tedious manual activities, and reduce potential human errors. An evident candidate compliance activity for automation is the compliance checking, which can be achieved by utilizing formal reasoning and verification techniques. However, formal languages are well known of their complexity as only versed users in mathematical theories and formal logics are able to use and understand them. However, this is generally not the case with business and compliance practitioners. Therefore, in the heart of the compliance management framework, we introduce the Compliance Request Language (CRL), which is formally grounded on temporal logic and enables the abstract pattern-based specification of compliance requirements. CRL constitutes a series of compliance patterns that spans three structural facets of business processes; control flow, employed resources and temporal perspectives. Furthermore, CRL supports the specification of compensations and non-monotonic requirements, which permit the relaxation of some compliance requirements to handle exceptional situations. An integrated tool suite has been developed as an instantiation artefact, and the validation of the approach is undertaken in several directions, which includes internal validity, controlled experiments, and functional testing.


Business process compliance Compliance patterns Formal specification Regulatory compliance Compliance management tool support Design-time compliance management 



The authors gratefully acknowledge PricewaterhouseCoopers (Netherlands), Thales Services (France), and other COMPAS project partners for their effort in providing and participating in the case studies and scenarios, and their valuable contributions. Special thanks to Dr. Guido Governatori (NICTA, Australia) for reviewing the paper and for his valuable comments.


  1. 1.
    SOX: Sarbanes-Oxley Act of 2002. In: Congress, U.S. (ed.), (2002)Google Scholar
  2. 2.
    Bank for International Settlements: Basel III: International framework for liquidity risk measurement, standards and monitoring (2010)Google Scholar
  3. 3.
    Accutiy. Visualising trends in anti-money laundering compliance. Accessed 28 Nov 2013
  4. 4.
    Ernst & Young: The Top 10 Risks For Business. The Ernst & Young Business Risk Report (2010)Google Scholar
  5. 5.
    Hartman, T.: The Cost of Being Public in the ERA of Sarbanes-Oxley. Foley & Lardner LLP (2006)Google Scholar
  6. 6.
    Goedertier, S., Vanthienen, J.: Designing compliant business processes with obligations and permissions. In: International Business Process Management Workshops (BPM), Austria, pp. 5–14 (2006)Google Scholar
  7. 7.
    Sadiq, S., Governatori, G., Naimiri, K.: Modeling control objectives for business process compliance. In: Business Process Management-BPM’09 Proceedings, pp. 149–164 (2007)Google Scholar
  8. 8.
    Holzmann, G.: The model checker SPIN. IEEE Trans. Softw. Eng. 23, 279–295 (1997)CrossRefGoogle Scholar
  9. 9.
    Ly, L.T., Rinderle-Ma, S., Göser, K., Dadam, P.: On enabling integrated process compliance with semantic constraints in process management systems. Inf. Syst. Front. 14(2), 195–219 (2012)Google Scholar
  10. 10.
    Halle, S., Villemaire, R., Cherkaoui, O.: Specifying and validating data-aware temporal web service properties. IEEE Trans. Softw. Eng. 35, 669–683 (2009)CrossRefGoogle Scholar
  11. 11.
    Giblin, C., Liu, A., Muller, S., Pfitzmann, B., Zhou, X.: Regulations expressed as logical models. In: 18th International Annual Conference of Legal Knowledge and Information Systems, Belgium, pp. 37–48 (2005)Google Scholar
  12. 12.
    Eshuis, R.: Symbolic model checking of UML activity diagrams. ACM Trans. Softw. Eng. Methodol. 15, 1–38 (2006)CrossRefGoogle Scholar
  13. 13.
    Wang, H.J., Leon Zhao, J.: Constraint-centric workflow change analytics. Decis. Support Syst. 51, 562–575 (2011)CrossRefGoogle Scholar
  14. 14.
    Abouzaid, F., Mullins, J.: A calculus for generation, verification, and refinement of BPEL specifications. Electron. Notes Theor. Comput. Sci. (ENTCS) 200, 43–65 (2008)CrossRefGoogle Scholar
  15. 15.
    Awad, A., Gore, R., Thomson, J., Weidlich, M.: An iterative approach for business process template synthesis from compliance rules. In: 23rd International Conference on Advanced Information Systems, Engineering, pp. 406–421 (2011)Google Scholar
  16. 16.
    Yu, J., Han, Y., Han, J., Jin, Y., Falcarin, P., Morisio, M.: Synthesizing service composition models on the basis of temporal business rules. J. Comput. Sci. Technol. 23, 885–894 (2008)CrossRefGoogle Scholar
  17. 17.
    Liu, Y., Muller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46, 335–361 (2007)Google Scholar
  18. 18.
    Awad, A., Weidlich, M., Weske, M.: Specification, verification and explanation of violation for data aware compliance rules. In: 7th International Conference on Service Oriented Computing (ICSOC- Service Wave’09), vol. 5900, pp. 500–515. Springer, Berlin (2009)Google Scholar
  19. 19.
    Geist, D.: The PSL/sugar specification language: a language for all seasons. In: The Correct Hardware Design and Verification Methods Conference, pp. 21–24 (2003)Google Scholar
  20. 20.
    Khaluf, L., Gerth, C., Engels, G.: Pattern-based modeling and formalizing of business process quality constraints. In: CAiSE’11, pp. 521–535 (2011)Google Scholar
  21. 21.
    Yu, J., Manh, T., Han, J., Jin, Y.: Pattern based property specification and verification for service composition. In: K.A. et al. (eds) WISE 2006, LNCS-4255, pp. 156–168. Springer, Berlin (2006)Google Scholar
  22. 22.
    Dwyer, M., Avrunin, G., Corbett, J.: Property specification patterns for finite-state verification. In: 2nd International Workshop on Formal Methods on Software, Practice, pp. 7–15 (1998)Google Scholar
  23. 23.
    Pelliccione, P., Inverardi, P., Muccini, H.: CHARMY: a framework for designing and verifying architectural specifications. IEEE Trans. Softw. Eng. 35, 325–346 (2009)CrossRefGoogle Scholar
  24. 24.
    Ramezani, E., Fahland, D., van der Aalst, W.: Where did i misbehave? Diagnostic information in compliance checking. In: 10th International Conference on Business Process Management (BPM), pp. 262–278. Springer, Berlin (2012)Google Scholar
  25. 25.
    Accorsi, R., Sato, Y.: Automated certification for compliant cloud-based business processes. Bus. Inf. Syst. Eng. (BISE) 3, 145–154 (2011)CrossRefGoogle Scholar
  26. 26.
    Accorsi, R., Lehmann, A.: Automatic information flow analysis of business process models. In: 10th International Conference on Business Process Management (BPM), pp. 172–187. Springer, Berlin (2012)Google Scholar
  27. 27.
    Pesic, M., Schonenberg, H., van der Aalst, W.M.P.: DECLARE: full support for loosely-structured processes. In: EDOC’07, pp. 287–300 (2007)Google Scholar
  28. 28.
    Pesic, M., van der Aalst, W.: A declarative approach for flexible business processes management. In: BPM’06 Workshops (2006)Google Scholar
  29. 29.
    Konrad, S., Cheng, B.: Real-time specification patterns. In: International Conference on Software Engineering (ICSE’05), USA, pp. 15–21 (2005)Google Scholar
  30. 30.
    Giblin, C., Muller, S., Pfitzmann, B.: From Regulatory Policies to Event Monitoring Rules. Zurich Research Laboratory, Zurich (2006)Google Scholar
  31. 31.
    Gruhn, V., Laue, R.: Specification patterns for time-related properties. In: 12th Int’l Symposium on Temporal Representation and Reasoning, pp. 198–191 (2005)Google Scholar
  32. 32.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Business Process Management (BPM 2007), pp. 64–79. Springer, Berlin (2007)Google Scholar
  33. 33.
    Ahn, G., Sandhu, R., Kang, M., Park., J.: Injecting RBAC to secure a web-based workflow system. In: RBAC ’00, pp. 1–10 (2000)Google Scholar
  34. 34.
    Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: 10th International Enterprise Distributed Object Computing Conference (EDOC 2006), pp. 221–232 (2006)Google Scholar
  35. 35.
    Governatori, G., Rotolo, A.: Justice delayed is justice denied: logics for a temporal account of reparations and legal compliance. In: Computational Logic in Multi-Agent Systems, vol. 6814, pp. 364–382 (2011)Google Scholar
  36. 36.
    Thomas, F.: Constructing legal arguments with rules in the legal knowledge interchange format (LKIF). In: Computable Models of the Law, Languages, Dialogues, Games, Ontologies, vol. 4884, pp. 162–184 (2008)Google Scholar
  37. 37.
    Palmirani, M., Governatori, G., Contissa, G.: Modelling temporal legal rules. In: International Conference on Artificial Intelligence and Law, pp. 131–135 (2011)Google Scholar
  38. 38.
    Governatori, G., Olivieri, F., Scannapieco, S., Cristani, M.: Designing for compliance: norms and goals. In: 5th International Conference on Rule-Based Modeling and Computing on the Semantic Web, pp. 282–297 (2011)Google Scholar
  39. 39.
    Governatori, G., Rotolo, A.: Bio logical agents: norms, beliefs, intentions in defeasible logic. J. Auton. Agents Multi Agent Syst. 17, 36–69 (2008)CrossRefGoogle Scholar
  40. 40.
    Markovic, I., Pereira, A.C., Stojanovic, N.: A framework for querying in business process modelling. International Multikonferenz Wirtschaftsinformatik, Germany, pp. 1703–1714 (2008)Google Scholar
  41. 41.
    Beeri, C., Eyal, A., Kamenkovich., S.: Querying business processes. In: 32nd International VLDB Conference, Korea, pp. 343–354 (2006)Google Scholar
  42. 42.
    Kühne, S., Kern, H., Gruhn, V., Laue, R.: Business process modeling with continuous validation. J. Softw. Evol. Process 22, 547–566 (2010)CrossRefGoogle Scholar
  43. 43.
    Delfmann, P., Herwig, S., Lis, L., Stein, A., Tent, K., Becker, J.: Pattern specification and matching in conceptual models: a generic approach based on set operations. Enterp. Modell. Inf. Syst. Arch. 5, 24–43 (2010)Google Scholar
  44. 44.
    Awad, A.: BPMN-Q: A language to query business processes. In: 2nd International Workshop on Enterprise Modelling and Information Systems Architectures: Concepts and Applications (EMISA), Germany, pp. 115–128 (2007)Google Scholar
  45. 45.
    Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Towards a comprehensive design-time compliance management: a roadmap. In: 15 International Business Information Management Conference (15th IBIMA), Egypt, pp. 1480–1484 (2010)Google Scholar
  46. 46.
    Fu, X., Bultan, T., Su, J.: Analysis of Interacting BPEL Web Services. World Wide Web (WWW), pp. 621–630. ACM Press, USA (2004)Google Scholar
  47. 47.
    Fu, X., Bultan, T., Su, J.: WSAT: a tool for formal analysis of web services. In: 16th International Conference on Computer Aided Verification, USA, pp. 510–514 (2004)Google Scholar
  48. 48.
    Turetken, O., Elgammal, A., van den Heuvel, W.J., Papazoglou, M.: Enforcing compliance on business processes through the use of patterns. In: 19th European Conference on Information Systems (ECIS 2011), Finland (2011)Google Scholar
  49. 49.
    Turetken, O., Elgammal, A., van den Heuvel, W., Papazoglou, M.: Capturing compliance requirements: a pattern-based approach. IEEE Softw. 29, 28–36 (2012)CrossRefGoogle Scholar
  50. 50.
    COSO: Internal Control: Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission (1994)Google Scholar
  51. 51.
    Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Root-cause analysis of design-time compliance violations on the basis of property patterns. In: 8th International Conference on Service-Oriented Computing (ICSOC’10), USA, pp. 17–31 (2010)Google Scholar
  52. 52.
    Elgammal, A., Turetken, O., van den Heuvel, W.: Using patterns for the analysis and resolution of compliance violations. Int. J. Coop. Inf. Syst. 21, 31–54 (2012)CrossRefGoogle Scholar
  53. 53.
    COMPAS Project, Deliverable 2.1: State-of-the-Art in the Field of Compliance Languages (2008)Google Scholar
  54. 54.
    IFRS: International Financial Reporting Standards. International Accounting Standards Board (2001)Google Scholar
  55. 55.
    FINRA: The Financial Industry Regulatory Authority, “FINRA Manual” (2008)Google Scholar
  56. 56.
    COBIT: Control Objectives for Information and related Technology: COBIT, 4.1. IT Governance Institute (2007)Google Scholar
  57. 57.
    OCEG: GRC Capability Model, Ver 2.0. Open Compliance and Ethics Group (2009)Google Scholar
  58. 58.
    Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of regulatory compliance: a comparative analysis. In: International Performance Assessment and Auditing in Service Computing Workshop, ICSOC’10 workshops, USA (2010)Google Scholar
  59. 59.
    Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of business contracts and regulatory compliance. In: 4th Workshop on Formal Languages and Analysis of Contract-Oriented Software, EPTCS, Pisa, Italy. pp. 33–36 (2010)Google Scholar
  60. 60.
    Elgammal, A.: Towards a comprehensive framework for business process compliance. Ph.D. Dissertation. Information Management Department, Tilburg University, Tilburg University Press, pp. 284 (April 2012)Google Scholar
  61. 61.
    Pnueli, A.: The temporal logic of programs. In: 18th IEEE Symposium on Foundations of Computer, Science, pp. 46–57 (1977)Google Scholar
  62. 62.
    Armoni, R., Fix, L., Flaisher, A., Gerth, R., Ginsburg, B., Kanza, T., Landver, A., Mador-Haim, S., Singerman, E., Tiemeyer, A., Vardi, M., Zbar, Y.: The ForSpec temporal logic: a new temporal property-specification language. Lecture Notes In Computer Science, vol. 2280 (2002)Google Scholar
  63. 63.
    Alur, R., Henzinger, T.: Real-time logics: complexity and expressiveness. Inf. Comput. 104, 35–77 (1993)CrossRefMathSciNetzbMATHGoogle Scholar
  64. 64.
    Baral, C., Zhoa, J.: Non-monotonic temporal logics for goal specifications. In: 20th International Intelligence Conference on Artificial Intelligence (IJCAI-07), India, pp. 236–242 (2007)Google Scholar
  65. 65.
    Hevner, A., March, S., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28, 75–105 (2004)Google Scholar
  66. 66.
    Sebahi, S.: Business process compliance monitoring: a view based approach. Laboratoire d’InfoRmatique en Image et Systèmes d’information (LIRIS), Ph.D. University Lyon 1, Lyon (2012) Google Scholar
  67. 67.
    OMG: Semantics Of Business Vocabulary And Business Rules (SBVR), Version 1.0. (2008)Google Scholar
  68. 68.
    Abi-Lahoud, E., Butler, T., Chapin, D., Hall, J.: Interpreting regulations in SBVR. In: RuleML (2013)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Amal Elgammal
    • 1
    Email author
  • Oktay Turetken
    • 2
  • Willem-Jan van den Heuvel
    • 3
  • Mike Papazoglou
    • 3
  1. 1.Governance, Risk Management and Compliance Technology Centre (GRCTC)University College CorkCorkIreland
  2. 2.School of Industrial EngineeringEindhoven University of TechnologyEindhovenNetherlands
  3. 3.European Research Institute in Service Science (ERISS)Tilburg UniversityTilburgNetherlands

Personalised recommendations