Skip to main content
SpringerLink
Log in

Formalizing and appling compliance patterns for business process compliance

  • Regular Paper
  • Published:
Software & Systems Modeling Aims and scope Submit manuscript

Abstract

Today’s enterprises demand a high degree of compliance of business processes to meet diverse regulations and legislations. Several industrial studies have shown that compliance management is a daunting task, and organizations are still struggling and spending billions of dollars annually to ensure and prove their compliance. In this paper, we introduce a comprehensive compliance management framework with a main focus on design-time compliance management as a first step towards a preventive lifetime compliance support. The framework enables the automation of compliance-related activities that are amenable to automation, and therefore can significantly reduce the expenditures spent on compliance. It can help experts to carry out their work more efficiently, cut the time spent on tedious manual activities, and reduce potential human errors. An evident candidate compliance activity for automation is the compliance checking, which can be achieved by utilizing formal reasoning and verification techniques. However, formal languages are well known of their complexity as only versed users in mathematical theories and formal logics are able to use and understand them. However, this is generally not the case with business and compliance practitioners. Therefore, in the heart of the compliance management framework, we introduce the Compliance Request Language (CRL), which is formally grounded on temporal logic and enables the abstract pattern-based specification of compliance requirements. CRL constitutes a series of compliance patterns that spans three structural facets of business processes; control flow, employed resources and temporal perspectives. Furthermore, CRL supports the specification of compensations and non-monotonic requirements, which permit the relaxation of some compliance requirements to handle exceptional situations. An integrated tool suite has been developed as an instantiation artefact, and the validation of the approach is undertaken in several directions, which includes internal validity, controlled experiments, and functional testing.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Notes

  1. BPCM Business Process Compliance Management Tool Suite: http://eriss.uvt.nl/compas/.

  2. Ongoing work in Governance, Risk and Compliance Technology Centre (GRCTC), Ireland, http://www.grctc.com/, the first author is affiliated to.

  3. BPCM—Business Process Compliance Management Tool Suite: http://eriss.uvt.nl/compas/.

References

  1. SOX: Sarbanes-Oxley Act of 2002. In: Congress, U.S. (ed.), (2002)

  2. Bank for International Settlements: Basel III: International framework for liquidity risk measurement, standards and monitoring (2010)

  3. Accutiy. Visualising trends in anti-money laundering compliance. http://www.accuity.com/industry-updates/free-resources/trends-in-aml-compliance-infographic/. Accessed 28 Nov 2013

  4. Ernst & Young: The Top 10 Risks For Business. The Ernst & Young Business Risk Report (2010)

  5. Hartman, T.: The Cost of Being Public in the ERA of Sarbanes-Oxley. Foley & Lardner LLP (2006)

  6. Goedertier, S., Vanthienen, J.: Designing compliant business processes with obligations and permissions. In: International Business Process Management Workshops (BPM), Austria, pp. 5–14 (2006)

  7. Sadiq, S., Governatori, G., Naimiri, K.: Modeling control objectives for business process compliance. In: Business Process Management-BPM’09 Proceedings, pp. 149–164 (2007)

  8. Holzmann, G.: The model checker SPIN. IEEE Trans. Softw. Eng. 23, 279–295 (1997)

    Article  Google Scholar 

  9. Ly, L.T., Rinderle-Ma, S., Göser, K., Dadam, P.: On enabling integrated process compliance with semantic constraints in process management systems. Inf. Syst. Front. 14(2), 195–219 (2012)

    Google Scholar 

  10. Halle, S., Villemaire, R., Cherkaoui, O.: Specifying and validating data-aware temporal web service properties. IEEE Trans. Softw. Eng. 35, 669–683 (2009)

    Article  Google Scholar 

  11. Giblin, C., Liu, A., Muller, S., Pfitzmann, B., Zhou, X.: Regulations expressed as logical models. In: 18th International Annual Conference of Legal Knowledge and Information Systems, Belgium, pp. 37–48 (2005)

  12. Eshuis, R.: Symbolic model checking of UML activity diagrams. ACM Trans. Softw. Eng. Methodol. 15, 1–38 (2006)

    Article  Google Scholar 

  13. Wang, H.J., Leon Zhao, J.: Constraint-centric workflow change analytics. Decis. Support Syst. 51, 562–575 (2011)

    Article  Google Scholar 

  14. Abouzaid, F., Mullins, J.: A calculus for generation, verification, and refinement of BPEL specifications. Electron. Notes Theor. Comput. Sci. (ENTCS) 200, 43–65 (2008)

    Article  Google Scholar 

  15. Awad, A., Gore, R., Thomson, J., Weidlich, M.: An iterative approach for business process template synthesis from compliance rules. In: 23rd International Conference on Advanced Information Systems, Engineering, pp. 406–421 (2011)

  16. Yu, J., Han, Y., Han, J., Jin, Y., Falcarin, P., Morisio, M.: Synthesizing service composition models on the basis of temporal business rules. J. Comput. Sci. Technol. 23, 885–894 (2008)

    Article  Google Scholar 

  17. Liu, Y., Muller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46, 335–361 (2007)

    Google Scholar 

  18. Awad, A., Weidlich, M., Weske, M.: Specification, verification and explanation of violation for data aware compliance rules. In: 7th International Conference on Service Oriented Computing (ICSOC- Service Wave’09), vol. 5900, pp. 500–515. Springer, Berlin (2009)

  19. Geist, D.: The PSL/sugar specification language: a language for all seasons. In: The Correct Hardware Design and Verification Methods Conference, pp. 21–24 (2003)

  20. Khaluf, L., Gerth, C., Engels, G.: Pattern-based modeling and formalizing of business process quality constraints. In: CAiSE’11, pp. 521–535 (2011)

  21. Yu, J., Manh, T., Han, J., Jin, Y.: Pattern based property specification and verification for service composition. In: K.A. et al. (eds) WISE 2006, LNCS-4255, pp. 156–168. Springer, Berlin (2006)

  22. Dwyer, M., Avrunin, G., Corbett, J.: Property specification patterns for finite-state verification. In: 2nd International Workshop on Formal Methods on Software, Practice, pp. 7–15 (1998)

  23. Pelliccione, P., Inverardi, P., Muccini, H.: CHARMY: a framework for designing and verifying architectural specifications. IEEE Trans. Softw. Eng. 35, 325–346 (2009)

    Article  Google Scholar 

  24. Ramezani, E., Fahland, D., van der Aalst, W.: Where did i misbehave? Diagnostic information in compliance checking. In: 10th International Conference on Business Process Management (BPM), pp. 262–278. Springer, Berlin (2012)

  25. Accorsi, R., Sato, Y.: Automated certification for compliant cloud-based business processes. Bus. Inf. Syst. Eng. (BISE) 3, 145–154 (2011)

    Article  Google Scholar 

  26. Accorsi, R., Lehmann, A.: Automatic information flow analysis of business process models. In: 10th International Conference on Business Process Management (BPM), pp. 172–187. Springer, Berlin (2012)

  27. Pesic, M., Schonenberg, H., van der Aalst, W.M.P.: DECLARE: full support for loosely-structured processes. In: EDOC’07, pp. 287–300 (2007)

  28. Pesic, M., van der Aalst, W.: A declarative approach for flexible business processes management. In: BPM’06 Workshops (2006)

  29. Konrad, S., Cheng, B.: Real-time specification patterns. In: International Conference on Software Engineering (ICSE’05), USA, pp. 15–21 (2005)

  30. Giblin, C., Muller, S., Pfitzmann, B.: From Regulatory Policies to Event Monitoring Rules. Zurich Research Laboratory, Zurich (2006)

    Google Scholar 

  31. Gruhn, V., Laue, R.: Specification patterns for time-related properties. In: 12th Int’l Symposium on Temporal Representation and Reasoning, pp. 198–191 (2005)

  32. Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Business Process Management (BPM 2007), pp. 64–79. Springer, Berlin (2007)

  33. Ahn, G., Sandhu, R., Kang, M., Park., J.: Injecting RBAC to secure a web-based workflow system. In: RBAC ’00, pp. 1–10 (2000)

  34. Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: 10th International Enterprise Distributed Object Computing Conference (EDOC 2006), pp. 221–232 (2006)

  35. Governatori, G., Rotolo, A.: Justice delayed is justice denied: logics for a temporal account of reparations and legal compliance. In: Computational Logic in Multi-Agent Systems, vol. 6814, pp. 364–382 (2011)

  36. Thomas, F.: Constructing legal arguments with rules in the legal knowledge interchange format (LKIF). In: Computable Models of the Law, Languages, Dialogues, Games, Ontologies, vol. 4884, pp. 162–184 (2008)

  37. Palmirani, M., Governatori, G., Contissa, G.: Modelling temporal legal rules. In: International Conference on Artificial Intelligence and Law, pp. 131–135 (2011)

  38. Governatori, G., Olivieri, F., Scannapieco, S., Cristani, M.: Designing for compliance: norms and goals. In: 5th International Conference on Rule-Based Modeling and Computing on the Semantic Web, pp. 282–297 (2011)

  39. Governatori, G., Rotolo, A.: Bio logical agents: norms, beliefs, intentions in defeasible logic. J. Auton. Agents Multi Agent Syst. 17, 36–69 (2008)

    Article  Google Scholar 

  40. Markovic, I., Pereira, A.C., Stojanovic, N.: A framework for querying in business process modelling. International Multikonferenz Wirtschaftsinformatik, Germany, pp. 1703–1714 (2008)

  41. Beeri, C., Eyal, A., Kamenkovich., S.: Querying business processes. In: 32nd International VLDB Conference, Korea, pp. 343–354 (2006)

  42. Kühne, S., Kern, H., Gruhn, V., Laue, R.: Business process modeling with continuous validation. J. Softw. Evol. Process 22, 547–566 (2010)

    Article  Google Scholar 

  43. Delfmann, P., Herwig, S., Lis, L., Stein, A., Tent, K., Becker, J.: Pattern specification and matching in conceptual models: a generic approach based on set operations. Enterp. Modell. Inf. Syst. Arch. 5, 24–43 (2010)

    Google Scholar 

  44. Awad, A.: BPMN-Q: A language to query business processes. In: 2nd International Workshop on Enterprise Modelling and Information Systems Architectures: Concepts and Applications (EMISA), Germany, pp. 115–128 (2007)

  45. Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Towards a comprehensive design-time compliance management: a roadmap. In: 15 International Business Information Management Conference (15th IBIMA), Egypt, pp. 1480–1484 (2010)

  46. Fu, X., Bultan, T., Su, J.: Analysis of Interacting BPEL Web Services. World Wide Web (WWW), pp. 621–630. ACM Press, USA (2004)

  47. Fu, X., Bultan, T., Su, J.: WSAT: a tool for formal analysis of web services. In: 16th International Conference on Computer Aided Verification, USA, pp. 510–514 (2004)

  48. Turetken, O., Elgammal, A., van den Heuvel, W.J., Papazoglou, M.: Enforcing compliance on business processes through the use of patterns. In: 19th European Conference on Information Systems (ECIS 2011), Finland (2011)

  49. Turetken, O., Elgammal, A., van den Heuvel, W., Papazoglou, M.: Capturing compliance requirements: a pattern-based approach. IEEE Softw. 29, 28–36 (2012)

    Article  Google Scholar 

  50. COSO: Internal Control: Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission (1994)

  51. Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: Root-cause analysis of design-time compliance violations on the basis of property patterns. In: 8th International Conference on Service-Oriented Computing (ICSOC’10), USA, pp. 17–31 (2010)

  52. Elgammal, A., Turetken, O., van den Heuvel, W.: Using patterns for the analysis and resolution of compliance violations. Int. J. Coop. Inf. Syst. 21, 31–54 (2012)

    Article  Google Scholar 

  53. COMPAS Project, Deliverable 2.1: State-of-the-Art in the Field of Compliance Languages (2008)

  54. IFRS: International Financial Reporting Standards. International Accounting Standards Board (2001)

  55. FINRA: The Financial Industry Regulatory Authority, “FINRA Manual” (2008)

  56. COBIT: Control Objectives for Information and related Technology: COBIT, 4.1. IT Governance Institute (2007)

  57. OCEG: GRC Capability Model, Ver 2.0. Open Compliance and Ethics Group (2009)

  58. Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of regulatory compliance: a comparative analysis. In: International Performance Assessment and Auditing in Service Computing Workshop, ICSOC’10 workshops, USA (2010)

  59. Elgammal, A., Turetken, O., van den Heuvel, W., Papazoglou, M.: On the formal specification of business contracts and regulatory compliance. In: 4th Workshop on Formal Languages and Analysis of Contract-Oriented Software, EPTCS, Pisa, Italy. pp. 33–36 (2010)

  60. Elgammal, A.: Towards a comprehensive framework for business process compliance. Ph.D. Dissertation. Information Management Department, Tilburg University, Tilburg University Press, pp. 284 (April 2012)

  61. Pnueli, A.: The temporal logic of programs. In: 18th IEEE Symposium on Foundations of Computer, Science, pp. 46–57 (1977)

  62. Armoni, R., Fix, L., Flaisher, A., Gerth, R., Ginsburg, B., Kanza, T., Landver, A., Mador-Haim, S., Singerman, E., Tiemeyer, A., Vardi, M., Zbar, Y.: The ForSpec temporal logic: a new temporal property-specification language. Lecture Notes In Computer Science, vol. 2280 (2002)

  63. Alur, R., Henzinger, T.: Real-time logics: complexity and expressiveness. Inf. Comput. 104, 35–77 (1993)

    Article  MathSciNet  MATH  Google Scholar 

  64. Baral, C., Zhoa, J.: Non-monotonic temporal logics for goal specifications. In: 20th International Intelligence Conference on Artificial Intelligence (IJCAI-07), India, pp. 236–242 (2007)

  65. Hevner, A., March, S., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28, 75–105 (2004)

    Google Scholar 

  66. Sebahi, S.: Business process compliance monitoring: a view based approach. Laboratoire d’InfoRmatique en Image et Systèmes d’information (LIRIS), Ph.D. University Lyon 1, Lyon (2012)

  67. OMG: Semantics Of Business Vocabulary And Business Rules (SBVR), Version 1.0. (2008)

  68. Abi-Lahoud, E., Butler, T., Chapin, D., Hall, J.: Interpreting regulations in SBVR. In: RuleML (2013)

Download references

Acknowledgments

The authors gratefully acknowledge PricewaterhouseCoopers (Netherlands), Thales Services (France), and other COMPAS project partners for their effort in providing and participating in the case studies and scenarios, and their valuable contributions. Special thanks to Dr. Guido Governatori (NICTA, Australia) for reviewing the paper and for his valuable comments.

Author information

Authors and Affiliations

  1. Governance, Risk Management and Compliance Technology Centre (GRCTC), University College Cork, Cork, Ireland

    Amal Elgammal

  2. School of Industrial Engineering, Eindhoven University of Technology, 5600 MB , Eindhoven, Netherlands

    Oktay Turetken

  3. European Research Institute in Service Science (ERISS), Tilburg University, 5000 LE , Tilburg, Netherlands

    Willem-Jan van den Heuvel & Mike Papazoglou

Authors
  1. Amal Elgammal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Oktay Turetken
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Willem-Jan van den Heuvel
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mike Papazoglou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Amal Elgammal.

Additional information

Communicated by Prof. Ulrich Frank.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Elgammal, A., Turetken, O., van den Heuvel, WJ. et al. Formalizing and appling compliance patterns for business process compliance. Softw Syst Model 15, 119–146 (2016). https://doi.org/10.1007/s10270-014-0395-3

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10270-014-0395-3

Keywords

Search

Navigation