Abstract
The diversity of stakeholders in compliance management initiatives contributes to the challenges organisations face when managing compliance, and consequently adds to the cost of compliance. In particular, there is evidence that the lack of a common or shared understanding of compliance management concepts is a barrier to effective compliance management practice. Taking an information-centric view to addressing this challenge, this paper reports on the development of an ontology intended to provide a shared conceptualisation of the compliance management domain for various stakeholders. The ontology is based on input from domain experts and practitioners, validated and refined through eight case studies, and subsequently evaluated for its usability in practice.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
Conference venues: ACIS, AMCIS, BPM, CAiSE, ECIS, ER, HICSS, ICIS and PACIS.
Journal venues: BPMJ, CACM, CAIS, EJIS, I&M, IS, ISF, ISJ, ISR, JAIS, JIS, JMIS, and MISQ.
The Australasian Compliance Institute (ACI) is the premier member organization for compliance and risk professionals across the Asia Pacific region. ACI connects its members with continuing education, accreditation, publications, networking and advocacy, and is devoted to supporting the profession by increasing its awareness within the Asia Pacific community. ACI website: www.compliance.org.au.
A qualitative data analysis software package that is used to code and analyse qualitative data gathered from surveys, interviews, observations, document analysis, or other text-based data. www.qsrinternational.com .
OWL specification of CoMOn is omitted from this paper due to space constraints.
The survey instrument was pilot tested with three academics familiar with the compliance management domain.
Full details of all 81 constructs are available by request.
References
Anon, J.,. L., Filowitz, H., & Kovatch, J. M. (2007). Integrating sarbanes-oxley controls into an investment firm governance framework. The Journal of Investment Compliance, 8(1), 40–43.
Bace, J., & Rozwell, C. (2006). Understanding the Components of Compliance. Gartner Research: Gartner Research, Inc.
Bace, J., Rozwell, C., Feiman, J., & Kirwin, B. (2006). Understanding the Costs of Compliance. Gartner Research: Gartner, Inc.
Berente, N., Ivanov, D., & Vandenbosch, B. (2010). Process gatekeepers and compliance with enterprise processes. Business Process Management Journal, 16(3), 394–419.
Boella, G., Janssen, M., Hulstijn, J., Humphreys, L., & Torre, L. v. d. (2013). Managing legal interpretation in regulatory compliance. Paper presented at the Proceedings of the Fourteenth International Conference on Artificial Intelligence and Law, Rome, Italy,
Bonner, E., J., O.’. R., & Curran, K. (2011). Implementing the payment card industry (PCI) data security standard (DSS). Telkomnika, 9(2), 365–376.
Booch, G., Rumbaugh, J., & Jacobson, I. (2005). Unified modeling language user guide (2nd edition ed. Addison-Wesley Object Technology Series): Addison-Wesley Professional.
Brank, J., Grobelnik, M., & Mladenić, D. (2005) A Survey of Ontology Evaluation Techniques. In In Proceedings of the Conference on Data Mining and Data Warehouses (SiKDD 2005.
Brewster, C., Alani, H., Dasmahapatra, S., & Wilks, Y. (2004) Data Driven Ontology Evaluation. In Proceedings of International Conference on Language Resources and Evaluation
Brusa, G., Caliusco, M. L., & Chiotti, O. (2006). A process for building a domain ontology: An experience in developing a government budgetary ontology. Hobart, Australia: Paper presented at the Proceedings of the Second Australasian Workshop on Advances in Ontologies.
Burton-Jones, A., Storey, V. C., Sugumaran, V., & Ahluwalia, P. (2005). A semiotic metrics suite for assessing the quality of ontologies. Data & Knowledge Engineering, 55(1), 84–102. doi:10.1016/j.datak.2004.11.010.
Butler, T., & McGovern, D. (2012). A conceptual model and IS framework for the design and adoption of environmental compliance management systems. Information Systems Frontiers, 14(2), 221–235. doi:10.1007/s10796-009-9197-5.
Buttigieg, P. L., Morrison, N., Smith, B., Mungall, C. J., Lewis, S. E., &, t. E. C. (2013). The environment ontology: contextualising biological and biomedical entities. Journal of Biomedical Semantics, 4(43), 1–9.
Caldwell, F. (2008). The enterprise governance, risk and compliance platform defined. Gartner Research.
Caldwell, F., & Eid, T. (2008). Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms. Gartner Research: Gartner, Inc.
Caldwell, F., & Mogull, R. (2006). Risk management and business performance are compatible. Gartner Research
Casellas, N. (2009). Ontology Evaluation through Usability Measures. In R. Meersman, P. Herrero, & T. Dillon (Eds.), On the Move to Meaningful Internet Systems: OTM 2009 Workshops (Vol. 5872, pp. 594–603, Lecture Notes in Computer Science): Springer Berlin/Heidelberg.
Clayton Utz. (2013). Governance. Risk and Compliance: Managing Legal Risks in An Integrated Governance, Risk and Compliance Framework.
Coates, J. C. (2007). The goals and promise of the sarbanes-oxley act. The Journal of Economic Perspectives, 21, 91–116.
Cohen, J. (1960). A Coefficient of Agreement for Nominal Scales. Educational and Psychological Measurement, 20(1), 37–46, doi:10.1177/001316446002000104.
Corcho, O., Fernández-López, M., & Gómez-Pérez, A. (2003). Methodologies, tools and languages for building ontologies. Where is their meeting point? Data & Knowledge Engineering, 46(1), 41–64. doi:10.1016/S0169-023X(02)00195-7.
Cozens, J. (2009). Anti-money laundering - practical tips and lessons to be learned. Keeping Good Companies, 61(8), 452–453.
Cuaresma, J. C. (2002). The gramm-leach-bliley act. Berkeley Technology Law Journal, 17, 497.
Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319–340. doi:10.2307/249008.
Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1989). User acceptance of computer technology: a comparison of two theoretical models. Management Science, 35(8), 982–1003. doi:10.1287/mnsc.35.8.982.
Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1992). Extrinsic and intrinsic motivation to use computers in the Workplace1. Journal of Applied Social Psychology, 22(14), 1111–1132. doi:10.1111/j.1559-1816.1992.tb00945.x.
Deloitte (2013). Enterprise compliance: The risk intelligent approach. USA: Deloitte Development LLC..
Dividino, R., & Sonntag, D. (2008). Controlled Ontology Evolution through Semiotic-based Ontology Evaluation. Paper presented at the Proceedings of the International Workshop on Ontology Dynamics (IWOD), in collaboration with the 7th International Semantic Web Conference (ISWC)},
Dreyfuss, C. (2008). Use IT governance to leverage business objectives and to support compliance requirements. Gartner Research.
Eessaar, E. (2013). On Using a Semiotic Quality Framework to Evaluate the Quality of Conceptual Database Schemas. In T. Sobh, & K. Elleithy (Eds.), Emerging Trends in Computing, Informatics, Systems Sciences, and Engineering (Vol. 151, pp. 103–115, Lecture Notes in Electrical Engineering): Springer New York.
EMC (2010). Enterprise governance risk and compliance: a new paradigm to meet new demands. EMC Perspective
Esteban, A. (2009). Integrated governance, risk and compliance: Enabling transparency, accountability and integrity. Australia: SAI GLobal Limited.
Fensel, D. (2001). Ontologies. In Ontologies (pp. 11–18): Springer Berlin Heidelberg.
Fernández-López, M., & Gómez-Pérez, A. (2002). Overview and analysis of methodologies for building ontologies. The Knowledge Engineering Review, 17(2), 129–156. doi:10.1017/s0269888902000462.
Fernández, M., Gómez-Pérez, A., & Juristo, N. (1997) METHONTOLOGY: From Ontological Art towards Ontological Engineering. In AAAI97 Spring Symposium Series, Menlo Park, California, (pp. 33–40)
Frimpong, J. A., & Rivers, P. A. (2006). Health insurance portability and accountability act: blessing or curse? Journal of Health Care Finance, 33(1), 31–39.
Ghanavati, S., Amyot, D., & Peyton, L. (2007). Towards a Framework for Tracking Legal Compliance in Healthcare. In J. Krogstie, A. Opdahl, & G. Sindre (Eds.), Advanced Information Systems Engineering (Vol. 4495, pp. 218–232, Lecture Notes in Computer Science): Springer Berlin Heidelberg.
Gómez-Pérez, A., Fernández-López, M., & Corcho, O. (2004). Methodologies and Methods for Building Ontologies. In Ontological Engineering (pp. 107–197, Advanced Information and Knowledge Processing): Springer London.
Grimes, G. A. (2007). Compliance with the CAN-SPAM act of 2003. Communications of the ACM, 50(2), 56–62.
Gruber, T. (2009). Ontology. In L. Liu, & M. T. Özsu (Eds.), Encyclopedia of database systems. Springer: US.
Grüninger, M., & Fox, M. S. (1995). Methodology for the Design and Evaluation of Ontologies. Paper presented at the Workshop on Basic Ontological Issues in Knowledge Sharing: International Joint Conference on Artificial Inteligence (IJCAI95),, Montreal, Canada,
Grüninger, M., & Lee, J. (2002). Ontology application and design: introduction. Communications of the ACM, 45(2), 39–41.
Guarino, N., & Welty, C. A. (2009). An Overview of OntoClean. In S. Staab, & D. Rudi Studer (Eds.), Handbook on Ontologies (pp. 201–220, International Handbooks on Information Systems): Springer Berlin Heidelberg.
Guo, T., Schwartz, D. G., Burstein, F., & Linger, H. (2009). Codifying collaborative knowledge: using wikipedia as a basis for automated ontology learning. Knowledge Management Research and Practice, 7(3), 206–217.
Gupta, P. P. (2008). Management’s evaluation of internal controls under section 404(a) using the COSO 1992 control framework: evidence from practice. International Journal of Disclosure and Governance, 5(1), 48–68.
Haghighi, P. D., Burstein, F., Zaslavsky, A., & Arbon, P. (2013). Development and evaluation of ontology for intelligent decision support in medical emergency management for mass gatherings. Decision Support Systems, 54(2), 1192–1204. doi:10.1016/j.dss.2012.11.013.
Hasan, & Stiller, B. (2007). AURIC: A Scalable and Highly Reusable SLA Compliance Auditing Framework. In A. Clemm, L. Granville, & R. Stadler (Eds.), Managing Virtualization of Networks and Services (Vol. 4785, pp. 203–215, Lecture Notes in Computer Science): Springer Berlin Heidelberg.
Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004). Design science in information systems research. MIS Quarterly, 28(1), 75–105.
Hoffmann, J., Weber, I., & Governatori, G. (2012). On compliance checking for clausal constraints in annotated process models. Information Systems Frontiers, 14(2), 155–177. doi:10.1007/s10796-009-9179-7.
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54–60. doi:10.1145/1953122.1953142.
Jones, D. M., Bench-Capon, T. J. M., & Visser, P. R. S. (1998) Methodologies for Ontology Development. In ITi and KNOWS Conference of the 15th IFIP World Computer Congress, Chapman-Hall, (pp. 62–75)
Kim, H. M., Fox, M. S., & Sengupta, A. (2007). How to Build Enterprise Data Models to Achieve Compliance to Standards or Regulatory Requirements (and share data). Journal of the Association for Information Systems, 8(2), 105–128.
Knight, K., & Luk, S. K. (1994). Building a Large-Scale Knowledge Base for Machine Translation. Paper presented at the Proceedings of the Twelfth National Conference on Artificial Intelligence (vol. 1), Seattle, Washington, United States.
KPMG (2005a). The compliance journey: Balancing risk and controls with business improvement. KPMG Advisory.
KPMG (2005b). The compliance journey:Making compliance sustainable. KPMG International.
KPMG (2006). The compliance journey: Leveraging information technology to reduce costs and improve responsiveness. KPMG International.
KPMG (2007). Compliance framework. KPMG International.
KPMG (2008). Understanding and articulating risk appetite. KPMG International.
Lahti, C., Lanza, S., & Peterson, R. (2005). Sarbanes-oxley IT compliance using COBIT and open source tools: Syngress publishing.
Leukel, J., & Sugumaran, V. (2009). Towards a semiotic metrics suite for product ontology evaluation. Intelligent Information Technologies, 5(4), 1–15. doi:10.4018/jiit.2009080701.
Lim, S. C. J., Liu, Y., & Lee, W. B. (2011). A methodology for building a semantically annotated multi-faceted ontology for product family modelling. Advanced Engineering Informatics, 25(2), 147–161. doi:10.1016/j.aei.2010.07.005.
Lu, R., Sadiq, S., & Governatori, G. (2008). Measurement of compliance distance in business work practice. Information Systems Management, 25(4), 344–355.
Mathieson, K. (1991). Predicting user intentions: comparing the technology acceptance model with the theory of planned behavior. Information Systems Research, 2(3), 173–191. doi:10.1287/isre.2.3.173.
McClure, D., Caldwell, F., & Bittinger, S. (2009). An Overall Risk and Compliance Management Framework for Government Agencies. Gartner Industry Research (31 March 2009 ed.): Gartner, Inc.
McCorkell, P. L. (1998). EU data protection directive. Credit World, 86, 5–6.
Mellouli, S., Bouslama, F., & Akande, A. (2010). An ontology for representing financial headline news. Web Semantic, 8(2–3), 203–208. doi:10.1016/j.websem.2010.02.001.
Mitchell, S. L., & Switzer, C. S. (2009). GRC Capability Model "Red Book" 2.0: Open Compliance & Ethics Group (OCEG).
Mont, M. C., & Thyne, R. (2008). Privacy policy enforcement in enterprises with identity management solutions. Journal of Computer Security, 16, 133–163. doi:10.1145/1501434.1501465.
Mount, S. (1993). The privacy act 1993. Auckland University Law Review, 7, 408.
Nawoj, A., & Goniak, M. (2004, Ontology development challenges and applications using DARPA agen markup language (DAML). IAnewsletter
Noy, N. F., & McGuinness, D. L. (2001). Ontology Development 101: A Guide to Creating Your First Ontology. Stanford Knowledge Systems Laboratory Technical Report KSL-01-05 and Stanford Medical Informatics Technical Report SMI-2001-0880. Stanford: Stanford University.
OCEG (2011). GRC Technology Solutions Guide Version 2.1. OCEG.
Opdahl, A. L., & Henderson-Sellers, B. (2002). Ontological evaluation of the UML using the bunge–wand–weber model. Software and Systems Modeling, 1(1), 43–67. doi:10.1007/s10270-002-0003-9.
Pacini, C., & Barker, K. (2010). The fair credit reporting act. The CPA Journal, 80, 60–63.
Paredes-Moreno, A., Martínez-López, F. J., & Schwartz, D. G. (2010). A methodology for the semi-automatic creation of data-driven detailed business ontologies. Information Systems, 35(7), 758–773. doi:10.1016/j.is.2010.03.002.
Pershkow, B. I. (2003). Sarbanes-oxley: investment company compliance. The Journal of Investment Compliance, 3(4), 16–30.
Pinto, H. S., Gómez-Pérez, A., & Martins, J. P. (1999). Some Issues on Ontology Integration. In Proceedings of the IJCAI-99 Workshop on Ontologies and Problem-Solving Methods
Pinto, H. S., & Martins, J. P. (2001). A Methodology for Ontology Integration. Paper presented at the Proceedings of the 1st International Conference on Knowledge Capture, Victoria, British Columbia, Canada,
Pinto, H. S., & Martins, J. P. (2004). Ontologies: how can they be built? Knowledge and Information Systems, 6(4), 441–464. doi:10.1007/s10115-003-0138-1.
Porzel, R., & Malaka, R. (2004) A Task-based Approach for Ontology Evaluation. In ECAI Workshop on Ontology Learning and Population, (pp. 7–12)
Protiviti (2013). Growing with governance, risk and compliance (GRC) solutions: Avoiding common pitfalls to maximize GRC solutions. United States: Protiviti Inc..
Pulido, J. R. G., Ruiz, M. A. G., Herrera, R., Cabello, E., Legrand, S., & Elliman, D. (2006). Ontology languages for the semantic web: a never completely updated review. Knowledge-Based Systems, 19(7), 489–497. doi:10.1016/j.knosys.2006.04.013.
Recker, J., Indulska, M., Rosemann, M., & Green, P. (2005) Do Process Modelling Techniques Get Better? A Comparative Ontological Analysis of BPMN. In B. Campbell, J. Underwood, & D. Bunker (Eds.), 16th Australasian Conference on Information Systems, Sydney, Australia, November 30 - December 2, 2005
S. Smith, D. Bunker, V. Pang. (2006) Does Agency Size affect IS Security Compliance for E-government? In The Tenth Pacific Asia Conference on Information Systems (PACIS 2006)
Sadiq, S., Governatori, G., & Naimiri, K. (2007). Modeling Control Objectives for Business Process Compliance. In 5th International Conference on Business Process Management, Brisbane, Australia, Sept 2007 2007: Springer-Verlag
Schwaig, K. S., Kane, G. C., & Storey, V. C. (2006). Compliance to the fair information practices: how are the fortune 500 handling online privacy disclosures? Information Management, 43, 805–820.
Sekaran, U., & Bougie, R. (2010). Research methods for business: A skill building approach: John wiley & sons.
Shanks, G., Tansley, E., Nuredini, J., Tobin, D., & Weber, R. (2008). Representing part-whole relations in conceptual modeling: an empirical evaluation. MIS Quarterly, 32(3), 553–573.
Smith, B., Williams, J., & Steffen, S. K. (2003). The Ontology of the Gene Ontology. In AMIA Annual Symposium Proceedings, 2003 (Vol. 2003, pp. 609)
Smith, H. A., & McKeen, J. D. (2006). Developments in practice XXI: IT in the new world of corporate governance reforms. Communications of the Association FOR Information Systems, Volume 17, 714-727.
Standards Australia. (2006). AS 3806:2006 compliance programs. (pp. 25). Sydney, Australia: Standards Australia.
Standards Australia, & Zealand, S. N. (2009). AS/NZS ISO 31000:2009 risk management - principles and guidelines. (pp. 24). Sydney, Australia & Wellington, New Zealand: Standards Australia & Standards New Zealand.
Sure, Y., Staab, S., & Studer, R. (2009). Ontology Engineering Methodology. In S. Staab, & D. Rudi Studer (Eds.), Handbook on Ontologies (pp. 135–152, International Handbooks on Information Systems): Springer Berlin Heidelberg.
Syed Abdullah, N., Indulska, M., & Sadiq, S. (2009). A Study of Compliance Management in Information Systems Research. Paper presented at the The 17th European Conference on Information Systems (ECIS2009), Verona, Italy, 8–10 June
Syed Abdullah, N., Sadiq, S., & Indulska, M. (2010b). Emerging Challenges in Information Systems Research for Regulatory Compliance Management. In B. Pernici (Ed.), Advanced Information Systems Engineering (Vol. 6051, pp. 251–265, Lecture Notes in Computer Science): Springer Berlin/Heidelberg.
Syed Abdullah, N., Sadiq, S., & Indulska, M. (2010b). Information Systems Research: Aligning to Industry Challenges in Management of Regulatory Compliance. Paper presented at the Proceedings of the Pacific Asia Conference on Information Systems Engineering (PACIS 2010a), Taipei, Taiwan,
Syed Abdullah, N., Sadiq, S., & Indulska, M. (2011). A Framework for Industry-Relevant Ontology Development. Paper presented at the Proceedings of the 22nd Australasian Conference on Information Systems (ACIS 2011), Sydney, Australia, 29 November - 2 December 2011
Tan, Y.-H., & Thoen, W. (2000). INCAS: a legal expert system for contract terms in electronic commerce. Decision Support Systems, 29(4), 389–411. doi:10.1016/S0167-9236(00)00085-3.
Taylor, S., & Todd, P. A. (1995). Understanding information technology usage: a test of competing models. Information Systems Research, 6(2), 144–176. doi:10.1287/isre.6.2.144.
Uschold, M. (1996). Building Ontologies: Towards a Unified Methodology. In 16th Annual Conf. of the British Computer Society Specialist Group on Expert Systems, 1996 1996. doi:citeulike-article-id:1244396.
Uschold, M., & King, M. (1995). Towards a Methodology for Building Ontologies. Paper presented at the Workshop on Basic Ontological Issues in Knowledge Sharing, held in conduction with IJCAI-95, Montreal, Canada,
Velardi, P., Missikoff, M., & Basili, R. (2001). Identification of relevant terms to support the construction of domain ontologies. Toulouse, France: Paper presented at the Proceedings of the Workshop on Human Language Technology and Knowledge Management.
Venkatesh, V. (2000). Determinants of perceived ease of use: integrating control, intrinsic motivation, and emotion into the technology acceptance model. Information Systems Research, 11(4), 342–365. doi:10.1287/isre.11.4.342.11872.
Venkatesh, V., & Bala, H. (2008). Technology acceptance model 3 and a research agenda on interventions. Decision Sciences, 39, 273–315. doi:10.1111/j.1540-5915.2008.00192.x.
Viera, A. J., & Garrett, J. M. (2005). Understanding interobserver agreement: the kappa statistic. Family Medicine, 37(5), 360–363.
Volonino, L. (2003). Electronic evidence and computer forensics. Communications of the Association for Information Systems, 12, 457–468.
W3C OWL Working Group (2009). OWL 2 Web Ontology Language - Document Overview. (Recommendation REC-owl2-overview-20091027 ed.): World Wide Web Consortium.
Weber, R. (1997). Ontological foundations of information systems. Melbourne, Australia: Coopers & Lybrand and the Accounting Association of Australia and New Zealand.
WenJun, W., CunXiang, D., & Peng, Y. (2009). Ontology Modeling of Emergency Plan Systems. Paper presented at the Proceedings of the 6th International Conference on Fuzzy Systems and Knowledge Discovery - Volume 2, Tianjin, China.
Wenk, M. S. (2005). Interrelationships between BS 7750 and the EMAS Program. In The European Union’s Eco-Management and Audit Scheme (EMAS) (Vol. 16, pp. 5–8, Eco-Efficiency in Industry and Science): Springer Netherlands.
Williams, B. J., & King, M. S. (2004). Implementing Voting Systems: The Georgia Method. Communications of the ACM, 47(10), 39–42.
Wood, J. M. (2007). Understanding and computing cohen’s kappa: a tutorial. WebPsychEmpiricist
Yin, R. K. (2009). Case study research: Design and methods (fourth (Edition ed., ). California: SAGE Publications.
Zeshan, F., & Mohamad, R. (2012). Medical ontology in the dynamic healthcare environment. Procedia Computer Science, 10(0), 340–348, doi:10.1016/j.procs.2012.06.045.
Author information
Authors and Affiliations
Corresponding author
Appendix A
Appendix A
Overview of the structure and content of CoMOn (used for Ontology Validation)
1.1 Appendix B
Rights and permissions
About this article
Cite this article
Abdullah, N.S., Indulska, M. & Sadiq, S. Compliance management ontology – a shared conceptualization for research and practice in compliance management. Inf Syst Front 18, 995–1020 (2016). https://doi.org/10.1007/s10796-016-9631-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-016-9631-4