Managing Regulatory Compliance in Business Processes

  • Shazia SadiqEmail author
  • Guido Governatori
Part of the International Handbooks on Information Systems book series (INFOSYS)


The ever-increasing obligations of regulatory compliance are presenting a new breed of challenges for organizations across several industry sectors. Aligning control objectives that stem from regulations and legislation with business objectives devised for improved business performance is a foremost challenge. The organizational as well as IT structures for the two classes of objectives are often distinct and potentially in conflict. In this chapter, we present an overarching methodology for aligning business and control objectives. The various phases of the methodology are then used as a basis for discussing state-of-the-art in compliance management. Contributions from research and academia as well as industry solutions are discussed. The chapter concludes with a discussion on the role of BPM as a driver for regulatory compliance and a presentation of open questions and challenges.


Business Process Control Objective Business Process Management Business Process Model Business Objective 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Agrawal R, Johnson C, Kiernan J, Leymann F (2006) Taming compliance with sarbanes-oxley internal controls using database technology. In: Proceedings of the 22nd International conference on data engineering, 2006. Atlanta, GA, USA, IEEE Computer SocietyGoogle Scholar
  2. Alberti M, Chesani F, Gavanelli M, Lamma E, Mello P, Torroni P (2006) Compliance verification of agent interaction: a logic based tool. Appl Artif Int 20(2–4):133–157CrossRefGoogle Scholar
  3. ASX (2006) Australian securities exchange principles of good governance, recommendation 7.1, Nov. 2006. (last accesses June 01, 2008)
  4. AUSTRAC (2006) Australian transaction reports and analysis centre supervisory framework. Accessed 01 Jun 2008)
  5. BPM Forum (2006) CEE: the future. Building the compliance enabled enterprise. Report produced by global fluency in partnership with: AXS-One, chief executive magazine and IT compliance instituteGoogle Scholar
  6. Caldwell F, Eid T (2007) Magic quadrant for finance governance, risk and compliance management software, 2007. Gartner RAS Core Research Note G00145150, 1 Feb 2007, RS196 0906 2007Google Scholar
  7. Caldwell F, Eid T (2008) Magic quadrant for enterprise governance, risk and compliance platforms. ID. G00158295. June 2008. Gartner ResearchGoogle Scholar
  8. Carmo J, Jones AJ (2002) Deontic logic and contrary to duties. In: Gabbay D, Guenther F (eds.) Handbook of Philosophical Logic, 2nd edn., vol. 8, pp 265–343Google Scholar
  9. COSO –The committee of sponsoring organizations of the treadway commission (1994) Internal control – integrated framework. May 1994Google Scholar
  10. Desai N, Mallya AU, Chopra AK, Singh MP (2005) Interaction protocols as design abstractions for business processes. IEEE Trans Softw Eng 31(12):1015–1027CrossRefGoogle Scholar
  11. Desai N, Nanjangud NC, Singh MP (2008) Checking correctness of business contracts via commitments. In: Padgham L, Parkes DC, Müller J, Parsons S (eds) Proceedings of 7th International conference on autonomous agents and multiagent systems (AAMAS2008), Estoril, Portugal, 12–16 May 2008Google Scholar
  12. Farrell ADH, Sergot MJ, Sallé M, Bartolini C (2005) Using the event-calculus for tracking the normative state in contracts. Int J Coop Infor Syst 14(2–3):99–129CrossRefGoogle Scholar
  13. Giblin C, Muller S, Pfitzmann B (2006) From regulatory policies to event monitoring rules: towards model driven compliance automation. IBM Research Report. Zurich Research LaboratoryGoogle Scholar
  14. Goedertier S, Vanthienen J (2006) Designing compliant business processes with obligations and permissions. In Eder J, Dustdar S et al. (eds) Proceedings of workshop on business process design, Springer, Vienna, Austria, pp 5–14, LNCS 4103Google Scholar
  15. Governatori G (2005) Representing business contracts in RuleML. Int J Coop Infor Syst 14(2–3):181–216CrossRefGoogle Scholar
  16. Governatori G, Milosevic Z (2006) A formal analysis of a business contract language. Int J Coop Infor Syst 15(4):659–685CrossRefGoogle Scholar
  17. Governatori G, Rotolo A (2006) Logic of violations: a gentzen system for reasoning on contrary-to-duty obligations. Austral J Logic 4:193–215Google Scholar
  18. Governatori G, Rotolo A, Sartor G (2005) Temporalised normative positions in defeasible logic. In: Gardner A (ed) Proceedings of the 10th International conference on artificial intelligence and law, ACM Press, pp 25–34Google Scholar
  19. Governatori G, Milosevic Z, Sadiq S (2006) Compliance checking between business processes and business contracts. In: Proceedings of the 10th IEEE conference on enterprise distributed object computing, Hong KongGoogle Scholar
  20. Governatori G, Hoffmann J, Sadiq S, Weber, I (2008) Detecting regulatory compliance for business process models through semantic annotations. In: 4th International workshop on business process design (BPD'08). In conjunction with the 6th International Conference on Business Process Management, Milan, Italy. pp 1-4Google Scholar
  21. Hagerty J, Hackbush J, Gaughan D, Jacobson S (2008) The governance, risk management, and compliance spending report, 2008–2009: Inside the $32B GRC Market. March 25, 2008. AMR Research, Boston USAGoogle Scholar
  22. Kuster J, Ryndina K, Gall H (2007) Generation of business process models for object life cycle. In: Proceedings of the 5th International conference on business process management. Springer, Brisbane, Australia, pp 165–180Google Scholar
  23. KPMG Advisory (2005) The compliance journey: balancing risk and controls with business improvementGoogle Scholar
  24. Liu Y, Muller S, Xu K (2007) A static compliance checking framework for business process models. IBM Syst J 46:335–361CrossRefGoogle Scholar
  25. Lu R, Sadiq S, Governatori G (2008) Compliance aware business process design. Third International workshop on business process design (BPD'07). In: conjunction with the 5th International conference on business process management, 24–28 September 2007. Springer Berlin, LNCS Volume 4928/2008, pp 120–131Google Scholar
  26. Neiger D, Churilov L, zur Mühlen M, Rosemann M (2006) Integrating risks in business process models with value focused process engineering. In: Proceedings of the 2006 European conference on information systems (ECIS 2006), Goteborg, Sweden, 12–14 June 2006Google Scholar
  27. Padmanabhan V, Governatori G, Sadiq S, Colomb R, Rotolo A (2006) Process modeling: the deontic way. In Stumptner M, Hartmann S, Kiyoki Y (eds) Australia–Pacific conference on conceptual modeling, pp 75–84, CRPIT 53Google Scholar
  28. Pesic M, van der Aalst WMP (2006) A declarative approach for flexible business processes. In: Eder J, Dustdar S (eds) Business process management workshops, workshop on dynamic process management (DPM 2006), volume 4103 of Lecture notes in computer science. Springer-Verlag, Berlin, pp 169–180Google Scholar
  29. Sadiq S, Sadiq W, Orlowska M (2005) A framework for constraint specification and validation in flexible workflows. Inf Syst 30(5):349–378CrossRefGoogle Scholar
  30. Sadiq S, Governatori G, Naimiri K (2007) Modeling control objectives for business process compliance. In: Proceedings of the 5th International conference on business process management, Springer, Brisbane, Australia, pp 149–164Google Scholar
  31. Sartor G (2005) Legal reasoning: a cognitive approach to the law. Springer, BerlinGoogle Scholar
  32. van der Aalst WMP, van Dongen BF, Herbst J, Maruster L, Schimm G, Weijters AJMM (2003) Workflow mining: a survey of issues and approaches. Data Knowl Eng 47:237–267CrossRefGoogle Scholar
  33. van der Aalst WMP, Alves de Medeiros AK, Weijters AJMM (2006) Process equivalence: comparing two process models based on observed behavior. In: Proceedings of the 4th International conference on business process management, Vienna, Austria, 2007. Springer, pp 129–144Google Scholar
  34. van Dongen BF, de Medeiros AKA, Verbeek HMW, Weijters AJMM, van der Aalst WMP (2005) The ProM Framework: a new era in process mining tool support. In: Proceedings of 26th International conference applications and theory of petri nets, Springer, Miami, USA, pp 444–454Google Scholar
  35. zur Mühlen M, Rosemann M (2005) Integrating risks in business process models. In: Proceedings of 16th Australasian conference on information systems. Sydney, AustraliaGoogle Scholar
  36. zur Mühlen M, Indulska M, Kamp G (2007) Business process and business rule modelling languages for compliance management: a representational analysis. In: 26th International Conference on Conceptual Modelling – ER2007 –Tutorials, Posters, Panels and Industrial Contributions, Auckland, New ZealandGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.School of Information Technology and Electrical EngineeringThe University of QueenslandBrisbaneAustralia

Personalised recommendations