Business Control Management – A Discipline to Ensure Regulatory Compliance of SOA Applications

  • Axel Martens
  • Francisco Curbera
  • Nirmal K. Mukhi
  • Aleksander Slominski
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 66)


The success of today’s business operations depends largely on the ability to react to changing factors of influence. With the increasing distribution and heterogeneity of enterprise applications, the challenge is to gain and sustain oversight and to manage the different aspects of business operations systematically. Many disciplines and best practices have been established: On the infrastructure level, Service oriented architectures provide a common base to compose distributed applications. On the operational level, business process management provides high level visibility of end-to-end transactions. On the information level, master data management aggregates and consolidates data throughout the organization. There is, however, an aspect that is becoming more and more relevant but still lacks a proper discipline: Regulatory compliance of business operations. The pressure to prove compliance with legal obligations and industry wide requirements has risen tremendously in recent years – and in light of the ongoing economic crises it is likely to rise further. To address this gap, this paper presents a systematic development method to define, deploy and monitor business controls across a distributed enterprise application. First, we establish a repository of obligations that keeps track of the dependencies between processes, data, applications, and regulations. Second, we define and deploy operational controls as a set of services to gather, classify and correlate information. Finally, we provide end-to-end visibility of the business transactions for monitoring and reporting.


Regulatory compliance CMS Continuous assurance Provenance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Curbera, F., Doganata, Y., Martens, A., Mukhi, N., Slominski, A.: Business Provenance - A Technology to Increase Traceability of End-to-End Operations. In: Proceedings of Coopis 2008. LNCS, vol. 5331. Springer, Heidelberg (2008)Google Scholar
  2. 2.
    Committee of Sponsoring Organizations of the Treadway Commission:Enterprise Risk Management – Integrated Framework (2004),
  3. 3.
    Agrawal, R., Johnson, C., Kiernan, J., Leymann, F.: Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology. In: Proceedings of the 22nd Conference on Data Engineering, ICDE. IEEE Computer Society, Washington, DC (2006)Google Scholar
  4. 4.
    Christopher, G., Müller, S., Pfitzmann, B.: From Regulatory Policies to Event Monitoring Rules: Towards Model-Driven Compliance Automation. IBM Research Report RZ 3662, IBM Zurich Research Laboratory (2006)Google Scholar
  5. 5.
    Lu, R., Sadiq, S., Governatori, G.: Compliance Aware Business Process Design. In: ter Hofstede, A.H.M., Benatallah, B., Paik, H.-Y. (eds.) BPM Workshops 2007. LNCS, vol. 4928, pp. 120–131. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Goedertier, S., Vanthienen, J.: Designing Compliant Business Processes with Obligations and Permissions. In: Eder, J., Dustdar, S. (eds.) BPM Workshops 2006. LNCS, vol. 4103, pp. 5–14. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: Proceedings of the 10th IEEE Conference on Enterprise Distributed Object Computing, EDOC. IEEE Computer Society, Washington, DC (2006)Google Scholar
  8. 8.
    Namiri, K., Stojanovic, N.: A Formal Approach for Internal Controls Compliance in Business Processes. In: Proceedings of 8th Workshop on Business Process Modeling, Development, and Support (BPMDS 2007), Trondheim, Norway (2007)Google Scholar
  9. 9.
    Verver, J.: Building and Implementing a Continuous Controls Monitoring and Auditing Framework, ACL Services Ltd. (2005)Google Scholar
  10. 10.
    Brown, R.L.: The SOA road to sustainable risk and control management. IBM White Paper (January 2007),
  11. 11.
    Ferrucci, D., Lally, A.: Building an example application with the Unstructured Information Management Architecture. IBM Systems Journal 43(3), 455–475 (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Axel Martens
    • 1
  • Francisco Curbera
    • 1
  • Nirmal K. Mukhi
    • 1
  • Aleksander Slominski
    • 1
  1. 1.IBM T J Watson Research CenterHawthorneUSA

Personalised recommendations