Modeling Control Objectives for Business Process Compliance

  • Shazia Sadiq
  • Guido Governatori
  • Kioumars Namiri
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4714)


Business process design is primarily driven by process improvement objectives. However, the role of control objectives stemming from regulations and standards is becoming increasingly important for businesses in light of recent events that led to some of the largest scandals in corporate history. As organizations strive to meet compliance agendas, there is an evident need to provide systematic approaches that assist in the understanding of the interplay between (often conflicting) business and control objectives during business process design. In this paper, our objective is twofold. We will firstly present a research agenda in the space of business process compliance, identifying major technical and organizational challenges. We then tackle a part of the overall problem space, which deals with the effective modeling of control objectives and subsequently their propagation onto business process models. Control objective modeling is proposed through a specialized modal logic based on normative systems theory, and the visualization of control objectives on business process models is achieved procedurally. The proposed approach is demonstrated in the context of a purchase-to-pay scenario.


Compliance Risk Internal Controls Business Process Design 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    van der Aalst, W.M.P., van Dongen, B.F., Herbst, J., Maruster, L., Schimm, G., Weijters, A.J.M.M.: Workflow Mining: A Survey of Issues and Approaches. Data & Knowledge Engineering 47, 237–267 (2003)CrossRefGoogle Scholar
  2. 2.
    Alberti, M., Chesani, F., Gavanelli, M., Lamma, E., Mello, P., Torroni, P.: Compliance verification of agent interaction: A logic based tool. Applied Artificial Intelligence 20(2-4), 133–157 (2006)CrossRefGoogle Scholar
  3. 3.
    Antoniou, G., Billington, D., Governatori, G., Maher, M.J.: Representation results for defeasible logic. ACM Transactions on Computational Logic 2(2), 255–287 (2001)CrossRefGoogle Scholar
  4. 4.
    BPM Forum CEE: The Future. Building the Compliance Enabled Enterprise. Report produced by GlobalFluency in partnership with: AXS-One, Chief Executive Magazine and IT Compliance Institute (2006)Google Scholar
  5. 5.
    Carmo, J., Jones, A.J.I.: Deontic Logic and Contrary-to-Duties. In: Handbook of Philosophical Logic, 2nd edn., vol. 8, pp. 265–344. Kluwer, Dordrecht (2002)Google Scholar
  6. 6.
    COSO - The Committee of Sponsoring Organizations of the Treadway Commission Internal Control – Integrated Framework (May 1994)Google Scholar
  7. 7.
    Desai, N., Mallya, A.U., Chopra, A.K., Singh, M.P.: Interaction Protocols as Design Abstractions for Business Processes. IEEE Transaction on Software Engineering 31(12), 1015–1027 (2005)CrossRefGoogle Scholar
  8. 8.
    Dignum, V., Vázquez-Salceda, J., Dignum, F.: OMNI: Introducing Social Structure, Norms and Ontologies into Agent Organizations. In: Bordini, R.H., Dastani, M., Dix, J., Seghrouchni, A.E.F. (eds.) Programming Multi-Agent Systems. LNCS (LNAI), vol. 3346, pp. 181–198. Springer, Heidelberg (2005)Google Scholar
  9. 9.
    Farrell, D.H., Sergot, M.J., Sallé, M., Bartolini, C.: Using the event calculus for tracking the normative state in contracts. International Journal of Cooperative Information Systems 14(2-3), 99–129 (2005)CrossRefGoogle Scholar
  10. 10.
    Giblin, C., Muller, S., Pfitzmann, B.: From regulatory policies to event monitoring rules: Towards model driven compliance automation. IBM Research Report. Zurich Research Laboratory (October 2006)Google Scholar
  11. 11.
    Goedertier, S., Vanthienen, J.: Designing Compliant Business Processes with Obligations and Permissions. In: Eder, J., Dustdar, S. (eds.) Business Process Management Workshops. LNCS, vol. 4103, pp. 5–14. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: Proceedings of the 10th IEEE Conference on Enterprise Distributed Object Computing, Hong Kong, October 16-20, 2006, pp. 16–20. IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  13. 13.
    Governatori, G.: Representing Business Contracts in RuleML. International Journal of Cooperative Information Systems 14(2-3), 181–216 (2005)CrossRefGoogle Scholar
  14. 14.
    Governatori, G., Rotolo, A.: Logic of Violations: A Gentzen System for Reasoning on Contrary-To-Duty Obligations. Australasian Journal of Logic 4, 193–215 (2006)zbMATHGoogle Scholar
  15. 15.
    Governatori, G., Milosevic, Z.: A Formal Analysis of a Business Contract Language. International Journal of Cooperative Information Systems 15(4), 659–685 (2006)CrossRefGoogle Scholar
  16. 16.
    Governatori, G., Rotolo, A., Sartor, G.: Temporalised normative positions in defeasible logic. In: Gardner, A. (ed.) Procedings of the 10th International Conference on Artificial Intelligence and Law, pp. 25–34. ACM Press, New York (2005)CrossRefGoogle Scholar
  17. 17.
    Hagerty, J.: SOX Spending for 2006. AMR Research, Boston USA. (November 29, 2007)Google Scholar
  18. 18.
    Pesic, M., van der Aalst, W.M.P.: A Declarative Approach for Flexible Business Processes. In: Eder, J., Dustdar, S. (eds.) Business Process Management Workshops. LNCS, vol. 4103, pp. 169–180. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Sartor, G.: Legal Reasoning: A Cognitive Approach to the Law. Springer, Heidelberg (2005)Google Scholar
  20. 20.
    Sadiq, S., Sadiq, W., Orlowska, M.: A Framework for Constraint Specification and Validation in Flexible Workflows. Information Systems 30(5), 349–378 (2005)CrossRefGoogle Scholar
  21. 21.
    Padmanabhan, V., Governatori, G., Sadiq, S., Colomb, R., Rotolo, A.: Process Modeling: The Deontic Way. In: Stumptner, M., Hartmann, S., Kiyoki, Y. (eds.) Australia-Pacific Conference on Conceptual Modeling 2006, CRPIT, vol. 53, pp. 75–84 (2006)Google Scholar
  22. 22.
    zur Muehlen, M., Rosemann, M.: Integrating Risks in Business Process Models. In: 16th Australasian Conference on Information Systems. November 29 – December 2, Sydney, Australia (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Shazia Sadiq
    • 1
  • Guido Governatori
    • 1
  • Kioumars Namiri
    • 2
  1. 1.School of Information Technology and Electrical Engineering, The University of Queensland, St Lucia QLD 4072., BrisbaneAustralia
  2. 2.SAP Research Centre CEC Karlsruhe, SAP AG, Vincenz-Prießnitz-Str.1, 76131 KarlsruheGermany

Personalised recommendations