Abstract
Business Process Compliance refers to the conformance of a business process with the policies, regulations and rules that govern the organization. Business processes in fields such as health care, insurance, finance and online trade must adhere to a large number of compliance requirements, constraints and quality policies from various sources. Lack of compliance may result in huge compensations and loss of customers and reputation. Compliance issues can be handled either retrospectively, i.e. after non-compliant situations are observed, or proactively, i.e. by anticipating the possibilities that lead to non-compliant circumstances during process execution, which may prevent deviations from occurring and thus save on compensation effects. Hence compliance management tasks need to be incorporated into each phase of the life cycle of a business process. In this article we discuss, based on existing literature, contemporary activities in the life cycle of compliance management in business processes, which involve compliance elicitation, compliance formalization, compliance implementation, compliance verification and compliance improvement. We also discuss Compliance Monitoring Functionalities (CMFs), which may be used to categorize and assess existing compliance management approaches and frameworks.
Copyright information
© 2019 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Saralaya, S., Saralaya, V., D’Souza, R. (2019). Compliance Management in Business Processes. In: Patnaik, S., Yang, XS., Tavana, M., Popentiu-Vlădicescu, F., Qiao, F. (eds) Digital Business. Lecture Notes on Data Engineering and Communications Technologies, vol 21. Springer, Cham. https://doi.org/10.1007/978-3-319-93940-7_3
DOI: https://doi.org/10.1007/978-3-319-93940-7_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93939-1
Online ISBN: 978-3-319-93940-7
eBook Packages: Intelligent Technologies and Robotics (R0)