1 Introduction

The ongoing globalization and international trade gave rise to organizations that must comply with ever more complex regulations such as Sarbanes-Oxley [32], also known as the “Public Company Accounting Reform and Investor Protection Act”, and Basel III [7], a global regulatory standard on bank capital adequacy, stress testing and liquidity risk. Digitization of society enabled new vulnerabilities such as malware, identity theft or fraud. This applies especially to large banking conglomerates, “too large to fail”, in the light of financial instability and global sovereign debts. A similar challenge is found in high-risk organizations such as power plants and chemical refineries, where extremely rigorous compliance with regulations and policies, as well as the identification, containment and mitigation of risks, are of utmost importance.

These kinds of challenges in multidisciplinary research are captured by the term “Governance, Risk management, and Compliance” (GRC). Racz et al. [29] observe that this field is still very immature and lacks well-defined shared concepts, definitions and theories. Their framework for GRC and its definitions are found suitable by Verwaest [34] for well-founded scientific research and are adopted in this research.

Governance involves generic principles, guidelines, and decisions made by the board for ethical criteria, transparency, protection of reputation and proper treatment of the interests of all stakeholders. It also includes operational supervision of the way these principles, guidelines and decisions are being implemented by the management and if necessary, ad hoc adjustments are made.

Risk denotes any situation or event that may cause harm to the enterprise or any of its stakeholders. In this research we focus on risks that arise from the operation of the enterprise, i.e., human actors following business processes. Financial risks related to stock exchange, currencies etc., are out of scope. Risk involves identifying specific situations in the execution of business procedures and mitigating any consequences, at (business process) design time, runtime and real-time.

Compliance is the implementation of all externally imposed (legal) regulations in day-to-day operation. Violation of compliance exposes the enterprise to legal sanctions and claims of customers and third parties.

In this work we derive certain generic and reusable design principles for GRC. The main challenge is that the daily execution of business procedures should deliver services in such a way that GRC, efficiency and effectiveness topics are well addressed. A new approach, the Enterprise Operational Analysis (EOA), is proposed to support the engineering of enterprises that adhere to these GRC principles. EOA combines process mining with DEMO and the Enterprise Operating System (EOS). EOA provides complete transparency of the daily operation, guarantees completeness and correctness, and supports real-time monitoring and analysis.

The paper is structured as follows: Sect. 2 describes generic and reusable principles of GRC. Section 3 describes state-of-the-art process mining. Section 4 elaborates the problem definition. Section 5 describes the Enterprise Operational Analysis Approach. Section 6 describes a professional business case. Section 7 discusses conclusions and further research.

2 GRC Principles

Given the analysis results of domain-specific foundations of GRC, we derive certain generic reusable design principles of GRC, in addition to the Racz framework [29].

Principle 1: Business-Process Driven. The operation of the enterprise is fully defined by business processes. Since enterprises are complex entities, there are several important quality criteria for the way business processes are defined and specified. Most state-of-the-art BPM methodologies, however, are not adequate [27]. Hence, there is a need for a high-quality engineering methodology to develop and model business procedures, based on a domain ontology, that provides a complete design of an enterprise and overcomes the many problems associated with state-of-the-art BPM modeling methods [27]; this is further elaborated in Sect. 5.

Principle 2: Design for GRC. Engineering of business processes should meet the GRC quality criteria and provide a good degree of efficiency and effectiveness. This principle states that business processes must be well designed in a functional sense. This can be achieved only if business process models are constructed and assessed for the GRC quality criteria at design time. An empirical validation is performed using model simulation, before the system is put into operation. Shared reasoning by stakeholders is used to investigate compliance, risk conditions with mitigations and application of general governance principles. If necessary, business procedures are altered and improved, which is a specific design science cycle [22, 23]. In addition to meeting the GRC quality criteria, the daily operation must be effective and efficient. This encompasses topics such as product or service quality, customer satisfaction, production costs and resource utilization, minimizing service time and errors, transparency of production and employees.

Principle 3: Prescriptive Control. Prescriptive control of the enterprise operation, compliant with the business processes, is put in place. This principle states that any actor of the enterprise must obey the business procedures, i.e., operate within the allowed state space of the business process. It must be technically impossible for any actor to deviate from the business process. This is one of the capabilities achieved by the Enterprise Operating System (EOS) [19], providing enterprise control [18], elaborated in Sect. 5.

Principle 4: Enterprise Operational Analysis. The operation of the enterprise in full production must be well monitored and analyzed. The appropriate, complete and correct monitoring and analysis of the operation of the enterprise using state-of-the-art process mining at runtime is called Enterprise Operational Analysis (EOA) and is expressed by this principle (see Sect. 5). With these procedures in place, it is possible to detect, predict, intervene, and prevent noncompliant behavior from taking place.

Principle 5: Enterprise Operational Control. Changing regulations, new market strategies, improved insight into business procedures or the need for any improvements require the daily operation of the organization to be adapted accordingly. This requires a redesign of the business process models, including validation and renewed deployment. This should be a recurring operation, elaborated in Sect. 5. With these capabilities the goal of operational control for organizations has been achieved. It is in fact a classic control system [15] in which the organization is subjected to subsequent incremental improvements.

To address GRC, efficiency and effectiveness challenges, EOA is a mandatory capability. Without it one is operating almost in the dark, without knowing what is really happening: management cannot control, steer or improve the enterprise and the operation is prone to failure. Without it, the goal of operational control, the ongoing cycle of designing, implementing, bringing into operation, cannot be reached.

3 State-of-the-Art Process Mining

The extraction of process knowledge from transactional data as registered by corporate systems is commonly known as process mining [1]. The input for process mining is an event log that captures digital footprints on cases being executed in the process. Process mining algorithms consider activities, instances and frequencies to compute the underlying process model. Various algorithms have been developed, e.g. [5, 6, 13, 21, 35], taking different perspectives with respect to dealing with frequencies, incompleteness of data, large and real event logs, support for various workflow patterns, overfitting, underfitting, top-down or bottom-up approach, etc. Some of the latest research includes addressing mining the evolution of a drifting process [8] and reducing complexity of mined declarative process models [28, 30].

Van der Aalst et al. [3] distinguish three types of process mining: (i) discovery of the actual process model without prior knowledge; (ii) conformance of the process model and its performance with a previously known reference model; (iii) enhancement of a previously known process model with process knowledge. They also consider different perspectives for mining: control-flow, organization, case and time. Process mining allows for operational control by gaining impartial insight into the process execution, data-driven process improvement, compliance checking, predictive analysis, and empowering employees in taking control of their work via objective self-assessment. This requires a steady connection with a process-aware information system. Process mining supports the design of such a system [2] by identifying process and GRC requirements.

Process mining is more and more applied in practice by auditors to verify compliance of a business process, its execution and its governance with rules and regulations such as ISO standards and SOX legislation [32]. It allows for automatic verification of process compliance over the full range of cases instead of random sampling, guaranteeing 100 % confidence. El Kharbili et al. [14] indicate that four aspects need to be covered by business process compliance checking techniques: (i) compliance checking during the entire BPM lifecycle; (ii) compliance checking in perspectives other than the control-flow; (iii) support of visual analytics; (iv) defining and applying semantic technologies for the application of compliance checking. Three compliance perspectives are usually distinguished [31]: (i) correct ongoing business to ensure compliance with rules and regulations, (ii) detect compliance violations in past instances and (iii) prevent noncompliant behavior from taking place by design. Van der Aalst and Medeiros [4] apply process mining to check for security issues in audit trails. Presence or absence of certain workflow patterns in the actual execution of the process might indicate security issues. Any non-fraudulent behavior could thereafter be supported and fraudulent behavior prevented. They suggest using control-flow simulation of the process to verify conformance to specific ordering patterns.

Process mining is rapidly gaining popularity due to a rapid growth of data, the concept and awareness of Big Data and a rapidly changing and highly competitive market [3]. As it is purely based on data, data quality is of high importance. Several quality criteria for event logs are identified [3]: event logs need to be reliable and complete, events need to be recorded based on predefined semantics and security issues need to be taken care of. Several major challenges with respect to data registration and extraction are also brought to attention [3]: data might reside in any number of IT applications, are often not registered within a process context, might contain outliers, and registration is often incomplete. Other challenges include handling complex event logs, combining with other data mining techniques, cross-organizational process mining, and improved end-user support [3].

Summarizing, process mining provides powerful tools for data-driven process analysis. However, challenges with respect to data limit its potential value.

4 Problem Definition

As evident from Sect. 3, process mining provides deep and objective insight into the operations of an organization, capturing any anomalies in ongoing and past business and providing data-driven support for process definition, monitoring and improvement. It addresses both the design for GRC and the EOA GRC principles as it supports both developing systems that comply with GRC quality criteria at design time, and monitor and analyze compliance in the daily operation of the enterprise. Process mining provides insight into current processes and allows for procedural simulation and validation of the design, eliminating any noncompliant control-flow aspects or other risks at design time. Various perspectives regarding compliance, such as control-flow, resource and data aspects can be taken into account, for example in the form of social network analysis. In addition, it also supports redesign in the context of the EOC GRC principle.

As process mining is purely based on data, challenges with respect to registration and extraction of that data greatly impact the possible application for compliance of past and ongoing business. Scattered over multiple applications, and often not registered in a process-aware manner, data can be difficult to capture and the process of converting it into the required format can have a high impact on resources. When these data registration and extraction issues can be mitigated and extraction and preparation time of data can be drastically reduced, near real-time analysis and monitoring of ongoing business becomes a viable possibility, supporting the EOA GRC principle. This allows red flagging specific procedure states at runtime, ensuring safety and mitigating operational risks.

As indicated in the business-process driven GRC principle, to support compliance of the business operation we should be able to guarantee that the operation is completely business-process driven. Therefore, a prescriptive enforcement of the operation (or a descriptive one, matching the descriptive nature of compliance models) has to be put into place, in accordance with the prescriptive control GRC principle. This also mitigates data-extraction challenges in the context of process mining.

Summarizing, process mining provides support for all GRC principles. However, without effective data registration and extraction in a process-aware manner, by itself it will not attain its full potential in supporting GRC. We propose the use of DEMO as a solid foundation, to resolve these aspects. This allows process mining to be used as an effective and impartial solution to GRC. This is detailed in the next section.

5 The Enterprise Operational Analysis Approach

The proposed Enterprise Operational Analysis (EOA) approach is founded on (i) the DEMO methodology and theories [11, 12] to develop high-quality enterprise models, (ii) the Enterprise Operating System [19], a software engine that executes DEMO models “as native source code” and (iii) state-of-the-art process mining tools. Figure 1 depicts an overview of our approach, which allows for analyzing the enterprise’s operations and designing new information systems according to the actual operation and observed GRC principles. First, the various components of Fig. 1 are described below. Then, the five GRC principles of Sect. 2 are instantiated.

Fig. 1. Overview of the enterprise operation analysis approach

5.1 Details of the EOA Approach

Enterprise in Operation. The enterprise in operation is defined as a social system of actors who communicate about their productions [11, 12]. The system is purposefully constructed to fulfill a specific function. Actors communicate about their productions by communication acts, which result in communication facts. All communication facts represent a shared understanding and agreement of all actors about the world of production. The EOA approach is based on event logs of all communicative acts, resulting in communicative facts, of human actors about the world of productions.

DEMO Models. A great demand exists for an adequate and standard formal representation of GRC concepts [29, 33]. Taking into account strategic goals of the research and aforementioned generic principles of GRC, we provide three arguments for the direct correspondence between the conceptual structure of GRC and the foundations of DEMO modeling. First, GRC success is in part determined by the use of a proper modeling technique that reduces complexity. DEMO modeling reduces complexity due to stratification of O-, I- and D-transactions and exploits a proper level of abstraction based on a language-action perspective. DEMO is based on an ontological theory, as defined by Enterprise Ontology [11], and is well founded on appropriate scientific theories [12]. DEMO models also provide a suitable specification of business processes [16–18] with valuable qualities. The quality of the applied methodology is guaranteed by the underlying theories, methodologies and formal methods [9–12]. The appropriateness of DEMO is shown by business cases and applications in many domains, e.g. [24, 26]. Second, trust relations among participating business actors in the GRC domain should be explicitly determined and analyzed. The generic pattern of DEMO transactions with clear phases of communication (actagenic, action execution, factagenic) provides analysts with a powerful conceptual framework for reflection upon the trust foundations and risks between the initiator and the executor of the transaction. Finally, as the OCEG GRC Capability Model determines, the key GRC activities revolve around such conceptual elements as organization boundaries, business processes, tasks, facts, policies and business rules. For each mentioned element we can easily find a direct correspondence in DEMO nomenclature. This concludes our argumentation. We can systematically apply the DEMO modeling technique for the whole process of model design and analysis activities in our approach.

DEMO Engine. The DEMO Engine is part of the Enterprise Operating System. The formal qualities of DEMO models enable the construction of this software engine that directly executes DEMO models [25] as native source code.

The Enterprise Operating System (EOS). The EOS is analogous to an operating system for a computer and represents the active layer between human actors of the organization and the enterprise information systems. The DEMO engine that executes a DEMO model constitutes the Enterprise Operating System (EOS) [19]. The EOS provides three capabilities of interest for this research: (i) Total prescriptive control [16–18, 20], implying that the whole enterprise, including each actor, can act exclusively within the boundaries of the (DEMO) business process. (ii) Total descriptive knowledge. Each communication act is captured and recorded, and completeness and correctness of all acts is guaranteed. (iii) Event Logs, the straightforward generation of suitable event logs from recorded communication acts.

Process Mining Tools. Process mining provides data-driven process analysis and many valuable perspectives on the actual operation. For more details see Sect. 3.

Process Analysis. Process analysis refers to human actors using process mining tools to understand the operation, take appropriate actions and propose improvements for implementation, in this case improved DEMO models.

5.2 Assessment of the GRC Principles

Business-Process Driven Principle. This principle is realized by the application of DEMO modeling, providing high quality process models.

Design for GRC Principle. DEMO models are designed by knowledgeable stakeholders using shared reasoning [11] in a design cycle [22, 23]. Process mining, model simulation and early validation are highly appropriate to design for optimal GRC support, without commitments to programming and resources [19, 25].

Prescriptive Control Principle. The EOS controls precisely which communication acts are allowed for each actor to perform. This is computed directly from the model and its current state.

EOA Principle. The EOS, which has total descriptive knowledge of the enterprise operation, allows for straightforward extraction of guaranteed complete and correct event logs [20]. Using state-of-the-art process mining, this principle is realized.

Enterprise Operational Control Principle. Combining the above principles, we realize a closed-loop classical control cycle [15]. In other words, this is realized by (i) DEMO modeling; (ii) DEMO models executed by the EOS; (iii) the EOS driving the operation of the enterprise; (iv) the EOS providing complete event logs; (v) event logs processed by process mining techniques, providing data-driven process analyses that support further model improvements.

A typical challenge for process mining is that many different IT applications must be accessed to create an event log encompassing a complete business process. In the EOA approach we capture communication acts between actors about their productions [11]. It is implicitly assumed that these actors communicate in a truthful way; hence the event logs are assumed to be truthful. To verify correctness, it is recommended to cross-validate the data with various IT systems.

In general terms, EOA supports two design science engineering cycles: the modeling and model validation cycle; and the operational control cycle of model execution, logging, monitoring, analysis and implementation of improvements.

6 Case Study Representation

In this section we discuss a case study that was performed to assess the suitability of EOS as a foundation for GRC, efficiency and effectiveness checking with process mining. This case study was part of a more encompassing study, initiated by Formetis, on the general suitability of DEMO as foundation for process mining. Here we focus on the aspects of process mining relevant to GRC.

The case study was performed on data extracted from the DEMO BPM Engine of Formetis as implemented at one of their customers. It considers a process of connecting households and companies to the energy grid at a semi-public organization that delivers energy and utility services. For this case study, the process mining tool Disco from software developer Fluxicon was used.

The case study consists of several steps in which the suitability with respect to process mining is checked for: (i) the quality of data registration of the DEMO BPM Engine, (ii) the quality of data extraction from the DEMO BPM Engine and (iii) the application of process mining on data extracted from the DEMO Engine for detective, corrective, and preventive aspects of GRC as defined by El Kharbili et al. [14].

6.1 Transactional Data Registration

As mentioned before, process mining is fully based on transactional data, giving rise to certain challenges with respect to registration of that data. This greatly impacts the application of compliance and assurance of ongoing business. Here we evaluate to what extent the DEMO BPM Engine resolves these challenges.

As mentioned in the previous section, the DEMO BPM Engine automatically registers the various atomic communication facts surrounding a specific activity or transaction performed by each individual actor. For example, the request, the statement of execution, and the acceptance of execution of a specific transaction are registered. This way, insight can be gained into both executed transactions and initiated but eventually non-executed transactions. All communication surrounding a specific transaction has actually taken place, either manually or automatically. As a result, the data is highly reliable. The only remaining concern is that only the communication acts surrounding the actual work performed are considered, and that the actual moment of the statement of work is only as reliable as the moment the resource enters it into the system. As the system is highly prescriptive, e.g., advancement might require certain steps to be finished, it is assumed to be quite accurate.

The DEMO BPM Engine registers complete business processes, common behavior as well as exception handling, and drives several business applications. This ensures complete registration of the process within the environment of the DEMO BPM Engine. Any acts that should not be allowed are prohibited by the Engine.

Within the DEMO model, cases, transactions and communication acts are distinguished and all these entities have a predefined set of data registration attributes. This ensures high data consistency. In addition, all transactions are registered within the context of the business process as specified by the DEMO model.

6.2 Data Extraction

Similar to data registration impacting the application of compliance and assurance of ongoing business, also data extraction has to be evaluated.

Since the DEMO BPM Engine drives several business applications within the business process, data does not have to be retrieved from various applications. Instead, all data required for process mining is stored in a single central database. Desired auxiliary data residing in connected applications can also be retrieved when required. In particular, auxiliary data that is typically also used for operational management may be of interest, as it may lead to deeper analyses. However, a trade-off has to be made between required effort and impact. In this case study, we decided to use only the information readily available in the DEMO BPM Engine as implemented at the customer. This ensures generalizability to DEMO BPM Engine implementations at different enterprises.

The quality of an event log for process mining can be assessed according to a scale of maturity as described by Van der Aalst et al. [3]. Due to the complete and consistent registration and its high level of detail and reliability, event logs extracted from the DEMO BPM Engine can be ranked with 4 to 5 stars, i.e., considered to be of high quality. For this specific analysis, data was extracted from the production environment of the DEMO BPM Engine, ensuring that the data has not been tampered with for testing. Additionally, data marked as sensitive to the organization (e.g. resource information) has been anonymized. See Fig. 2 for part of the event log.

Fig. 2. Part of an event log from the DEMO BPM Engine

The data set contained a number of “legacy cases” resulting from migrating to the new system. We discarded these cases as the process execution was done only partially in this system, leading to false information about start points of the process.

6.3 Process Mining for GRC

Now that data from the DEMO BPM Engine can be considered highly suitable as input for process mining, it can be evaluated to what extent GRC is supported by this combination. The three GRC aspects of El Kharbili et al. [14] are considered: detective, corrective, and preventive.

Detective Compliance Perspective. Process mining allows for data-driven analysis of the as-is process model based on historical transactions. The process model resulting from data as registered by the DEMO BPM Engine provides a highly precise control-flow due to the various communication acts surrounding each transaction. In this respect, the actual control-flow can be compared to a reference model indicating deviations from required or agreed upon behavior. Multiple reference models were applicable in our case study, due to its time span: some performed transactions were applicable to a specific reference model and did not occur in other reference models. This allowed us to track the development of the reference models over time. Due to the high precision of data registration, various business rules with respect to control-flow can also be investigated in a highly accurate manner. Also, within the process under consideration several subprocesses were identified, allowing for a compliance check on several granularity levels within the business process (Fig. 3). Also, checks could be performed on process performance with respect to time aspects. Throughput, waiting, and processing times could be identified, again due to the accuracy with which data was available.

Fig. 3. Compliance checking on several granularity levels; two subprocesses are indicated

See for example Fig. 4, indicating a long waiting time on the connection and a long processing time on the right transaction. Service Level Agreements (SLAs) could be verified in either a visual way in a process model, or in various charts. One of the verified targets was a specific part of the process that had to be performed within 15 days. We found that 96 % of all cases adhered to this SLA. From an auditing point of view, each of these analyses provides a starting point from which easy drill-down and focus on anomalies is supported. Another aspect of compliance checking is the resource aspect, i.e., how resources work together. A well-known compliance check is the segregation of duties or four-eyes principle check. Such a check was performed and a total of 9 violations were found. On specific case level, more details were provided, allowing for further investigation of the root cause of the violation.

Fig. 4. Process performance information on processing and waiting times

Corrective Compliance Perspective. We have also investigated the possibility of monitoring and assuring ongoing business. As both ongoing and closed cases are extracted from the DEMO BPM Engine, a map could be created with process mining showing where in the process the ongoing cases reside (see Fig. 5). In addition, it can be verified whether or not they are still within SLA. This allows for corrective actions to be taken whenever a case is on a path, or has a performance, that is known to result in an SLA violation based on the analysis of closed cases.

Fig. 5. Map of ongoing cases
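The detective checks (four-eyes principle, control-flow conformance, SLA adherence on closed cases) and the corrective view (where ongoing cases reside and whether they are still within SLA) described above, as an added Python example that is not code from the paper, from Formetis or from Disco. It runs over a constructed event log in the spirit of the DEMO BPM Engine logs: one line per communication act (request, promise, state, accept) of a transaction instance within a case. The column layout, the 15-day SLA being measured from request to accept, and the four-eyes rule that the initiator-side actor (request/accept) must differ from the executor-side actor (promise/state) are assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not data from the paper's case study), in the spirit of the
# DEMO BPM Engine logs of Sect. 6: one line per communication act of a transaction
# instance within a case. The column layout is an assumption.
SAMPLE_LOG = """\
case,transaction,act,actor,timestamp
C1,T01-connect,request,alice,2014-03-01T09:00
C1,T01-connect,promise,bob,2014-03-01T10:00
C1,T01-connect,state,bob,2014-03-10T15:00
C1,T01-connect,accept,alice,2014-03-11T08:00
C2,T01-connect,request,carol,2014-03-02T09:00
C2,T01-connect,promise,carol,2014-03-02T09:05
C2,T01-connect,state,carol,2014-03-25T17:00
C2,T01-connect,accept,carol,2014-03-26T09:00
C3,T01-connect,request,alice,2014-03-20T09:00
C3,T01-connect,promise,dave,2014-03-20T11:00
C4,T01-connect,request,alice,2014-03-28T09:00
C4,T01-connect,state,bob,2014-03-28T12:00
"""

SLA_DAYS = 15  # assumed: the SLA applies to the request-to-accept span
ACT_ORDER = ["request", "promise", "state", "accept"]  # DEMO standard pattern
INITIATOR_ACTS = {"request", "accept"}
EXECUTOR_ACTS = {"promise", "state"}

@dataclass
class Event:
    case: str
    transaction: str
    act: str
    actor: str
    ts: datetime

def parse_log(text: str) -> list[Event]:
    """Parse the CSV-like log into Event records ordered by timestamp."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        events.append(Event(rec["case"], rec["transaction"], rec["act"],
                            rec["actor"], datetime.fromisoformat(rec["timestamp"])))
    events.sort(key=lambda e: e.ts)
    return events

def transaction_instances(events: list[Event]) -> dict[tuple[str, str], list[Event]]:
    """Group acts per (case, transaction) instance, keeping timestamp order."""
    groups: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        groups[(e.case, e.transaction)].append(e)
    return groups

def four_eyes_violations(events: list[Event]) -> list[tuple[str, str, str]]:
    """Segregation of duties (assumed rule): the initiator-side actor (request/accept)
    must differ from the executor-side actor (promise/state) of the same instance."""
    violations = []
    for (case, tx), acts in transaction_instances(events).items():
        initiators = {e.actor for e in acts if e.act in INITIATOR_ACTS}
        executors = {e.actor for e in acts if e.act in EXECUTOR_ACTS}
        for actor in sorted(initiators & executors):
            violations.append((case, tx, actor))
    return violations

def control_flow_deviations(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """Flag instances whose act sequence is not a prefix of the reference pattern."""
    deviations = []
    for (case, tx), acts in transaction_instances(events).items():
        seen = [e.act for e in acts]
        if seen != ACT_ORDER[: len(seen)]:
            deviations.append((case, tx, seen))
    return deviations

def sla_report(events: list[Event], now_iso: str):
    """Closed instances: request->accept within SLA_DAYS? Ongoing instances: last act
    reached, days elapsed at the reference moment, and whether the SLA is breached."""
    now = datetime.fromisoformat(now_iso)
    closed: dict[tuple[str, str], bool] = {}
    ongoing: dict[tuple[str, str], tuple[str, int, bool]] = {}
    for key, acts in transaction_instances(events).items():
        when = {e.act: e.ts for e in acts}
        if "request" not in when:
            continue  # no measurable start
        start = when["request"]
        if "accept" in when:
            closed[key] = (when["accept"] - start).days <= SLA_DAYS
        else:
            elapsed = (now - start).days
            ongoing[key] = (acts[-1].act, elapsed, elapsed > SLA_DAYS)
    return closed, ongoing

def sla_adherence_pct(closed: dict[tuple[str, str], bool]) -> float:
    """Share of closed instances within SLA (the case study reports 96 %)."""
    return 100.0 * sum(closed.values()) / len(closed) if closed else 0.0
```

Calling `four_eyes_violations(parse_log(SAMPLE_LOG))` flags case C2, where one actor plays both sides of the transaction, and `sla_report(parse_log(SAMPLE_LOG), "2014-04-10T00:00")` separates the closed instances (one within, one outside the SLA) from the two ongoing ones, of which C3 has already exceeded the 15 days while still at the promise act.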

Preventive Compliance Perspective. Another level within the registration of this particular process in the DEMO BPM Engine is the registration of the statuses in which the process can reside (see Fig. 6). We were able to identify the four most frequently occurring statuses (dark color in the figure). This view and the general process view can both be used to verify compliance of the control flow with rules and regulations already at design time, based on simulation runs and analyses with process mining. Using process data extracted from the DEMO BPM Engine, process mining leads to an optimal design and a continuous fine-tuning of the WFMS during execution time to the actual behavior of the end users. Formetis is able to anticipate the desires of the end users, which become transparent by analyzing their use of the software. In other words, process mining with the DEMO Engine increases the harmonization between supplier and customers.

Fig. 6. Status aggregation level

7 Conclusions and Future Work

In order to address the GRC, efficiency and effectiveness challenges, enterprise operational analysis is a mandatory capability. Without it an enterprise cannot control, steer or improve itself and is at risk of not meeting the GRC requirements. To design effective and efficient software systems that facilitate GRC application in organizations, we proposed five GRC principles: Business process driven; Design for GRC; Prescriptive control; Enterprise Operational Analysis; Enterprise Operational Control. A novel approach is described: the Enterprise Operational Analysis (EOA). EOA combines process mining with DEMO and the Enterprise Operating System (EOS). Process mining is driven by transactional data captured from corporate IT systems. As it is a data-driven technique, it relies heavily on the quality of this data. Several quality issues regarding data registration and extraction are overcome in our EOA approach. Based on a case study, we were able to reach the following conclusions. Event logs as extracted from the EOS are complete, consistent, highly detailed and reliable. As such, they are considered to be of 4- to 5-star quality on the scale of maturity of event logs as described by van der Aalst et al. [3]. Extracting these event logs from the EOS is a straightforward and efficient task, due to the full process registration occurring within the engine. Moreover, all process data is recorded in a consistent manner, in a business-process context. Finally, the advantages offered by applying process mining based on the EOS are two-fold. It enables customers to analyze, monitor and optimize their processes in a data-driven way. At the same time, it also increases the harmonization between the software supplier and their customers by providing insight into the use of their software. Moreover, combining the EOS with state-of-the-art process mining offers major advantages: guaranteed completeness of analysis, elimination of ‘mining’ for events, facilitating process conformance checking, and analysis on various levels of granularity from various perspectives. It provides a solid foundation, enabling process mining to be used as an effective and impartial solution to GRC.

Future Work. Further research is needed on the maturity of the technologies and tools, and on more empirical evidence using this approach. After all, only one business case has been investigated so far. However, the feasibility of EOA has been shown in this paper. Enterprise operational control comes at a low cost, lowering thresholds and encouraging acceptance in the professional world. The design for GRC principle can be further extended to support GRC ontologies at design time. Similarly, Sadiq and Governatori [31] propose aligning the process and control-flow aspects based on ontologies, capturing rules and regulations. Corrective GRC requires predictive analytics in process mining in real time. Further research and development in software tools is required to further support this in the context of GRC. The proposed method aims at solving GRC, efficiency and effectiveness related issues. The fact that GRC is still considered a rather immature domain emphasizes the need for additional multidisciplinary research on the GRC domain itself, and on the alignment of the GRC framework with the discipline of enterprise engineering.