Normative requirements for regulatory compliance: An abstract formal framework

Information Systems Frontiers

Abstract

By definition, regulatory rules (in a legal context called norms) intend to achieve specific behaviour from business processes, and might be relevant to the whole or part of a business process. They can impose conditions on different aspects of process models, e.g., control-flow, data and resources. Based on the rule sets, norms can be classified into various classes and sub-classes according to their effects. This paper presents an abstract framework consisting of a list of norms and a generic compliance checking approach based on the idea of (possible) execution of processes. The proposed framework is independent of any existing formalism, and provides a conceptually rich and exhaustive ontology and semantics of norms needed for business process compliance checking. Apart from other uses, the proposed framework can be used to compare different compliance management frameworks (CMFs).

Notes

  1. The US government. Sarbanes-Oxley Act, Public Law 107-204, 116 Stat. 745, 2002.

  2. Banking Committee on Banking Supervision (SCBS), BASEL-II Accord, 2004.

  3. ISO-9000: www.iso.org/iso/iso_9000

  4. There are other deontic effects, but these can be derived from the basic ones, see Sartor (2005).

  5. Here we consider the definition of such concepts given by the OASIS LegalRuleML working group. The OASIS LegalRuleML glossary is available at http://www.oasis-open.org/apps/org/workgroup/legalruleml/download.php/48435/Glossary.doc.

  6. Notice that we took the most general definition by not imposing any temporal requirements for the compensation, thus the compensation could even precede the violation. Consider the natural language expression: “I apologise in advance for …”.

  7. http://www.yawlfoundation.org/files/YAWLDeedOfAssignmentTemplate.pdf, retrieved on March 28, 2013.

  8. The policy document is available on the LPMA website: http://www.lpma.nsw.gov.au/_data/assets/pdf_file/0004/25663/rth_Ch26_Aug_2009.pdf

  9. The annotations for each task can be given by domain experts or can be extracted from databases or forms related to the tasks, see Hashmi et al. (2012).

  10. Regorous: Compliance Checker, available at https://www.regorous.com.

  11. From Nov 2012, the name of the ConDec language has been changed to Declare; see http://www.win.tue.nl/declare/2011/11/declare-renaming/.

  12. The Hazard Analysis Critical Control Point System, available at http://www.standards.org/standards/listing/haccp, retrieved 20 Feb 2014

References

  • Accorsi, R., Lowis, L., & Sato, Y. (2011). Automated Certification for Compliant Cloud-based Business Processes. Business & Information Systems Engineering, 3(3), 145–154. doi: 10.1007/s12599-011-0155-7.

  • Ågotnes, T., van der Hoek, W., Rodríguez-Aguilar, J.A., Sierra, C., & Wooldridge, M. (2007). On the logic of normative systems. In Normative multi-agent systems, 18.03. - 23.03.2007. http://drops.dagstuhl.de/opus/volltexte/2007/921.

  • Awad, A. (2010). A compliance management framework for business process models. PhD thesis, HPI, Potsdam University, Germany.

  • Awad, A., & Weske, M. (2009). Visualisation of compliance violations in business process models. In 5th workshop on business process intelligence (Vol. 9, pp. 182–193).

  • Awad, A., Decker, G., & Weske, M. (2008). Efficient compliance checking using BPMN-Q and temporal logic. In BPM, LNCS (pp. 326–341). Springer.

  • Awad, A., Weidlich, M., & Weske, M. (2011). Visually specifying compliance rules and explaining their violations for business processes. Journal of Visual Languages & Computing, 22(1), 30–55.

  • Becker, J., Delfmann, P., Eggert, M., & Schwittay, S. (2012). Generalizability and applicability of model-based business process compliance-checking approaches – a state-of-the-art analysis and research Roadmap. BuR - Business Research Journal, 5(2), 221–247.

  • Bonatti, P.A., Shahmehri, N., Duma, C., Olmedilla, D., Nejdl, W., Baldoni, M., Baroglio, C., Martelli, A, Coraggio, P., Antoniou, G., Peer, J, & Fuchs, N.E. (2004). Rule-based policy specification: state of the art and future work. REWERSE Project Report-i2-D1.

  • Cabannilas, C., Resinas, M., & Ruiz-Cortes, A. (2010). Hints on how to face business process compliance. In III Taller de Procesos de Negocio e Ingenieria de Servicios PNIS10 in JISBD10 (Vol. 4, pp. 26–32).

  • Colombo Tosatto, S., Governatori, G., & Kelsen, P. (2014). Business process regulatory compliance is hard. IEEE Transactions on Services Computing PP(99), 1–1. doi: 10.1109/TSC.2014.2341236.

  • COMPAS (2008). Compliance driven models, languages, and architectures for services. In 7th framework programme for ICT.

  • Daniel, F., Casati, F., D’Andrea, V., Mulo, E., Zdun, U., Dustdar, S., Strauch, S., Schumm, D., Leymann, F., Sebahi, S., de Marchi, F., & Hacid, M.S. (2009). Business compliance governance in service-oriented architectures. In International conference on advanced information networking and applications, 2009. AINA ’09 (pp. 113–120).

  • DECLARE (2010). Declarative process models. http://www.win.tue.nl/declare/.

  • Dijkman, R.M., Dumas, M., & Ouyang, C. (2008). Semantics and analysis of business process models in BPMN. Information and Software Technology, 50(12), 1281–1294.

  • El Kharbili, M. (2012). Business process regulatory compliance management solution frameworks: a comparative evaluation. In APCCM 2012, CRPIT (Vol. 130, pp. 23–32).

  • Elgammal, A., Turetken, O., Heuvel, W.J., & Papazoglou, M. (2010). Root-cause analysis of design-time compliance violations on the basis of property patterns. In P. Maglio, M. Weske, J. Yang, & M. Fantinato (Eds.), Service-oriented computing, lecture notes in computer science (Vol. 6470, pp. 17–31). Berlin Heidelberg: Springer. doi: 10.1007/978-3-642-17358-5_2.

  • Elgammal, A., Turetken, O., van den Heuvel, W.J., & Papazoglou, M. (2011). On the formal specification of regulatory compliance: a comparative analysis. In Proceedings of ICSOC’10 (pp. 27–38).

  • Elgammal, A., Oktay, T., & Heuvel, W.J. (2012). Using patterns for the analysis and resolution of compliance violations. International Journal of Cooperative Information Systems, 21(31). doi: 10.1142/S0218843012400023.

  • Elgammal, A., Turetken, O., van den Heuvel, W.J., & Papazoglou, M. (2014). Formalizing and applying compliance patterns for business process compliance. Software & Systems Modeling, 1–28. doi: 10.1007/s10270-014-0395-3.

  • Fellmann, M., & Zasada, A. (2014). State-of-the-art of business process compliance approaches. In 22nd European conference on information systems, ECIS 2014, Tel Aviv, Israel, June 9-11, 2014. http://aisel.aisnet.org/ecis2014/proceedings/track06/8.

  • Gambini, M., Rosa, M., Migliorini, S., & Hofstede, A.H.M. (2011). Automated error correction of business process models. In S. Rinderle-Ma, F. Toumani, & K. Wolf (Eds.), Business process management, LNCS (Vol. 6896, pp. 148–165). Berlin Heidelberg: Springer.

  • Ghose, A., & Koliadis, G. (2007). Auditing business process compliance. In B. Krämer, K.J. Lin, & P. Narasimhan (Eds.), Service-oriented computing (ICSOC 2007), LNCS (Vol. 4749, pp. 169–180). New York: Springer. doi: 10.1007/978-3-540-74974-5_14.

  • Goedertier, S., & Vanthienen, J. (2006). Designing compliant business processes with obligations and permissions. In J. Eder & S. Dustdar (Eds.), Business process management workshops, lecture notes in computer science (Vol. 4103, pp. 5–14). Berlin Heidelberg: Springer. doi: 10.1007/11837862_2.

  • Gordon, T.F., Governatori, G., & Rotolo, A. (2009). Rules and norms: requirements for rule interchange languages in the legal domain. In RuleML 2009, LNCS (Vol. 5858, pp. 282–296). Springer.

  • Governatori, G. (2005). Representing business contracts in RuleML. International Journal of Cooperative Information Systems, 14(2-3), 181–216. doi: 10.1142/S0218843005001092.

  • Governatori, G. (2015). Thou Shalt is not you will. In Proceedings of the 15th international conference on artificial intelligence and law (ICAIL 2015). ACM. doi: 10.1145/2746090.2746105.

  • Governatori, G., & Rotolo, A. (2010a). A conceptually rich model of business process compliance. In Proceedings of APCCM ’10. (Vol. 110, pp. 3–12).

  • Governatori, G., & Rotolo, A. (2010b). Norm compliance in business process modeling. In RuleML 2010: 4th international web rule symposium (pp. 194–209). Springer. doi: 10.1007/978-3-642-16289-3_17.

  • Governatori, G., & Sadiq, S. (2009). The journey to business process compliance. In Handbook of research on business process management, IGI Global (pp. 426–454).

  • Governatori, G., Hoffmann, J., Sadiq, S.W., & Weber, I. (2008). Detecting regulatory compliance for business process models through semantic annotations. In Business process management workshops’08 (pp. 5–17).

  • Hashmi, M., & Governatori, G. (2013). A methodological evaluation of business process compliance management frameworks. In M. Song, M. Wynn, & J. Liu (Eds.), Asia pacific business process management, LNBIP (Vol. 159, pp. 106–115). Switzerland: Springer.

  • Hashmi, M., Governatori, G., & Wynn, M.T. (2012). Business process data compliance. In Rules on the web: research and applications - 6th international symposium, RuleML 2012, Montpellier, France, August 27-29, 2012. Proceedings (pp. 32–46). doi: 10.1007/978-3-642-32689-9_4.

  • Hashmi, M., Governatori, G., & Wynn, M.T. (2013). Normative requirements for business process compliance. In Service research and innovation - third Australian Symposium, ASSRI 2013, Sydney, NSW, Australia, November 27-29, 2013, revised selected papers (pp. 100–116). doi: 10.1007/978-3-319-07950-9_8.

  • Hashmi, M., Governatori, G., & Wynn, M.T. (2014). Modeling obligations with event-calculus. In Rules on the web. From theory to applications - 8th International Symposium, RuleML 2014, Prague, Czech Republic, August 18-20, 2014. Proceedings (pp. 296–310). doi: 10.1007/978-3-319-09870-8_22.

  • Hee, K., Hidders, J., Houben, G.J., Paredaens, J., & Thiran, P. (2010). On-the-fly auditing of business processes. In K. Jensen, S. Donatelli, & M. Koutny (Eds.), Transactions on Petri nets and other models of concurrency IV, LNCS (Vol. 6550, pp. 144–173). New York: Springer.

  • Herrestad, H. (1991). Norms and formalization. In: ICAIL’91, ACM, (pp. 175–184). doi: 10.1145/112646.112667.

  • Hinge, K., Ghose, A., & Koliadis, G. (2009). Process SEER: A Tool for Semantic Effect Annotation of Business Process Models. In EDOC ’09. IEEE international (pp. 54–63). doi: 10.1109/EDOC.2009.24.

  • Hoffmann, J., Weber, I., & Governatori, G. (2012). On compliance checking for clausal constraints in annotated process models. Information Systems Frontiers, 14(2), 155–177.

  • Jiang, J., Dignum, V., Aldewereld, H., Dignum, F., & Tan, Y.H. (2013). Norm compliance checking. In Proceedings of the 2013 international conference on autonomous agents and multi-agent systems, international foundation for autonomous agents and multiagent systems, Richland, SC, AAMAS ’13 (pp. 1121–1122). http://dl.acm.org/citation.cfm?id=2484920.2485101.

  • Jiang, J., Aldewereld, H., Dignum, V., Wang, S., & Baida, Z. (2014). Regulatory Compliance Of Business Processes. AI & SOCIETY, (pp. 1–10). doi: 10.1007/s00146-014-0536-9.

  • Kiepuszewski, B., Hofstede, A.H.Mt., & Bussler, C. (2000). On structured workflow modeling. In Proceedings of the 12th international conference on advanced information systems engineering, CAiSE ’00 (pp. 431–445). London: Springer.

  • Letia, I.A., & Groza, A. (2013). Compliance checking of integrated business processes. Data & Knowledge Engineering, 87(0), 1–18. doi: 10.1016/j.datak.2013.03.002.

  • Ly, L.T., Knuplesch, D., Rinderle-Ma, S., Goeser, K., Reichert, M., & Dadam, P. (2010). SeaFlows toolset - compliance verification Made Easy. In CAiSE’10 Demos.

  • Ly, L.T., Rinderle-Ma, S., Göser, K., & Dadam, P. (2012). On enabling integrated process compliance with semantic constraints in process management systems. Information Systems Frontiers, 14(2), 195–219.

  • Ly, L.T., Maggi, F.M., Montali, M., Rinderle, S., & van der Aalst, W. (2013). A framework for the systematic comparison and evaluation of compliance monitoring approaches. In Proceeding of EDOC.

  • Maggi, F., Montali, M., Westergaard, M., & van der Aalst, W. (2011). Monitoring business constraints with linear temporal logic: an approach based on coloured automata. In BPM, LNCS 6896 (pp. 132–147). Springer.

  • Mulo, E., Zdun, U., & Dustdar, S. (2013). Domain-specific language for event-based compliance monitoring in process-driven soas. Service Oriented Computing and Applications, 7(1), 59–73. doi: 10.1007/s11761-012-0121-3.

  • Murata, T. (1989). Petri nets: properties, analysis and applications. Proceedings of the IEEE, 77(4), 541–580.

  • Orriëns, B., Yang, J., & Papazoglou, M.P. (2003). A framework for business rule driven service composition. In B. Benatallah, & M.-C. Shan (Eds.), Technologies for e-services, lecture notes in computer science (Vol. 2819, pp. 14–27). Berlin Heidelberg: Springer. doi: 10.1007/978-3-540-39406-8_2.

  • Ouyang, C., Dumas, M., Breutel, S., & ter Hofstede, A.H.M. (2006). Translating Standard Process Models to BPEL. In CAiSE (pp. 417–432).

  • Ouyang, C., Dumas, M., van der Aalst, W.M.P., ter Hofstede, A.H.M., & Mendling, J. (2009). From business process models to process-oriented software systems. ACM Trans Softw Eng Methodol, 19(1).

  • Pesic, M., & van der Aalst, W.M.P. (2006). A declarative approach for flexible business processes management. In J. Eder, & S. Dustdar (Eds.), Business process management workshops, lecture notes in computer science (Vol. 4103, pp. 169–180). Berlin Heidelberg: Springer. doi: 10.1007/11837862_18.

  • Ramezani, E., Fahland, D., van der Werf, J., & Mattheis, P. (2012). Separating compliance management and business process management. In F. Daniel, K. Barkaoui, & S. Dustdar (Eds.), Business process management workshops, lecture notes in business information processing (Vol. 100, pp. 459–464). Berlin Heidelberg: Springer. doi: 10.1007/978-3-642-28115-0_43.

  • Ramezani, E., Fahland, D., van Dongen, B.F., & van der Aalst, W.M.P. (2013). Diagnostic information for compliance checking of temporal compliance requirements. In CAiSE (pp. 304–320).

  • Rodríguez, C., Schleicher, D., Daniel, F., Casati, F., Leymann, F., & Wagner, S. (2013). Soa-enabled compliance management: instrumenting, assessing, and analyzing service-based business processes. Service Oriented Computing and Applications, 7(4), 275–292. doi: 10.1007/s11761-013-0129-3.

  • Sadiq, S., Governatori, G., & Namiri, K. (2007). Modeling control objectives for business process compliance. In Proceedings of BPM’07 (pp. 149–164). Springer. http://portal.acm.org/citation.cfm?id=1793114.1793130.

  • Sartor, G. (2005). Legal reasoning: a cognitive approach to the law. Springer.

  • Turki, S., & Bjekovic-Obradovic, M. (2010). Compliance in e-government service engineering: state-of-the-art. In Exploring services science, LNBIP (pp. 270–275). Springer.

  • van der Aalst, W.M.P (1998). The Application of Petri Nets to Workflow Management. Journal of Circuits, Systems, and Computers, 8(1), 21–66.

  • van der Aalst, W.M.P. (2000). Workflow verification: finding control-flow errors using petri-net-based techniques. In W.M.P. van der Aalst, J. Desel, & A. Oberweis (Eds.), Business process management: models, techniques, and empirical studies.

  • van der Aalst, W., Adriansyah, A., & van Dongen, B. (2012). Replaying history on process models for conformance checking and performance analysis. Wiley Int Rev Data Min and Knowl Disc, 2(2), 182–192.

  • Weigand, H., van den Heuvel, W.J., & Hiel, M. (2011). Business policy compliance in service-oriented systems. Information Systems, 36(4), 791–807.

  • Wen, L., Wang, J., van der Aalst, W.M., Huang, B., & Sun, J. (2010). Mining process models with prime invisible tasks. Data & Knowledge Engineering, 69(10), 999–1021.

Acknowledgments

This paper revises and extends ASSRI’13 (Hashmi et al. 2013) and AP-BPM 2013 (Hashmi and Governatori 2013) conference papers respectively. NICTA is funded by the Australian Government by the Department of Communication and the Australian Research Council through the ICT center of Excellence program.

Author information

Corresponding author

Correspondence to Mustafa Hashmi.

Cite this article

Hashmi, M., Governatori, G. & Wynn, M.T. Normative requirements for regulatory compliance: An abstract formal framework. Inf Syst Front 18, 429–455 (2016). https://doi.org/10.1007/s10796-015-9558-1

  • DOI: https://doi.org/10.1007/s10796-015-9558-1
