Information Systems Frontiers, Volume 18, Issue 3, pp 429–455

Normative requirements for regulatory compliance: An abstract formal framework

  • Mustafa Hashmi
  • Guido Governatori
  • Moe Thandar Wynn

Abstract

By definition, regulatory rules (called norms in a legal context) are intended to achieve specific behaviour from business processes, and may be relevant to the whole or part of a business process. They can impose conditions on different aspects of process models, e.g., control-flow, data and resources. Based on the rule sets, norms can be classified into various classes and sub-classes according to their effects. This paper presents an abstract framework consisting of a list of norms and a generic compliance checking approach based on the idea of (possible) execution of processes. The proposed framework is independent of any existing formalism, and provides a conceptually rich and exhaustive ontology and semantics of norms needed for business process compliance checking. Among other uses, the proposed framework can be used to compare different compliance management frameworks (CMFs).

Keywords

  • Norms
  • Normative requirements
  • Norms compliance
  • Business process regulatory compliance
  • Compliance frameworks

Notes

Acknowledgments

This paper revises and extends the ASSRI’13 (Hashmi et al. 2013) and AP-BPM 2013 (Hashmi and Governatori 2013) conference papers. NICTA is funded by the Australian Government through the Department of Communication and the Australian Research Council through the ICT center of Excellence program.

References

  1. Accorsi, R., Lowis, L., & Sato, Y. (2011). Automated Certification for Compliant Cloud-based Business Processes. Business & Information Systems Engineering, 3(3), 145–154. doi: 10.1007/s12599-011-0155-7.
  2. Ågotnes, T., van der Hoek, W., Rodríguez-Aguilar, J.A., Sierra, C., & Wooldridge, M. (2007). On the logic of normative systems. In Normative multi-agent systems, 18.03. - 23.03.2007. http://drops.dagstuhl.de/opus/volltexte/2007/921.
  3. Awad, A. (2010). A compliance management framework for business process models. PhD thesis, HPI, Potsdam University, Germany.
  4. Awad, A., & Weske, M. (2009). Visualisation of compliance violations in business process models. In 5th workshop on business process intelligence (Vol. 9, pp. 182–193).
  5. Awad, A., Decker, G., & Weske, M. (2008). Efficient compliance checking using BPMN-Q and temporal logic. In BPM, LNCS (pp. 326–341). Springer.
  6. Awad, A., Weidlich, M., & Weske, M. (2011). Visually specifying compliance rules and explaining their violations for business processes. Journal of Visual Languages & Computing, 22(1), 30–55.
  7. Becker, J., Delfmann, P., Eggert, M., & Schwittay, S. (2012). Generalizability and applicability of model-based business process compliance-checking approaches – a state-of-the-art analysis and research Roadmap. BuR - Business Research Journal, 5(2), 221–247.
  8. Bonatti, P.A., Shahmehri, N., Duma, C., Olmedilla, D., Nejdl, W., Baldoni, M., Baroglio, C., Martelli, A., Coraggio, P., Antoniou, G., Peer, J., & Fuchs, N.E. (2004). Rule-based policy specification: state of the art and future work. REWERSE Project Report-i2-D1.
  9. Cabanillas, C., Resinas, M., & Ruiz-Cortes, A. (2010). Hints on how to face business process compliance. In III Taller de Procesos de Negocio e Ingenieria de Servicios PNIS10 in JISBD10 (Vol. 4, pp. 26–32).
  10. Colombo Tosatto, S., Governatori, G., & Kelsen, P. (2014). Business process regulatory compliance is hard. IEEE Transactions on Services Computing PP(99), 1–1. doi: 10.1109/TSC.2014.2341236.
  11. COMPAS (2008). Compliance driven models, languages, and architectures for services. In 7th framework programme for ICT.
  12. Daniel, F., Casati, F., D’Andrea, V., Mulo, E., Zdun, U., Dustdar, S., Strauch, S., Schumm, D., Leymann, F., Sebahi, S., de Marchi, F., & Hacid, M.S. (2009). Business compliance governance in service-oriented architectures. In International conference on advanced information networking and applications, 2009. AINA ’09 (pp. 113–120).
  13. DECLARE (2010). Declarative process models. http://www.win.tue.nl/declare/.
  14. Dijkman, R.M., Dumas, M., & Ouyang, C. (2008). Semantics and analysis of business process models in BPMN. Information and Software Technology, 50(12), 1281–1294.
  15. El Kharbili, M. (2012). Business process regulatory compliance management solution frameworks: a comparative evaluation. In APCCM 2012, CRPIT (Vol. 130, pp. 23–32).
  16. Elgammal, A., Turetken, O., Heuvel, W.J., & Papazoglou, M. (2010). Root-cause analysis of design-time compliance violations on the basis of property patterns. In P. Maglio, M. Weske, J. Yang, & M. Fantinato (Eds.), Service-oriented computing, lecture notes in computer science (Vol. 6470, pp. 17–31). Berlin Heidelberg: Springer. doi: 10.1007/978-3-642-17358-5_2.
  17. Elgammal, A., Turetken, O., van den Heuvel, W.J., & Papazoglou, M. (2011). On the formal specification of regulatory compliance: a comparative analysis. In Proceedings of ICSOC’10 (pp. 27–38).
  18. Elgammal, A., Oktay, T., & Heuvel, W.J. (2012). Using patterns for the analysis and resolution of compliance violations. International Journal of Cooperative Information Systems, 21(31). doi: 10.1142/S0218843012400023.
  19. Elgammal, A., Turetken, O., van den Heuvel, W.J., & Papazoglou, M. (2014). Formalizing and applying compliance patterns for business process compliance. Software & Systems Modeling, 1–28. doi: 10.1007/s10270-014-0395-3.
  20. Fellmann, M., & Zasada, A. (2014). State-of-the-art of business process compliance approaches. In 22nd European conference on information systems, ECIS 2014, Tel Aviv, Israel, June 9-11, 2014. http://aisel.aisnet.org/ecis2014/proceedings/track06/8.
  21. Gambini, M., Rosa, M., Migliorini, S., & Hofstede, A.H.M. (2011). Automated error correction of business process models. In S. Rinderle-Ma, F. Toumani, & K. Wolf (Eds.), Business process management, LNCS (Vol. 6896, pp. 148–165). Berlin Heidelberg: Springer.
  22. Ghose, A., & Koliadis, G. (2007). Auditing business process compliance. In B. Krämer, K.J. Lin, & P. Narasimhan (Eds.), Service-oriented computing (ICSOC 2007), LNCS (Vol. 4749, pp. 169–180). New York: Springer. doi: 10.1007/978-3-540-74974-5_14.
  23. Goedertier, S., & Vanthienen, J. (2006). Designing compliant business processes with obligations and permissions. In J. Eder & S. Dustdar (Eds.), Business process management workshops, lecture notes in computer science (Vol. 4103, pp. 5–14). Berlin Heidelberg: Springer. doi: 10.1007/11837862_2.
  24. Gordon, T.F., Governatori, G., & Rotolo, A. (2009). Rules and norms: requirements for rule interchange languages in the legal domain. In RuleML 2009, LNCS (Vol. 5858, pp. 282–296). Springer.
  25. Governatori, G. (2005). Representing business contracts in RuleML. International Journal of Cooperative Information Systems, 14(2-3), 181–216. doi: 10.1142/S0218843005001092.
  26. Governatori, G. (2015). Thou Shalt is not you will. In Proceedings of the 15th international conference on artificial intelligence and law (ICAIL 2015). ACM. doi: 10.1145/2746090.2746105.
  27. Governatori, G., & Rotolo, A. (2010a). A conceptually rich model of business process compliance. In Proceedings of APCCM ’10 (Vol. 110, pp. 3–12).
  28. Governatori, G., & Rotolo, A. (2010b). Norm compliance in business process modeling. In RuleML 2010: 4th international web rule symposium (pp. 194–209). Springer. doi: 10.1007/978-3-642-16289-3_17.
  29. Governatori, G., & Sadiq, S. (2009). The journey to business process compliance. In Handbook of research on business process management, IGI Global (pp. 426–454).
  30. Governatori, G., Hoffmann, J., Sadiq, S.W., & Weber, I. (2008). Detecting regulatory compliance for business process models through semantic annotations. In Business process management workshops’08 (pp. 5–17).
  31. Hashmi, M., & Governatori, G. (2013). A methodological evaluation of business process compliance management frameworks. In M. Song, M. Wynn, & J. Liu (Eds.), Asia pacific business process management, LNBIP (Vol. 159, pp. 106–115). Switzerland: Springer.
  32. Hashmi, M., Governatori, G., & Wynn, M.T. (2012). Business process data compliance. In Rules on the web: research and applications - 6th international symposium, RuleML 2012, Montpellier, France, August 27-29, 2012. Proceedings (pp. 32–46). doi: 10.1007/978-3-642-32689-9_4.
  33. Hashmi, M., Governatori, G., & Wynn, M.T. (2013). Normative requirements for business process compliance. In Service research and innovation - third Australian Symposium, ASSRI 2013, Sydney, NSW, Australia, November 27-29, 2013, revised selected papers (pp. 100–116). doi: 10.1007/978-3-319-07950-9_8.
  34. Hashmi, M., Governatori, G., & Wynn, M.T. (2014). Modeling obligations with event-calculus. In Rules on the web. From theory to applications - 8th International Symposium, RuleML 2014, Prague, Czech Republic, August 18-20, 2014. Proceedings (pp. 296–310). doi: 10.1007/978-3-319-09870-8_22.
  35. Hee, K., Hidders, J., Houben, G.J., Paredaens, J., & Thiran, P. (2010). On-the-fly auditing of business processes. In K. Jensen, S. Donatelli, & M. Koutny (Eds.), Transactions on Petri nets and other models of concurrency IV, LNCS (Vol. 6550, pp. 144–173). New York: Springer.
  36. Herrestad, H. (1991). Norms and formalization. In ICAIL’91, ACM (pp. 175–184). doi: 10.1145/112646.112667.
  37. Hinge, K., Ghose, A., & Koliadis, G. (2009). Process SEER: A Tool for Semantic Effect Annotation of Business Process Models. In EDOC ’09. IEEE international (pp. 54–63). doi: 10.1109/EDOC.2009.24.
  38. Hoffmann, J., Weber, I., & Governatori, G. (2012). On compliance checking for clausal constraints in annotated process models. Information Systems Frontiers, 14(2), 155–177.
  39. Jiang, J., Dignum, V., Aldewereld, H., Dignum, F., & Tan, Y.H. (2013). Norm compliance checking. In Proceedings of the 2013 international conference on autonomous agents and multi-agent systems, international foundation for autonomous agents and multiagent systems, Richland, SC, AAMAS ’13 (pp. 1121–1122). http://dl.acm.org/citation.cfm?id=2484920.2485101.
  40. Jiang, J., Aldewereld, H., Dignum, V., Wang, S., & Baida, Z. (2014). Regulatory Compliance Of Business Processes. AI & SOCIETY (pp. 1–10). doi: 10.1007/s00146-014-0536-9.
  41. Kiepuszewski, B., ter Hofstede, A.H.M., & Bussler, C. (2000). On structured workflow modeling. In Proceedings of the 12th international conference on advanced information systems engineering, CAiSE ’00 (pp. 431–445). London: Springer.
  42. Letia, I.A., & Groza, A. (2013). Compliance checking of integrated business processes. Data & Knowledge Engineering, 87(0), 1–18. doi: 10.1016/j.datak.2013.03.002.
  43. Ly, L.T., Knuplesch, D., Rinderle-Ma, S., Goeser, K., Reichert, M., & Dadam, P. (2010). SeaFlows toolset - compliance verification Made Easy. In CAiSE’10 Demos.
  44. Ly, L.T., Rinderle-Ma, S., Göser, K., & Dadam, P. (2012). On enabling integrated process compliance with semantic constraints in process management systems. Information Systems Frontiers, 14(2), 195–219.
  45. Ly, L.T., Maggi, F.M., Montali, M., Rinderle, S., & van der Aalst, W. (2013). A framework for the systematic comparison and evaluation of compliance monitoring approaches. In Proceeding of EDOC.
  46. Maggi, F., Montali, M., Westergaard, M., & van der Aalst, W. (2011). Monitoring business constraints with linear temporal logic: an approach based on coloured automata. In BPM, LNCS 6896 (pp. 132–147). Springer.
  47. Mulo, E., Zdun, U., & Dustdar, S. (2013). Domain-specific language for event-based compliance monitoring in process-driven soas. Service Oriented Computing and Applications, 7(1), 59–73. doi: 10.1007/s11761-012-0121-3.
  48. Murata, T. (1989). Petri nets: properties, analysis and applications. Proceedings of the IEEE, 77(4), 541–580.
  49. Orriëns, B., Yang, J., & Papazoglou, M.P. (2003). A framework for business rule driven service composition. In B. Benatallah, & M.-C. Shan (Eds.), Technologies for e-services, lecture notes in computer science (Vol. 2819, pp. 14–27). Berlin Heidelberg: Springer. doi: 10.1007/978-3-540-39406-8_2.
  50. Ouyang, C., Dumas, M., Breutel, S., & ter Hofstede, A.H.M. (2006). Translating Standard Process Models to BPEL. In CAiSE (pp. 417–432).
  51. Ouyang, C., Dumas, M., van der Aalst, W.M.P., ter Hofstede, A.H.M., & Mendling, J. (2009). From business process models to process-oriented software systems. ACM Trans Softw Eng Methodol, 19(1).
  52. Pesic, M., & van der Aalst, W.M.P. (2006). A declarative approach for flexible business processes management. In J. Eder, & S. Dustdar (Eds.), Business process management workshops, lecture notes in computer science (Vol. 4103, pp. 169–180). Berlin Heidelberg: Springer. doi: 10.1007/11837862_18.
  53. Ramezani, E., Fahland, D., van der Werf, J., & Mattheis, P. (2012). Separating compliance management and business process management. In F. Daniel, K. Barkaoui, & S. Dustdar (Eds.), Business process management workshops, lecture notes in business information processing (Vol. 100, pp. 459–464). Berlin Heidelberg: Springer. doi: 10.1007/978-3-642-28115-0_43.
  54. Ramezani, E., Fahland, D., van Dongen, B.F., & van der Aalst, W.M.P. (2013). Diagnostic information for compliance checking of temporal compliance requirements. In CAiSE (pp. 304–320).
  55. Rodríguez, C., Schleicher, D., Daniel, F., Casati, F., Leymann, F., & Wagner, S. (2013). Soa-enabled compliance management: instrumenting, assessing, and analyzing service-based business processes. Service Oriented Computing and Applications, 7(4), 275–292. doi: 10.1007/s11761-013-0129-3.
  56. Sadiq, S., Governatori, G., & Namiri, K. (2007). Modeling control objectives for business process compliance. In Proceedings of BPM’07 (pp. 149–164). Springer. http://portal.acm.org/citation.cfm?id=1793114.1793130.
  57. Sartor, G. (2005). Legal reasoning: a cognitive approach to the law. Springer.
  58. Turki, S., & Bjekovic-Obradovic, M. (2010). Compliance in e-government service engineering: state-of-the-art. In Exploring services science, LNBIP (pp. 270–275). Springer.
  59. van der Aalst, W.M.P. (1998). The Application of Petri Nets to Workflow Management. Journal of Circuits, Systems, and Computers, 8(1), 21–66.
  60. van der Aalst, W.M.P. (2000). Workflow verification: finding control-flow errors using petri-net-based techniques. In W.M.P. van der Aalst, J. Desel, & A. Oberweis (Eds.), Business process management: models, techniques, and empirical studies.
  61. van der Aalst, W., Adriansyah, A., & van Dongen, B. (2012). Replaying history on process models for conformance checking and performance analysis. Wiley Int Rev Data Min and Knowl Disc, 2(2), 182–192.
  62. Weigand, H., van den Heuvel, W.J., & Hiel, M. (2011). Business policy compliance in service-oriented systems. Information Systems, 36(4), 791–807.
  63. Wen, L., Wang, J., van der Aalst, W.M., Huang, B., & Sun, J. (2010). Mining process models with prime invisible tasks. Data & Knowledge Engineering, 69(10), 999–1021.

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Mustafa Hashmi (1)
  • Guido Governatori (1)
  • Moe Thandar Wynn (2)

  1. NICTA Queensland, Brisbane, Australia
  2. Queensland University of Technology (QUT), Brisbane, Australia
