An Universal Approach for Compliance Management Using Compliance Descriptors

  • Falko Koetter
  • Maximilien Kintz
  • Monika Kochanowski
  • Thatchanok Wiriyarattanakul
  • Christoph Fehling
  • Philipp Gildein
  • Sebastian Wagner
  • Frank Leymann
  • Anette Weisbecker
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 740)


Trends like outsourcing and cloud computing have led to a distribution of business processes among different IT systems and organizations. Still, businesses need to ensure that these distributed processes comply with laws and regulations. This need gave way to many new solutions for compliance management and checking. Compliance requirements arise from legal documents and are implemented in all parts of enterprise IT, creating a business IT gap between legal texts and software implementation. Compliance solutions must bridge this gap as well as support a wide variety of compliance requirements. To achieve these goals, we developed an integrating compliance descriptor for compliance modeling on the legal, requirement and technical level, incorporating arbitrary rule languages for specific types of requirements. Using a modeled descriptor, a compliance checking architecture can be configured, including specific rule checking implementations. The graphical notation of the compliance descriptor and the formalism it is based on are described and evaluated using a prototype as well as expert interviews. Based on evaluation results, an extension for compliance management in unstructured processes is outlined.


Business process management; Compliance modeling; Model-driven architecture; Business process compliance; Process mining



The work published in this article was funded by the Co.M.B. project of the Deutsche Forschungsgemeinschaft (DFG) under the promotional reference SP 448/27-1.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Falko Koetter (1)
  • Maximilien Kintz (1)
  • Monika Kochanowski (1)
  • Thatchanok Wiriyarattanakul (1)
  • Christoph Fehling (2)
  • Philipp Gildein (2)
  • Sebastian Wagner (2)
  • Frank Leymann (2)
  • Anette Weisbecker (1)

  1. University of Stuttgart IAT and Fraunhofer IAO, Stuttgart, Germany
  2. University of Stuttgart IAAS, Stuttgart, Germany
