Compliance Management is Becoming a Major Issue in IS Design

  • R. Bonazzi
  • L. Hussami
  • Y. Pigneur


This article aims at improving information systems management support for the Risk and Compliance Management process, i.e. the management of all compliance imperatives that affect an organization, including both legal imperatives and strategically self-imposed ones. We propose a process for achieving such regulatory compliance by aligning Governance activities with Risk Management activities, and we suggest that Compliance should be treated as a requirement for the Risk Management platform. We propose a framework for aligning legal and IT compliance requirements and use it to highlight possible directions of investigation, which are summarized in our discussion section. This work is based on an extensive review of the existing literature and on the results of a four-month internship within the IT compliance team of a major financial institution in Switzerland, which has legal entities located in different countries.


Keywords: Business Process; Information System; Compliance Requirement; Organizational Infrastructure; Compliance Management

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Physica-Verlag Heidelberg 2009

Authors and Affiliations

  1. HEC Lausanne, Lausanne, Switzerland
