ICAIL 2009 Tutorial
Business Process Compliance
12th June 2009
in conjunction with
Twelfth International Conference on Artificial Intelligence and Law
Institute of Law and Technology, Autonomous University of Barcelona
Barcelona, Spain
Motivation and Background
Recent high-profile corporate scandals such as Enron (USA) and HIH (Australia) have created unprecedented pressures on compliance and risk management for practically all industry sectors, but particularly in financial services. Despite mandated deadlines, there is evidence that many organizations are still struggling with their compliance initiatives. Compliance essentially means ensuring that business processes, operations and practice are in accordance with a prescribed and/or agreed set of norms. Compliance requirements may stem from legislation and regulatory bodies (e.g. Sarbanes-Oxley, Basel II, HIPAA), from standards and codes of practice (e.g. SCOR, ISO 9000) and from business partner contracts.
Compliance directives are complex, often vague, and require interpretation. Frequently written in legalese, these mandates need to be translated by experts in order to relate them to organizational contexts. A business will typically deal with a number of regulations and standards at one time, and these may have overlapping and even conflicting requirements.
Compliance is typically managed in conjunction with risk assessment, and is predominantly viewed as a burden, although there are indications that businesses have started to see the regulations as an opportunity to improve their business processes and operations. Industry reports (BPM Forum, 2006) indicate that up to 80% of companies expected to reap business benefits from improving their compliance regimens. In general, a compliance regimen must include three interrelated but distinct perspectives on compliance: corrective, detective and preventative procedures, which together form a holistic approach to compliance management. Corrective measures can be undertaken for a number of reasons, ranging from the introduction of a new regulation, to breach reporting, to the organization coming under surveillance and scrutiny by a control authority, or in the worst case an enforceable undertaking. Corrective measures undertaken proactively position the organization favorably with regulators or other control authorities. Detective measures are typically based on reporting and traditional audits conducted for after-the-fact detection, often through manual checks.
Recent tools provide some level of automation: the proposed solutions hook into a variety of enterprise system components (e.g. SAP HR, LDAP directories, groupware) and generate audit reports against hard-coded checks performed on the respective system. Business intelligence (BI) and related technologies complement this activity. However, this approach still resides in the space of after-the-fact detection, although assessment time is reduced and, correspondingly, the time to remediation and/or mitigation of control deficiencies improves. This improvement is much sought after, as is evident from the heavy investment in compliance software during the last few years (Hagerty, 2006). A major issue with both approaches (to varying degrees) is the lack of sustainability. Even with an automated detection facility, the repositories of hard-coded checks can quickly grow out of control, making them difficult to evolve and maintain as legislation and compliance requirements change. In addition to external pressures, there is often an internal push towards quality-of-service initiatives for process improvement, which have similar requirements. The situation is further complicated by the presence of dynamically changing collaborative processes shared with business partners. The diversity, scale and complexity of compliance requirements warrant a highly systematic and well-grounded approach.
A sustainable approach to achieving compliance should have a fundamentally preventative focus, thus achieving compliance by design. Business process management (BPM) platforms may provide an ideal vehicle for such a model-driven approach. However, research indicates that dealing with compliance may be a rather distinct activity within organizational structures from business process management (Sadiq, Governatori, & Namiri, 2007). Historically, business process design has been driven by business objectives, specifically process improvement, whereas compliance is driven by control objectives. The sources of the two kinds of objectives are distinct, both from an ownership and governance perspective and from a timeline perspective: whereas businesses can be expected to have some form of business objectives, control objectives are dictated mostly by external sources and at different times. Furthermore, there is a likelihood of conflicts, inconsistencies and redundancies between the two, and hence their intersection needs to be carefully studied.
Structure of the Tutorial
The tutorial consists of three parts, each focusing on a particular aspect of the compliance workspace. The main theme of the first part is to establish a holistic ecosystem for compliance. In order to develop a successful framework for compliance of business processes, the right combination of process modelling languages and business rule modelling languages must be used. Accordingly, the second part of the tutorial focuses on the current state of the art in business rule modelling and identifies strengths and limitations of the current standards and languages. The third and final part presents frameworks that overcome some of the major limitations of the approaches discussed in the second part and concentrates on a system for (formal) modelling and monitoring of compliance.
1 - BPM as a Driver for Regulatory Compliance (Marta Indulska)
The ever-increasing obligations of regulatory compliance are presenting a new breed of challenges for organizations across several industry sectors. Aligning control objectives, which stem from regulations and legislation, with business objectives, which are devised for improved business performance, is a foremost challenge. The organizational as well as IT structures for the two classes of objectives are often distinct and potentially in conflict. In this part, we present an overarching methodology for aligning business and control objectives. The phases of the methodology are then used as a basis for discussing the state of the art in compliance management.
2 - Languages for Compliance (Michael zur Muehlen)
Process modeling languages and business rule modeling languages are candidates for the documentation of organizational policies and procedures. While both types of languages are currently used to document organizational practices, little work has been done to understand their synergies and overlap. Accordingly, the aim of this part of the tutorial is to present and discuss strengths and weaknesses of both types of languages. In particular, we will focus on four business rule specifications: the Simple Rule Markup Language (SRML), the Semantic Web Rule Language (SWRL), the Production Rule Representation (PRR) and the Semantics of Business Vocabulary and Business Rules (SBVR) specification.
3 - Modelling and Monitoring Compliance (Guido Governatori)
It is a typical scenario that organisations specify their business processes independently of the relevant normative specifications. This is partly because of the lack of guidelines and tools that facilitate the derivation of processes from normative specifications, but also because of the traditional mindset of treating contracts separately from business processes. In this part we provide a solution to one specific problem that arises from this situation, namely the lack of mechanisms to check whether business processes are compliant with business contracts. The central aspect of this part of the tutorial is a logic-based formalism for describing both the semantics of contracts and the semantics of compliance checking procedures. We will also discuss frameworks to monitor the performance of processes against a set of normative specifications.
Presenters
Guido Governatori
Guido’s main research interest is in models of normative reasoning and their applications, in particular to the representation and monitoring of e-contracts.
Marta Indulska
Marta is a Senior Lecturer at the UQ Business School, The University of Queensland. She obtained her PhD in Computer Science at the University of Queensland in 2004. Marta’s main research interests lie in the domains of conceptual modeling, Business Process Management, and Compliance Management. In particular, her current research interests focus on the representation of business rules and the analysis and improvement of process modeling techniques. Her work has appeared in journals such as IEEE Transactions on Knowledge & Data Engineering, Information Systems, Decision Support Systems, and Data & Knowledge Engineering.
Michael zur Muehlen
Michael zur Muehlen directs the Center of Excellence in Business Process Innovation at Stevens Institute of Technology and is responsible for Stevens’ graduate and executive education programs in Business Process Management and Service Innovation. He has over 15 years of experience in the field of process management and workflow automation, and has led numerous process improvement and design projects in the private and public sector both in Germany and the US. Michael actively participates in BPM standardization efforts and in 2004 was named a fellow of the Workflow Management Coalition, where he chairs the working group “Management and Audit”. His research focuses on the practical use of process modeling standards, techniques to manage operational risks in business processes, and the integration of business processes and business rules.