Abstract
The ever-increasing obligations of regulatory compliance are presenting a new breed of challenges for organizations across several industry sectors. Aligning control objectives that stem from regulations and legislation with business objectives devised for improved business performance is a foremost challenge. The organizational as well as IT structures for the two classes of objectives are often distinct and potentially in conflict. In this chapter, we present an overarching methodology for aligning business and control objectives. The various phases of the methodology are then used as a basis for discussing state-of-the-art in compliance management. Contributions from research and academia as well as industry solutions are discussed. The chapter concludes with a discussion on the role of BPM as a driver for regulatory compliance and a presentation of open questions and challenges.
Notes
1. “The AML/CTF Act is a principles-based piece of legislation. It sets out broad obligations which reporting entities and others affected by the legislation must meet, but leaves the methods of meeting those obligations to be decided by those on whom the obligations fall.” (AUSTRAC 2006)
2. “Internal control is broadly defined as a process effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.” (COSO 1994)
3. Note that obligations allow us to capture prohibitions: a prohibition is an obligation plus negation. For example, the prohibition to smoke can be understood as the obligation not to smoke.
4. For more information about BPCC see http://www.nicta.com.au/research/projects/bpc
References
Abdullah NS, Indulska M, Sadiq S (2009) A study of compliance management in information systems research. In: The 17th European conference on information systems. European conference on information systems, Verona, Italy, pp 1–10
Abdullah NS, Indulska M, Sadiq S (2010) Emerging challenges in information systems research for regulatory compliance management. In: Pernici B (ed) Advanced information systems engineering: Proceedings of the 22nd international conference, CAiSE 2010, Hammamet, 7–9 June 2010, pp 251–265
Abdullah NS, Indulska M, Sadiq S (2012) A compliance management ontology: developing shared understanding through models. In: Advanced information systems engineering, Springer, Berlin/Heidelberg, pp 429–444
Agrawal R, Johnson C, Kiernan J, Leymann F (2006) Taming compliance with sarbanes-oxley internal controls using database technology. In: Proceedings of the 22nd international conference on data engineering, IEEE Computer Society, Atlanta, Georgia, USA
Alberti M, Chesani F, Gavanelli M, Lamma E, Mello P, Torroni P (2006) Compliance verification of agent interaction: a logic based tool. Appl Artif Intell 20(2–4):133–157
Antoniou G, Billington D, Governatori G, Maher MJ (2001) Representation results for defeasible logic. ACM Trans Comput Log 2(2):255–287
ASX (2006) Australian securities exchange principles of good governance, recommendation 7.1, Nov 2006. www.asx.gov.au. Accessed 1 June 2008
AUSTRAC (2006) Australian transaction reports and analysis centre supervisory framework. www.austrac.gov.au/files/supervisory_framework.pdf. Accessed 1 June 2008
BPM Forum (2006) CEE: the future. Building the compliance enabled enterprise. Report produced by global fluency in partnership with: AXS-One, chief executive magazine and IT compliance institute
Caldwell F, Eid T (2008) Magic quadrant for enterprise governance, risk and compliance platforms. ID. G00158295, Gartner Research, June 2008
Carmo J, Jones AJ (2002) Deontic logic and contrary to duties. In: Gabbay D, Guenther F (eds) Handbook of philosophical logic, vol 8, 2nd edn. Springer, Dordrecht, pp 265–343
Cheng R, Sadiq S, Indulska M (2011) Framework for business process and rule integration: a case of BPMN and SBVR. In: BIS 2011, Poznan, Poland, pp 13–24
Conforti R, Fortino G, La Rosa M, ter Hofstede AHM (2011) A history-aware real-time risk detection in business processes. In: Meersman R et al (eds) On the move to meaningful internet systems: OTM 2011, Part I, Lecture Notes in Computer Science, vol 7044. Springer, pp 100–118
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1994) Internal control – integrated framework. Committee of Sponsoring Organizations of the Treadway Commission, New York. www.coso.org
Desai N, Mallya AU, Chopra AK, Singh MP (2005) Interaction protocols as design abstractions for business processes. IEEE Trans Softw Eng 31(12):1015–1027
Desai N, Nanjangud NC, Singh MP (2008) Checking correctness of business contracts via commitments. In: Padgham L, Parkes DC, Müller J, Parsons S (eds) Proceedings of 7th international conference on autonomous agents and multiagent systems (AAMAS2008), Estoril, 12–16 May 2008
Elgammal A, Türetken O, van den Heuvel W-J (2012) Using patterns for the analysis and resolution of compliance violations. Int J Coop Info Syst 21(1):31–54
Farrell ADH, Sergot MJ, Sallé M, Bartolini C (2005) Using the event-calculus for tracking the normative state in contracts. Int J Coop Info Syst 14(2–3):99–129
Giblin C, Muller S, Pfitzmann B (2006) From regulatory policies to event monitoring rules: towards model driven compliance automation. IBM research report. Zurich Research Laboratory, Zurich, Switzerland
Goedertier S, Vanthienen J (2006) Designing compliant business processes with obligations and permissions. In: Eder J, Dustdar S et al (eds) Proceedings of workshop on business process design, LNCS, vol 4103, Springer, Vienna, pp 5–14
Gordon TF, Governatori G, Rotolo A (2009) Rules and norms: requirements for rule interchange languages in the legal domain. In: Governatori G, Hall J, Paschke A (eds) Rule representation, interchange and reasoning on the web (RuleML 2009), LNCS, vol 5858, Springer, pp 282–296
Governatori G (2005) Representing business contracts in RuleML. Int J Coop Info Syst 14(2–3):181–216
Governatori G, Milosevic Z (2006) A formal analysis of a business contract language. Int J Coop Info Syst 15(4):659–685
Governatori G, Rotolo A (2006) Logic of violations: a gentzen system for reasoning on contrary-to-duty obligations. Austr J Logic 4:193–215
Governatori G, Rotolo A (2008) An algorithm for business process compliance. In: Francesconi E, Sartor G, Tiscornia D (eds) Legal knowledge and information systems, IOS Press, Florence, Italy, pp 186–191
Governatori G, Rotolo A (2010) A conceptually rich model of business process compliance. In: Link S, Ghose A (eds) 7th Asia-Pacific conference on conceptual modelling (APCCM 2010), ACS, Brisbane, Australia, pp 3–12
Governatori G, Sadiq S (2009) The journey to business process compliance. In: Cardoso J, van der Aalst W (eds) Handbook of research on BPM. IGI Global, Hershey, pp 426–454
Governatori G, Shek S (2012) Rule based business process compliance. In: Proceedings of the RuleML2012@ECAI challenge, CEUR workshop proceedings 874, Montpellier, France, article 5
Governatori G, Hoffmann J, Sadiq S, Weber I (2008) Detecting regulatory compliance for business process models through semantic annotations. In: 4th international workshop on business process design (BPD’08). In conjunction with the 6th international conference on business process management, Milan, pp 1–4
Hagerty J, Hackbush J, Gaughan D, Jacobson S (2008) The governance, risk management, and compliance spending report, 2008–2009: inside the $32B GRC market, AMR Research, Boston, 25 Mar 2008
Hashmi M, Governatori G, Wynn MT (2012) Business process data compliance. In: Bikakis A, Giurca A (eds) 6th international symposium on rules on the web: research and applications (RuleML 2012), LNCS, vol 7438, Springer, pp 32–46
Herrestad H (1991) Norms and formalization. In: Proceedings of ICAIL 1991, ACM, New York, pp 175–184
KPMG Advisory (2005) The compliance journey: balancing risk and controls with business improvement, KPMG Australia
Kuster J, Ryndina K, Gall H (2007) Generation of business process models for object life cycle. In: Proceedings of the 5th international conference on business process management, Springer, Brisbane, pp 165–180
Lam H-P, Governatori G (2009) The making of SPINdle. In: Governatori G, Hall J, Paschke A (eds) Rule representation, interchange and reasoning on the web (RuleML 2009), LNCS, vol 5858, Springer, Las Vegas, Nevada, USA, pp 315–322
Liu Y, Muller S, Xu K (2007) A static compliance checking framework for business process models. IBM Syst J 46:335–361
Lu R, Sadiq S, Governatori G (2008) Compliance aware business process design. In: Third international workshop on business process design (BPD’07), in conjunction with the 5th international conference on business process management, Brisbane, 24–28 Sept 2007, LNCS, vol 4928. Springer, Berlin, pp 120–131
Ly LT, Rinderle-Ma S, Göser K, Dadam P (2012) On enabling integrated process compliance with semantic constraints in process management systems – requirements, challenges, solutions. Info Syst Front 14(2):195–219
Maggi F, Montali M, Westergaard M, van der Aalst W (2011) Monitoring business constraints with linear temporal logic: an approach based on colored automata. In: BPM 2011, LNCS, vol 6896, Springer, pp 132–147
Neiger D, Churilov L, zur Mühlen M, Rosemann M (2006) Integrating risks in business process models with value focused process engineering. In: Proceedings of the 2006 European conference on information systems (ECIS 2006), Goteborg, 12–14 June 2006
Padmanabhan V, Governatori G, Sadiq S, Colomb R, Rotolo A (2006) Process modeling: the deontic way. In: Stumptner M, Hartmann S, Kiyoki Y (eds) Asia-Pacific conference on conceptual modelling, CRPIT, vol 53, Hobart, Tasmania, Australia, pp 75–84
Pesic M, van der Aalst WMP (2006) A declarative approach for flexible business processes. In: Eder J, Dustdar S (eds) Business process management workshops, workshop on dynamic process management (DPM 2006), Lecture notes in computer science, vol 4103. Springer, Berlin, pp 169–180
Rosemann M, vom Brocke J (2014) The six core elements of business process management. In: vom Brocke J, Rosemann M (eds) Handbook on business process management, vol 1, 2nd edn. Springer, Heidelberg, pp 105–122
Sadiq S, Sadiq W, Orlowska M (2005) A framework for constraint specification and validation in flexible workflows. Info Syst 30(5):349–378
Sadiq S, Governatori G, Namiri K (2007) Modeling control objectives for business process compliance. In: Proceedings of the 5th international conference on business process management, Springer, Brisbane, pp 149–164
Sartor G (2005) Legal reasoning: a cognitive approach to the law. Springer, Berlin
van der Aalst WMP, van Dongen BF, Herbst J, Maruster L, Schimm G, Weijters AJMM (2003) Workflow mining: a survey of issues and approaches. Data Knowl Eng 47:237–267
van Dongen BF, de Medeiros AKA, Verbeek HMW, Weijters AJMM, van der Aalst WMP (2005) The ProM Framework: a new era in process mining tool support. In: Proceedings of 26th international conference applications and theory of Petri nets, Springer, Miami, pp 444–454
zur Mühlen M, Rosemann M (2005) Integrating risks in business process models. In: Proceedings of 16th Australasian conference on information systems, Sydney
zur Mühlen M, Indulska M, Kamp G (2007) Business process and business rule modelling languages for compliance management: a representational analysis. In: 26th international conference on conceptual modelling (ER 2007) – tutorials, posters, panels and industrial contributions, Auckland
Acknowledgment
NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
Cite this chapter
Sadiq, S., Governatori, G. (2015). Managing Regulatory Compliance in Business Processes. In: vom Brocke, J., Rosemann, M. (eds) Handbook on Business Process Management 2. International Handbooks on Information Systems. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45103-4_11
DOI: https://doi.org/10.1007/978-3-642-45103-4_11
Publisher: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45102-7
Online ISBN: 978-3-642-45103-4