nach oben

Artificial Intelligence and Law

Erschienen in:

20.09.2017

Norms modeling constructs of business process compliance management frameworks: a conceptual evaluation

verfasst von: Mustafa Hashmi, Guido Governatori

Erschienen in: Artificial Intelligence and Law | Ausgabe 3/2018

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The effectiveness of a compliance management framework (CMF) can be guaranteed only if the framework is based on sound conceptual and formal foundations. In particular, the formal language used in the CMF is able to expressively represent the specifications of normative requirements (hereafter, norms) that impose constraints on various activities of a business process. However, if the language used lacks expressiveness and the modelling constructs proposed in the CMF are not able to properly represent different types of norms, it can significantly impede the reliability of the compliance results produced by the CMF. This paper investigates whether existing CMFs are able to provide reasoning and modeling support for various types of normative requirements by evaluating the conceptual foundations of the modeling constructs that existing CMFs use to represent a specific type of norm. The evaluation results portray somewhat a bleak picture of the state-of-the-affairs when it comes to represent norms as none of the existing CMFs is able to provide a comprehensive reasoning and modeling support. Also, it points to the shortcomings of the CMFs and emphasises exigent need of new modeling languages with sound theoretical and formal foundations for representing legal norms.

Vorheriger Artikel Dynamic epistemic logic of belief change in legal judgments

Nächster Artikel Eveline T. Feteris: Fundamentals of legal argumentation

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Similarly, a CMF can have several modules and features that might have impact on the effectiveness of the CMF. In this paper, we concentrate only on their ability to correctly represent the legal requirements. If a CMF is not able to properly represent some types of requirements, then human intervention is needed to rectify such situations. This means that, potentially, compliance professionals have to check every single assessment done by the CMF, and nullifying thus the gain in efficiency of using automated support tools for compliance checking.

Notice that, there might be several other works that have been published but do not received enough citations at the time of writing of this paper. We only consider CMFs based on Google Scholar citations between December 2013 and February 2017.

Notice that, a prohibition is also called negative obligation, i.e., obligation not. Hence, whenever we consider obligation, we also include prohibitions (see Hashmi et al. 2014, for details).

A timeline can be infinite and isomorphic to the set of natural numbers. For our analysis; however, we can restrict to a set of natural numbers in case of a finite timeline (Hashmi et al. 2014).

Notice that, all types of obligations have their own deadline (which is the end point of the interval in which an obligation is in force). The deadline can be used to indicate whether the obligation has been violated or not. Perdurant is a special case of obligation, which should have an explicit deadline which does not coincide with the end of the period when the obligation is in force.

For an obligation to be compensable a number of requirements must be followed, see formal definitions of Compensable and compensation for details on the \({ Comp }(o)\) function (Hashmi et al. 2016).

http://www.yawlfoundation.org/files/YAWLDeedOfAssignmentTemplate.pdf, retrieved on March 28, 2013.

A detailed evaluation of semantic properties, and the reasons why EC is not capable of providing a full reasoning and modeling support for all types of obligation, are discussed in (Hashmi et al. 2014).

COMPAS is an EU projects for Compliance-driven Models, Languages and Architectures for Services: http://www.compas-cit.eu.

The BoundedExists pattern can be useful for achievement, only if such conditions are prescribed by the norm. However, in every instance, an obligation can have independent conditions associated with it, with different objectives.

The brackets determine the relative strength of the exception, where [[ ]] indicates strong exception and [ ] represents weak exception respectively.

In Nov 2012, the name of the ConDec language was changed to Declare, see http://www.win.tue.nl/declare/2011/11/declare-renaming/.

ProM Tools: http://www.promtools.org/doku.php.

This is not an exhaustive list of the BPMN-Q patterns, see (Awad et al. 2011) for a detailed list.

Abdullah NS, Sadiq S, Indulska M (2010) Emerging challenges in information systems research for regulatory compliance management. In: Proceedings of the 22nd international conference on advanced information systems engineering. CAiSE’10. Springer, pp 251–265

Allaire M, Governatori G (2014) On the equivalence of defeasible deontic logic and temporal defeasible logic. In: Dam H, Pitt J, Xu Y, Governatori G, Ito T (eds) PRIMA 2014: principles and practice of multi-agent systems, vol 8861. LNCS. Springer, pp 74–90. doi:10.1007/978-3-319-13191-7_7

Antoniou G, Billington D, Governatori G, Maher MJ (2001) Representation results for defeasible logic. ACM Trans Comput Log 2(2):255–287. doi:10.1145/371316.371517 MathSciNetCrossRefMATH

Arbab F (2004) REO: a channel-based coordination model for component composition. Math Struct Comput Sci 14(3):329–366MathSciNetCrossRefMATH

Awad A (2007) BPMN-Q: a language to query business processes. In: Enterprise modelling and information systems architectures—concepts and applications: proceedings of the 2nd international workshop on enterprise modelling and information systems architectures (EMISA’07). St. Goar, Germany, 8–9 Oct 2007, pp 115–128

Awad A (2010) A compliance management framework for business process models. Ph.D. thesis, Hasso Plattner Institute, Potsdam University, Germany

Awad A, Weidlich M, Weske M (2011) Visually specifying compliance rules and explaining their violations for business processes. J Vis Lang Comput 22(1):30–55CrossRef

Awad A, Decker G, Weske M (2008) Efficient compliance checking using BPMN-Q and temporal logic. In: BPM. LNCS. Springer, pp 326–341

Awad A, Polyvyanyy A, Weske M (2008) Semantic querying of business process models. In: 12th international IEEE on enterprise distributed object computing conference, 2008. EDOC ’08, pp 85–94. doi:10.1109/EDOC.2008.11

Awad A, Weske M (2009) Visualisation of compliance violations in business process models. In: 5th workshop on business process intelligence, vol 9, pp 182–193

Bandara W, Miskon S, Fielt E (2011) A systematic, tool-supported method for conducting literature reviews in information systems. In: Virpi T, Joe N, Matti R, Wael S (eds) Proceedings of 19th European conference on information systems. ECIS 2011, Helsinki

Baral C, Zhao J (2007) Non-monotonic temporal logics for goal specification. In: Proceedings of the 20th international joint conference on artificial intelligence (IJCAI 2007). Morgan Kaufmann Publishers Inc, pp 236–242

BCBS (2013) Basel III: the liquidity coverage ratio and liquidity risk monitoring tools. http://www.bis.org/publ/bcbs238.pdf

Becker M, Laue R (2012) A comparative survey of business process similarity measures. Comput Ind 63(2):148–167CrossRef

Becker J, Delfmann P, Eggert M, Schwittay S (2012) Generalizability and applicability of model-based business process compliance-checking approaches—a state-of-the-art analysis and research roadmap. BuR Bus Res J 5(2):221–247CrossRef

Bonatti PA, Shahmehri N, Duma C, Olmedilla D, Nejdl W, Baldoni M, Baroglio C, Martelli A, Coraggio P, Antoniou G, Peer J, Fuchs NE (2004) Rule-based policy specification: state of the art and future work. REWERSE Project Report-i2-D1. Report, Universitá di Napoli Fedrecio II

Cabannilas C, Resinas M, Ruiz-Cortes A (2010) Hints on how to face business process compliance. In: III Taller de Procesos de Negocio e Ingenieria de Servicios PNIS10 in JISBD10, vol 4, pp 26–32

Croitoru M, Oren N, Miles S, Luck M (2012) Graphical norms via conceptual graphs. Knowl Based Syst 29:31–43CrossRef

Daniel F, Casati F, D’Andrea V, Mulo E, Zdun U, Dustdar S, Strauch S, Schumm D, Leymann F, Sebahi S, de Marchi F, Hacid MS (2009) Business compliance governance in service-oriented architectures. In: International conference on advanced information networking and applications, 2009. AINA ’09, pp 113 –120

Dwyer M, Avrunin G, Corbett J (1999) Patterns in property specifications for finite-state verification. In: Proceedings of the 1999 international conference on software engineering, 1999, pp 411–420

El Kharbili M (2012) business process regulatory compliance management solution frameworks: a comparative evaluation. In: APCCM 2012, CRPIT 130, pp 23–32

Elgammal AFSA (2012) Towards a comprehensive framework for business process compliance. Ph.D. thesis, Tiburg University. https://ideas.repec.org/p/tiu/tiutis/a30c4513-4b19-44f1-beb0-00b3c2d6f15e.html

Elgammal A, Turetken O, van den Heuvel WJ, Papazoglou M (2011) On the formal specification of regulatory compliance: a comparative analysis. In: Proceedings of ICSOC’10, pp 27–38

Elgammal A, Turetken O, Heuvel WJ, Papazoglou M (2014) Formalizing and applying compliance patterns for business process compliance. Softw Syst Model 15(1):119–146. doi:10.1007/s10270-014-0395-3 CrossRef

Elgammal A, Türetken O, van den Heuvel WJ, Papazoglou MP (2010) Root-cause analysis of design-time compliance violations on the basis of property patterns. In: ICSOC, pp 17–31

FATF (2017) The FATF recommendations: international standards on combating money laundering and the financing of terrorism and proliferation. http://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html

Figl K, Mandling J, Strembeck M (2009) Towards a usability assessment of process modelling languages. In: Markus N, Rump F, Jan M, Nick G (eds) Geschftsprozessmanagement mit Ereignisgesteuerten Prozessketten (EPK 2009), Ceur workshop proceedings, vol 554, pp 138–156 http://ceur-ws.org/Vol-554/epk2009-paper09.pdf

Fongon P, Grillo K (2004) Corporate implications of Sarbanes Oxley Act: a public policy. http://www.global-trade.law.com/ITRN711

Ghose A, Koliadis G (2007) Auditing business process compliance. In: Krämer B, Lin KJ, Narasimhan P (eds) Service-oriented computing (ICSOC 2007), vol 4749. LNCS. Springer, pp 169–180

Giblin C, Liu AY, Müller S, Pfitzmann B, Zhou X (2005) Regulations expressed as logical models (REALM). In: Proceeding of the 18th annual conference on legal knowledge and information systems (JURIX 2005). IOS Press, pp 37–48

Goedertier S, Vanthienen J (2006) Compliant and flexible business processes with business rules. In: BPMDS, vol 236. CEUR workshop proceedings, CEUR-WS.org

Goedertier S, Vanthienen J (2006) Designing compliant business processes with obligations and permissions. In: Eder J, Dustdar S (eds) Business process management workshops 2006. LNCS 4103. Springer, pp 5–14

Governatori G (2015) Thou shalt is not you will. In: Atkinson K (ed) Proceedings of the fifteenth international conference on artificial intelligence and law. ACM, New York

Governatori G (2005) Representing business contracts in RuleML. Int J Cooper Inf Syst 14(2–3):181–216CrossRef

Governatori G, Rotolo A (2006) Logic of violations: a Gentzen system for reasoning with contrary-to-duty obligation. Australas J Log 4:193–215MathSciNetMATH

Governatori G, Hashmi M (2015) No time for compliance. In: Proceedings of 19th IEEE the enterprise computing conference (EDOC’15)

Governatori G, Milosevic Z, Sadiq S (2006) Compliance checking between business processes and business contracts. In: 10th international enterprise distributed object computing conference (EDOC 2006). IEEE Computing Society, pp 221–232

Governatori G, Rotolo A (2010) A conceptually rich model of business process compliance. In: Proceedings of APCCM ’10, vol 110, pp 3–12

Governatori G, Sadiq S (2009) The journey to business process compliance. In: Cardoso J, van der Aalst W (ed) Handbook of research on business process management, Chap 20. IGI Global, pp 426–454. doi:10.4018/978-1-60566-288-6.ch020

Hashmi M, Governatori G, Wynn MT (2016) Normative requirements for regulatory compliance: an abstract formal framework. Inf Syst Frontiers 18(3):429–455. doi:10.1007/s10796-015-9558-1 CrossRef

Hashmi M, Governatori G, Wynn MT (2012) Business process data compliance. In: Proceedings of 6th international symposium. RuleML 2012, Montpellier, pp 32–46

Hashmi M, Governatori G, Wynn MT (2013) Normative requirements for business process compliance. In: Proceedings of 3rd symposium (ASSRI’13) on service research and innovation, Sydney, pp 100–116

Hashmi M, Governatori G, Wynn MT (2014) Modeling obligations with event-calculus. In: Proceedings of 8th international symposium. RuleML 2014, Prague,, pp 296–310

Herrestad H (1991) Norms and formalization. In: Proceedings of ICAIL 1991, pp 175–184

Hinge K, Ghose A, Koliadis G (2009) Process SEER: a tool for semantic effect annotation of business process models. In: EDOC ’09. IEEE international, pp 54–63

HIPAA TUG (1996) The US Health Insurance Portability and Accountability Act of 1996

IFRS (2014) IFRS 7 international financial reporting standards: financial instruments disclosures. http://www.ifrs.org/IFRSs/Pages/IFRS.aspx

Ingolfo S, Jureta I, Siena A, Perini A, Susi A (2014) Nmos 3: legal compliance of roles and requirements. In: Yu E, Dobbie G, Jarke M, Purao S (eds) Conceptual modeling, vol 8824. Lecture Notes in Computer Science. Springer, pp 275–288

Johansson LO, Wärja M, Carlsson S (2012) An evaluation of business process model techniques, using Moody’s quality criterion for a good diagram. In: BIR12, vol 963. CEUR workshop proceedings, CEUR-WS.org

Karagiannis D (2008) A business process-based modeling extension for regulatory compliance. In: Multikonferenz Wirtschaftsinformatik

Kaźmierczak P, Pedersen T, Ågotnes T (2012) NORMC: a norm compliance temporal logic model checker. In: STAIRS 2012 - Proceedings of the sixth starting AI researchers’ symposium, Montpellier, France, 27–28 August 2012, vol 241. IOS Press, pp 168–179. doi:10.3233/978-1-61499-096-3-168

Lu R, Sadiq S (2007) A survey of comparative business process modeling approaches. In: Abramowicz W (ed) Business information systems, vol 4439. LNCS. Springer, Heidelberg, pp 82–94CrossRef

Lu R, Sadiq S, Governatori G (2007) Compliance aware business process design. In: 3rd international workshop on business process design (BPD’07). Springer, pp 120–131

Ly LT, Knuplesch D, Rinderle-Ma S, Goeser K, Reichert M, Dadam P (2010) SeaFlows toolset—compliance verification made easy. In: CAiSE’10 Demos

Ly LT, Maggi FM, Montali M, Rinderle S, van der Aalst W (2013) A framework for the systematic comparison and evaluation of compliance monitoring approaches. In: Proceeding of EDOC

Ly L, Rinderle-Ma S, Dadam P (2010) Design and verification of instantiable compliance rule graphs in process-aware information systems, vol 6051. Springer, Berlin, pp 9–23. doi:10.1007/978-3-642-13094-6_3

Ly LT, Rinderle-Ma S, Göser K, Dadam P (2012) On enabling integrated process compliance with semantic constraints in process management systems. Inf Syst Frontiers 14(2):195–219CrossRef

Ly LT, Maggi FM, Montali M, Rinderle S, van der Aalst W (2015) Compliance monitoring in business processes: functionalities, application, and tool-support. Inf Syst. doi:10.1016/j.is.2015.02.007

Ly L, Rinderle-Ma S, Knuplesch D, Dadam P (2011) Monitoring business process compliance using compliance rule graphs. In: Meersman R, Dillon T, Herrero P, Kumar A, Reichert M, Qing L, Ooi BC, Damiani E, Schmidt D, White J, Hauswirth M, Hitzler P, Mohania M (eds) On the move to meaningful internet systems: OTM 2011, vol 7044. LNCS. Springer, Berlin, pp 82–99

Maggi F, Montali M, Westergaard M, van der Aalst W (2011) Monitoring business constraints with linear temporal logic: an approach based on colored automata. In: BPM. LNCS 6896. Springer, pp 132–147

Maggi F, Westergaard M, Montali M, van der Aalst W (2011) Runtime verification of LTL-based declarative process models. In: Proceedings of RV. LNCS. Springer

Makinson D, van der Torre L (2003) Permission from an input/output perspective. J Philos Log 32(4):391–416MathSciNetCrossRefMATH

MASTER (2008) Managing assurance, security, and trust for services. FP7-ICT integrated project for secure, dependable, and trusted infrastructures

McIntyre SR (2008) Integrated governance, risk and compliance: improve performance and enhance productivity in federal agencies. Technical report, PricewaterhouseCoopers

Mili H, Tremblay G, Jaoude GB, Lefebvre E, Elabed L, Boussaidi GE (2010) Business process modeling languages: sorting through the alphabet soup. ACM Comput Surv 43(1):1–56. doi:10.1145/1824795.1824799 CrossRef

Montali M (2010) Specification and verification of declarative open interaction models: a logic-based approach, vol 56. LNBIP. Springer, BerlinMATH

Montali M, Pesic M, van der Aalst WMP, Chesani F, Mello P, Storari S (2010) Declarative specification and verification of service choreographiess. ACM Trans Web 4(1):3:1–3:62CrossRef

Olivieri F (2014) Compliance by design. Synthesis of business processes by declarative specifications. Ph.D., Dipartimento di Informatica, Università digli Studi di Verona, Italy and Institute for Integrated and Intelligent Systems, Griffith University, Australia

Otto P, Anton A (2007) Addressing Legal requirements in requirements engineering. In: 15th IEEE international on requirements engineering conference, 2007. RE ’07, pp 5–14

Palmirani M, Governatori G, Contissa G (2011) Modelling temporal legal rules. In: Proceedings of the 13th international conference on artificial intelligence and law (ICAIL 2011). ACM Press

Pesic M, Schonenberg H, van der Aalst W (2007) DECLARE: full support for loosely-structured processes. In: Proceedings of 11th IEEE international conference on enterprise distributed object computing (EDOC’07), pp 287–287

Pesic M, van der Aalst W (2006) A declarative approach for flexible business processes management. In: BPM workshops, vol 4103. LNCS. Springer, pp 169–180

Ramezani E, Fahland D, van der Werf J, Mattheis P (2012) Separating compliance management and business process management. In: Daniel F, Barkaoui K, Dustdar S (eds) Business process management workshops, vol 100. LNBIP. Springer, Berlin, pp 459–464. doi:10.1007/978-3-642-28115-0_43 CrossRef

Ramezani E, Fahland D, van der Aalst W (2012) Where did i misbehave? Diagnostic information in compliance checking. In: Proceedings of business process management, pp 262–278

Ramezani E, Fahland D, van Dongen BF, van der Aalst W (2013) Diagnostic information for compliance checking of temporal compliance requirements. In: CAiSE, pp 304–320

Rieke R, Repp J, Zhdanova M, Eichler J (2014) Monitoring security compliance of critical processes. In: 2014 22nd Euromicro international conference on parallel, distributed and network-based processing (PDP), pp 552–560

Sadiq S, Governatori G (2015) Managing regulatory compliance in business processes. In: vom Brocke J, Rosemann M (eds) Handbook of business process management, vol 2, 2nd edn. International handbooks on information systems. Springer, Berlin, pp 265–288

Sadiq S, Governatori G, Namiri K (2007) Modeling control objectives for business process compliance. In: Proceedings of BPM’07. Springer, pp 149–164

Sartor G (2005) Legal reasoning: a cognitive approach to the law. Springer, Berlin

SCBS (2004) BASEL II accord - International convergence of capital measurement and capital standards: a revised framework. https://www.federalreserve.gov/boarddocs/press/bcreg/2004/20040626/attachment.pdf

Schumm D, Turetken O, Kokash N, Elgammal A, Leymann F, Heuvel WJVD (2010) Business process compliance through reusable units of compliant processes. In: Proceedings of international conference on current trends in web engineering

Türetken O, Elgammal A, van den Heuvel WJ, Papazoglou M (2012) Capturing compliance requirements: a pattern-based approach. Softw IEEE 29(3):28–36. doi:10.1109/MS.2012.45 CrossRef

Türetken O, Elgammal A, van den Heuvel WJ, Papazoglou M (2011) Enforcing compliance on business processes through the use of patterns. In: Proceeding of European conference on information system. http://aisel.aisnet.org/ecis2011/5

Turki S, Bjekovic-Obradovic M (2010) Compliance in e-government service engineering: state-of-the-art. In: Exploring services science. LNBIP. Springer, pp 270–275

US-Government (2002) Public Company Accounting Reforms and Investor Protection Act (Sarbanes-Oxley Act). Public Law 107-204, 116 Stat. 745

van der Aalst W, Pesic M, Schonenberg H (2009) Declarative workflows: balancing between flexibility and support. Comput Sci Res Dev 23:99–113CrossRef

van der Aalst W, ter Hofstede A, Kiepuszewski B, Barros A (2002) Workflow patterns. QUT Technical report. FIT-TR-2002-02, Queensland University of Technology, Brisbane, Australia. http://www.workflowpatterns.com/documentation/documents/wfs-pat-2002.pdf

Titel: Norms modeling constructs of business process compliance management frameworks: a conceptual evaluation
verfasst von: Mustafa Hashmi
Guido Governatori
Publikationsdatum: 20.09.2017
Verlag: Springer Netherlands
Erschienen in: Artificial Intelligence and Law / Ausgabe 3/2018
Print ISSN: 0924-8463
Elektronische ISSN: 1572-8382
DOI: https://doi.org/10.1007/s10506-017-9215-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"