Monday, 28 November 2011

Summary: A Methodological Framework for Aligning Business Processes and Regulatory Compliance

S. Sadiq and G. Governatori. A methodological framework for aligning business processes and regulatory compliance. In J. Brocke and M. Rosemann, editors, Handbook of business process management: 2 Strategic alignment, governance, people and culture, International Handbooks on Information Systems, pages 159–176, Berlin and Heidelberg, 2010. Springer-Verlag Berlin Heidelberg.

This chapter focuses on compliance by design. It starts by distinguishing different types of compliance (detective, corrective, and preventive), and shows that the best way to achieve a preventive method is to integrate compliance from the design stage. It also shows that, to achieve compliance, it is first important to have a formal representation of the rules and regulations; second, an alignment must be found between the two ontologies (the business rules language and the process model language); third, a compliance enforcement framework is needed; and finally, compliance monitoring.

The chapter then reviews the literature on business rules modeling languages. It states that (Governatori, 2005) and (Governatori & Milosevic, 2006) have proposed FCL (Formal Contract Language) as a candidate for control modelling, which has proved effective due to its ability to reason with violations, while (Goedertier & Vanthienen, 2006) present a logical language, PENELOPE, that provides the ability to verify temporal constraints arising from compliance requirements on affected business processes. (Kuster, Ryndina & Gall, 2007) provide a method to check compliance between object lifecycles, which provide reference models for data artifacts (e.g. insurance claims), and business process models. (Giblin, Muller & Pfitzmann, 2006) provide temporal rule patterns for regulatory policies, although the objective of this work is to facilitate event monitoring rather than the use of the patterns to support design-time activities. Furthermore, (Agrawal, Johnson, Kiernan & Leymann, 2006) have presented a workflow architecture for supporting Sarbanes-Oxley internal controls, which includes functions such as workflow modeling, active enforcement, workflow auditing, and anomaly detection. Although several proposals provide a powerful and conceptually faithful means of capturing controls, it still remains to be studied how these formal models can be deployed in practice.

As shown earlier in the chapter, modeling rules is only one step toward compliance; for this reason the chapter then reviews the literature on enforcing the rules model in the process model (enriching business process models). It states that the work by (zur Muehlen & Rosemann, 2005) and (Neiger, Churilov, zur Muehlen & Rosemann, 2006) provides an appealing method for integrating risks into business processes. The proposed technique for “risk-aware” business process models is developed for EPCs (Event Process Chains) using an extended notation. (Sadiq, Governatori & Namiri, 2007) propose an approach based on control tags to visualize internal controls on process models. (Liu, Muller & Xu, 2007) take a similar approach of annotating and checking process models against compliance rules, although their visual rule language, BPSL, is general purpose and does not directly address the notions needed to represent compliance requirements.

The chapter then concludes by showing that a theoretically rigorous and practically feasible means of control modelling, supported by powerful analysis machinery that provides diagnostic support for comparing business and control objectives, has the potential to create a holistic approach to compliance management, providing not only preventative and detective techniques but also corrective recommendations. It then indicates that future research in this area should strive towards compliance management frameworks that closely integrate the three perspectives, namely preventative, detective and corrective. Such a framework can allow organizations to respond better to changing regulatory demands and also reap the benefits of process improvement.

Sadiq and Governatori in this chapter provide a holistic overview of the ‘business process compliance’ topic. The chapter presents the different types of compliance (detective, corrective, and preventive), and shows that compliance by design is the best way to achieve a preventive compliance method. The authors emphasize the importance of having formal representations of business rules and then enriching the business process models with compliance requirements. The chapter then provides a literature review for both aspects. It concludes with a discussion showing that a rigorous and feasible formal representation of the business rules, which can be used to enrich a business process model and provides diagnostic support, can potentially provide a holistic approach to compliance management.
