This chapter focuses on compliance by design. It starts by distinguishing three
types of compliance (detective, corrective, and preventive), and shows that the
best way to achieve preventive compliance is to integrate compliance from the design
stage. It also shows that compliance by design first requires a formal
representation of the rules and regulations, then an alignment between the two
ontologies (the business rules language and the process modelling language),
then a compliance enforcement framework, and finally compliance monitoring.
The chapter then reviews the literature on business rules modelling languages.
It notes that (Governatori, 2005) and (Governatori & Milosevic, 2006) proposed
FCL (Formal Contract Language) as a candidate for control modelling, which has
proved effective because it can reason about violations and what should happen
after them. (Goedertier & Vanthienen, 2006) present a logical language,
PENELOPE, that can verify temporal constraints arising from compliance
requirements on the affected business processes. (Kuster, Ryndina & Gall, 2007)
provide a method to check compliance between object lifecycles, which serve as
reference models for data artifacts (e.g. insurance claims), and business process
models. (Giblin, Muller & Pfitzmann, 2006) provide temporal rule patterns for
regulatory policies, although the objective of that work is to facilitate event
monitoring rather than to use the patterns to support design-time activities.
Furthermore, (Agrawal, Johnson, Kiernan & Leymann, 2006) present a workflow
architecture for supporting Sarbanes-Oxley internal controls, which includes
functions such as workflow modelling, active enforcement, workflow auditing, and
anomaly detection. Although several of these proposals provide a powerful and
conceptually faithful means of capturing controls, how these formal models can
be deployed in practice remains to be studied.
As shown earlier in the chapter, modelling the rules is only one step toward
compliance; for this reason the chapter then reviews the literature on enforcing
the rules model in the process model (enriching business process models). It
notes that the work by (zur Muehlen & Rosemann, 2005) and (Neiger, Churilov, zur
Muehlen & Rosemann, 2006) provides an appealing method for integrating risks
into business processes. Their technique for "risk-aware" business process
models is developed for EPCs (Event-driven Process Chains) using an extended
notation. (Sadiq, Governatori & Namiri, 2007) propose an approach based on
control tags to visualize internal controls on process models. (Liu, Muller &
Xu, 2007) take a similar approach of annotating process models and checking them
against compliance rules, although their visual rule language, BPSL, is general
purpose and does not directly address the notions needed to represent
compliance requirements.
The chapter concludes by arguing that a theoretically rigorous and practically
feasible means of control modelling, supported by analysis machinery that
provides diagnostic support for comparing business and control objectives, has
the potential to create a holistic approach to compliance management: one that
provides not only preventive and detective techniques but also corrective
recommendations. The authors then indicate that future research in this area
should strive towards compliance management frameworks that closely integrate
the three perspectives, namely preventive, detective and corrective. Such a
framework can allow organizations to respond better to changing regulatory
demands and also reap the benefits of process improvement.
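As an added illustration that is not part of the chapter or of any of the works it cites, the three perspectives above are written out below in Python: the same rule is checked preventively against a process model at design time, detectively against an execution log, and turned into a corrective recommendation. The rule encoding (`Rule`), the process model, the roles, the event log and every name in it are constructed for this example; FCL's own syntax and semantics are not reproduced here.

```python
"""Compliance by design, illustrated on a constructed purchase-to-pay process.

Preventive  : check_model  - verify the process model at design time
Detective   : check_log    - verify completed instances from an event log
Corrective  : recommend    - turn design-time violations into model changes

The Rule class is a simplified stand-in for a formal rule language; it is not
FCL, PENELOPE or BPSL, whose syntax is not on the page this example accompanies.
"""
from dataclasses import dataclass


@dataclass
class ProcessModel:
    """A process model as an acyclic graph: roles per activity plus control flow."""
    roles: dict    # activity name -> role that performs it
    flows: dict    # activity name -> list of successor activities
    start: str

    def paths(self):
        """Enumerate every start-to-end path through the model (assumed acyclic)."""
        found = []

        def walk(node, seen):
            successors = self.flows.get(node, [])
            if not successors:
                found.append(seen + [node])
            for nxt in successors:
                walk(nxt, seen + [node])

        walk(self.start, [])
        return found


@dataclass
class Rule:
    """'target' must be preceded by 'guard' on every path; with separate_duties,
    guard and target must also be performed by different roles (design time)
    or different actors (run time)."""
    name: str
    guard: str
    target: str
    separate_duties: bool = False


def check_model(model, rules):
    """Preventive check: violations present in the model itself, as (rule, kind, detail)."""
    violations = []
    for rule in rules:
        for path in model.paths():
            if rule.target in path:
                t = path.index(rule.target)
                if rule.guard not in path[:t]:
                    violations.append((rule.name, "missing-guard", " > ".join(path)))
        guard_role, target_role = model.roles.get(rule.guard), model.roles.get(rule.target)
        if rule.separate_duties and guard_role is not None and guard_role == target_role:
            violations.append((rule.name, "same-role", target_role))
    return violations


def check_log(events, rules):
    """Detective check over an event log of (case_id, activity, actor) tuples."""
    cases = {}
    for case_id, activity, actor in events:
        cases.setdefault(case_id, []).append((activity, actor))
    violations = []
    for case_id, trace in cases.items():
        activities = [a for a, _ in trace]
        for rule in rules:
            if rule.target not in activities:
                continue
            t = activities.index(rule.target)
            guard_actors = [actor for a, actor in trace[:t] if a == rule.guard]
            if not guard_actors:
                violations.append((case_id, rule.name, "missing-guard"))
            elif rule.separate_duties and trace[t][1] in guard_actors:
                violations.append((case_id, rule.name, "same-actor"))
    return violations


def recommend(rules, model_violations):
    """Corrective step: map each design-time violation to a concrete model change."""
    by_name = {r.name: r for r in rules}
    advice = []
    for name, kind, detail in model_violations:
        rule = by_name[name]
        if kind == "missing-guard":
            advice.append(f"{name}: insert '{rule.guard}' before '{rule.target}' on path {detail}")
        elif kind == "same-role":
            advice.append(f"{name}: assign '{rule.guard}' and '{rule.target}' to different roles (both are '{detail}')")
    return advice


# Constructed sample data. The model has a fast-track path that skips approval.
RULES = [Rule("approve-before-pay", guard="Approve", target="Pay", separate_duties=True)]
MODEL = ProcessModel(
    roles={"Receive": "clerk", "Review": "clerk", "Approve": "manager", "Pay": "clerk", "Archive": "clerk"},
    flows={"Receive": ["Review"], "Review": ["Approve", "Pay"], "Approve": ["Pay"], "Pay": ["Archive"]},
    start="Receive",
)
LOG = [  # constructed event log: (case, activity, actor)
    ("c1", "Receive", "alice"), ("c1", "Review", "alice"), ("c1", "Approve", "bob"), ("c1", "Pay", "alice"),
    ("c2", "Receive", "alice"), ("c2", "Review", "alice"), ("c2", "Pay", "alice"),
    ("c3", "Receive", "alice"), ("c3", "Review", "alice"), ("c3", "Approve", "carol"), ("c3", "Pay", "carol"),
]

if __name__ == "__main__":
    print("design-time:", check_model(MODEL, RULES))
    print("run-time:   ", check_log(LOG, RULES))
    print("corrective: ", recommend(RULES, check_model(MODEL, RULES)))
```

Case `c3` is the point of running all three perspectives together: the design-time check passes the separation-of-duties rule because `Approve` and `Pay` are assigned to different roles, yet at run time one actor performed both, which only the detective check over the log can see.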
In this chapter Sadiq and Governatori provide a holistic overview of the
"business process compliance" topic. The chapter distinguishes the types of
compliance (detective, corrective, and preventive) and shows that compliance by
design is the best way to achieve preventive compliance. The authors emphasize
the importance of having formal representations of business rules and then
enriching the business process models with the compliance requirements. The
chapter then provides a literature review for both aspects. It concludes with a
discussion showing that a rigorous and feasible formal representation of the
business rules, one that can be used to enrich a business process model and that
provides diagnostic support, can potentially give a holistic approach to
compliance management.