Business process compliance

IT UNIVERSITY OF COPENHAGEN
BUSINESS PROCESS COMPLIANCE
HUGO A. LÓPEZ
DCR Solutions A/S
IT University of Copenhagen
hual@itu.dk

IS YOUR BUSINESS PROCESS CORRECT?
2

2
Syntactically
correct ✓

2
Sound ✓
Syntactically
correct ✓

2
Sound ✓
Syntactically
correct ✓
And that’s it?

THE ENRON SCANDAL
3

THE ENRON SCANDAL
Enron, the 7th largest US company in 2001, files for bankruptcy in
December 2001.
Investors and retirees are left with worthless stock.
Enron is charged with securities fraud (fraudulent manipulation of
publicly reported financial results, lying to U.S. Securities and Exchange
Commission, etc),
Investigative findings conclude that Enron used complex dubious energy
trading schemes.
3

THE ENRON SCANDAL (II)
“The Death Star” trading scheme: One of the fraudulent schemes used by
Enron
4
Takes advantage of loopholes in
energy trading regulations in
California.
Schedules power transmission from
congested line from bus A to bus
B in the opposite direction of
demand, charging a “congestion
reduction fee”
Reschedules the routing all the way
back to A so no energy was
actually bought or sold by
Enron. It was just a routing
scheme.

CORRECTNESS & COMPLIANCE
Policies and regulations are there to protect users from fraudulent, unethical
and fraudulent behaviour.
The case of Enron and similar companies motivated changes in the regulation.
Sarbanes-Oxley (SOX) Act in 2002:
It provides the foundation for new corporate governance rules, regulations
& standards issued by the Securities and Exchange Commission. It covers
a range of topics from criminal penalties to Corporate Board
responsibilities. SOX also covers issues such as independent auditing
requirements, corporate governance, internal control assessment,
and enhanced ﬁnancial disclosure.
Applicable to “Issuers” as deﬁned in the SEC Act of 1934 (approximately
15,000 public companies by 2002).
5

BUSINESS PROCESS COMPLIANCE
Is it important?
• Siemens growth in compliance importance by 700% 1
Market responds to a need:
• Consulting companies: PriceWaterhouseCoppers, Deloitte etc.
• IBM Lotus workplace for Business Controls & Reporting
• Microsoft Office Solutions Accelerator for Sarbanes-Oxley
• SAP GRC (Governance, Risk and Compliance)
• Niche vendors such as OpenPages, Paisley Consulting, Qumas
Inc,…
New upcoming regulations: GDPR
6
1. Halfmann, A.: Siemens versiebenfacht Zahl der
Compliance-Mitarbeiter (January 2009)

CORRECTNESS IN BUSINESS PROCESSES
7
Compliance
Soundness
Syntax Conformance
(semantic correctness)
(behavioral correctness)
(structural correctness)

A TALE OF USERS
8
business process monitoring will assess the design of internal controls and serve as an
input to internal controls certification.
Fig. 1. Interconnect of Process Management and Controls Management
Given the scale and diversity of compliance requirements and additionally the fact
that these requirements may frequently change, business process compliance is indeed
a large and complex problem area with several challenges. Following our initial
premise that business and control objectives are (or should be) designed separately,
but must converge at some point, we present below a list of essential methods and
techniques that need to be developed to tackle this overall problem.
2.1 Control Directory Management
Regulations and other compliance directives are complex, vague and require
interpretation. Often in legalese, these mandates need to be translated by experts. For
example the COSO framework [6] is recognized by regulatory bodies as a defacto
standard for realizing controls for financial reporting. A company-specific interpret-
tation results in the following (textual) information being created:
<control objective, risk, internal control 1
>
[1]
S. Sadiq, G. Governatori, and K. Namiri, “Modeling Control Objectives for Business
Process Compliance,” in Business Process Management, 2007, pp. 149–164.

A TALE OF USERS
8
the actors’ behavior. On the other hand, governmental
regulations are formulated and imposed by legal authorities
to ensure social welfare, protect local interests, and regu-
et al. 2012). Norm
potential approach
environments where
as autonomous agen
the normative con
agents.
In a nutshell, CC
the notion of agents
of norms (obligatio
not only provides t
normative constrain
To indicate organi
concept of event
behavioral traces th
process. With these
Table 1 Governmental regulations and business processes
Governmental regulations Business processes
Issued by legal authorities Designed and implemented by
organizations
National perspective Organizational perspective
Focus on the effects of actions Focus on the process of actions
Increase social welfare; economics,
safety, environmental concern
Increase the efﬁciency of
organizations to achieve
higher organizational beneﬁt
Legal authority Secondary authority
394
[1]
J. Jiang, H. Aldewereld, V. Dignum, S. Wang, and Z. Baida,
“Regulatory compliance of business processes,” AI & Soc,
vol. 30, no. 3, pp. 393–402, Aug. 2015.
business process monitoring will assess the design of internal controls and serve as an
input to internal controls certification.
Fig. 1. Interconnect of Process Management and Controls Management
Given the scale and diversity of compliance requirements and additionally the fact
that these requirements may frequently change, business process compliance is indeed
a large and complex problem area with several challenges. Following our initial
premise that business and control objectives are (or should be) designed separately,
but must converge at some point, we present below a list of essential methods and
techniques that need to be developed to tackle this overall problem.
2.1 Control Directory Management
Regulations and other compliance directives are complex, vague and require
interpretation. Often in legalese, these mandates need to be translated by experts. For
example the COSO framework [6] is recognized by regulatory bodies as a defacto
standard for realizing controls for financial reporting. A company-specific interpret-
tation results in the following (textual) information being created:
<control objective, risk, internal control 1
>
[1]
S. Sadiq, G. Governatori, and K. Namiri, “Modeling Control Objectives for Business
Process Compliance,” in Business Process Management, 2007, pp. 149–164.

ANATOMY OF COMPLIANCE FRAMEWORKS
9
WI  SCHWERPUNKTAUFSATZ
superordinated level correctly and com-
pletely so that their fulfillment is identical
with the fulfillment of the respective laws.
on the principal of Schneider’s execution
monitor (Schneider 2006) that intercepts
allthosecommandsatprocessor-levelthat
a corresponding log-file. For such valida-
tions, e.g., the Hippocratic database offers
an interface to its query logs, and Delbaere
……
Best practice
Compliance validation
…
Compliance requirements 3
Compliance requirements 2
Compliance
requirements 1 Manually checked
control objectives
Automatable control
objectives
Compliance policy 3
Compliance policy 2
Compliance policy 1
…
…
Forensic
Audit
Control process
Business process management
Log-file
Standards
Laws Contracts
Compliance and risk
management
Fig. 1 Process of compliance validation
[1]
S. Sackmann and M. Kähmer, “ExPDT: A policy-based approach for automating compliance
[ExPDT: Ein Policy-basierter Ansatz zur Automatisierung von Compliance],” Wirtschaftsinformatik,
vol. 50, no. 5, pp. 366–374, 2008.

ANATOMY OF A COMPLIANCE RULE
10
Diagnostic Information in Compliance Checking 267
Fig. 1. Compliance Rule Framework
Furthermore, a compliance rule can
(4) impose time-related constraints (e.g.,
“Within 6 months the claim must be de-
cided.”) or can be untimed,(5) prescribe
properties of a single case or of multiple
cases (e.g., “20% of all claims require a
detailed check.”), and (6) prescribe prop-
erties of the process design (e.g., “The
claim process must have a time-out event
handler.”) or properties of the process ex-
ecutions, which can be observed (i.e.,
recorded in an event log).
These six dimensions give rise to
the framework shown in Fig. 1. In this
paper, we present compliance rules for
control flow, data flow as well as organi-
zational aspects, where we focus on un-
timed, observation-based properties of individual cases. The remainder of this section
presents control flow compliance rules and their formalization. Section 5 presents data
flow rules and organizational rules and their combination with control flow rules.
4.2 Control Flow Compliance Rules
Eliciting and formalizing compliance rules for a business process comprise determining
the laws and regulations that are relevant for this process and formulating these compli-
ance rules in an unambiguous, yet understandable manner [30]. Typically, this involves
expressing a given informal requirement in a formal notation: a task an end user may not
[1]
E. Ramezani, D. Fahland, and W. M. P. van der Aalst,
“Where Did I Misbehave? Diagnostic Information in
Compliance Checking,” in Business Process Management,
2012, pp. 262–278.

ANATOMY OF A COMPLIANCE RULE
10
agnostic Information in Compliance Checking 267
can
(e.g.,
e de-
cribe
ltiple
ire a
prop-
“The
event
s ex-
(i.e.,
e to
this
s for
gani-
n un-
of individual cases. The remainder of this section
es and their formalization. Section 5 presents data
nd their combination with control ﬂow rules.
les
rules for a business process comprise determining
vant for this process and formulating these compli-
derstandable manner [30]. Typically, this involves
ent in a formal notation: a task an end user may not
[1]
E. Ramezani, D. Fahland, and W. M. P. van der Aalst,
“Where Did I Misbehave? Diagnostic Information in
Compliance Checking,” in Business Process Management,
2012, pp. 262–278.
268 E. Ramezani, D. Fahland, W.M.P. van der Aalst
Table 1. Categorization of the 55 Control Flow Compliance Rules
Category (Rules) Description
Existence (2) Limits the occurrence or absence of a given event A within a
scope. [4],[15],[9], [14],[21],[36],[33]
Bounded Existence (6) Limits the number of times a given event A must or must not
occur within a scope. [15],[14]
Bounded Sequence (5) Limits the number of times a given sequence of events must
or must not occur within a scope. [15],[14]
Parallel (1) A speciﬁc set of events should occur in parallel within a scope.
[33]
Precedence (10) Limits the occurrence of a given event A in precedence over
a given event B. [15],[33],[14],[36],[9],[19],[21],[4],[33]
Chain Precedence (4) Limits the occurrence of a sequence of events A1, . . . , An
over a sequence of events B1, . . . , Bn. [15],[14],[21]
Response (10) Limits the occurrence of a given event B in response to a
given event A. [33],[14],[21],[15],[37],[9],[19]
Chain Response (4) Limits the occurrence of a sequence of events B1, . . . , Bn in
response to a sequence of events A1, . . . , An. [15]
Between (7) Limits the occurrence of a given event B between a sequence
of events A and C. [14]
Exclusive (1) Presence of a given event A mandates the absence of an
event B. [15]
Mutual Exclusive (1) Either a given event A or event B must exist but not none of
them or both. [15],[34]
Inclusive (1) Presence of a given event A mandates that event B is also
present. [15]
Prerequisite (1) Absence of a given event A mandates that event B is also
absent. [15]
Substitute (1) A given event B substitutes the absence of event A. [15]
Corequisite (1) Either given events A and B should exist together or to be
absent together. [15]
Petri-net patterns. Although being an unusual choice, we could formalize operational
rules as well as declarative rules in a systematic and understandable way. The complete

COMPLIANCE RULES IN DCR
Occurrence: The occurrence of task A is within the scope of the process.
11

11
Inclusion: Presence of a given task A mandates B to be also present

11
Inclusion: Presence of a given task A mandates B to be also present
Response: Presence of a given task A mandates B to be also present

One must learn by doing the thing;
for though you think you know it,
you have no certainty, until you try.
Sophocles, 496-405 BC.

HANDS-ON
Model the following patterns in a DCR-graph (use the simulator to verify if
your model is right): 
1. Direct Precedence of a Task. “Every time B occurs, it should be directly
preceded by A.” If B occurs without a directly preceding A, the rule is
violated. For instance, ⟨ACCAAC⟩ and ⟨ABCAAB⟩ comply to the rule,
whereas ⟨ABACB⟩ violates the rule.
2. Direct Precedence or Simultaneous Occurrences of Tasks. “Task A
must always be executed simultaneously or directly before task B.” (hint:
consider A/B as non-atomic tasks)
3. Bounded Existence of a Task: Task A should be executed exactly k
times.” If A occurs less than or more than k times, the rule is violated. For
instance, for k = 2, the trace ⟨BCADBCAD⟩ complies to this rule and
⟨BCADBCAAD⟩ violates the rule.
4. Execution in Between. “Task B should be performed not before task A
has been executed, and not later than C.”
13

COMPLIANCE CHECKING
Matches the specification of compliance rules and the executions of
business processes.
- If specifications are satisfied by the runs in a BP, the process is compliant,
otherwise, it is in violation with the compliance rule.
14
are associated with potentially inadvertent behaviour or deliberate viola-
tions while seeking more opportunistic engagements.
Figure 1: Compliance Space
1.1 Compliance Space
Compliance of business processes with normative documents is thus im-
portant to ensure establishing better links between these two traditionally
separate universes of discourse, i.e., legal and business process spaces (see
Figure 1).
[1]
G. Governatori and S. Sadiq, The journey to business process compliance. 2009.

LINEAR TEMPORAL LOGIC
15

COMPLIANCE RULES IN LTL
16

preceded by A.”  
 
(¬Perform_surgery W Prepare_patient) Λ (¬Perform_surgery W
Send_patient_to_surgical_suite) 
16

 
must always be executed simultaneously or directly before task B.”  
 
(Prepare_patient Λ Send_patient_to_surgical_suite) ∨ (Prepare_patient W
16

 
 
16

 
 
 
Exercise.  
16

 
 
 
Exercise.  
4. Mutual Exclusion. “Either tasks A and B must be executed, but no none
of them, or both”.
16

 
 
 
Exercise.  
4. Mutual Exclusion. “Either tasks A and B must be executed, but no none
of them, or both”.
Exercise.
16

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
flexible as the generation can be repeated when rules are
added, removed, or changed. Third, the approach is
complete in the sense that an unsuccessful model gen-
eration can be interpreted as ‘‘the business process cannot
be made compliant’’ rather than ‘‘the current model is
brings our approach in the context of related w
Section 8 concludes the paper.
2. Running example: insurance claim handli
We use a simple insurance claim handl
(based on [12]) as running example for this p
process, a customer submits a claim to an i
then prepares a fraud detection check off
external service. Based on the result of this
claim is either (1) assessed and the settlemen
(2) detected fraudulent and reported, or (
incomplete. In the last case, further infor
requested from the customer before the clai
mitted to the fraud detection service. In this s
customer can alternatively decide to withdraw
On successful assessment, a settlement case i
by a financial clerk. The claim is settlement pa
rates or all at once. A single complete paym
requires an authorization of the controlling of
the settlement is finally paid, the claim is arc
One way to model this process is to expli
he actions to be taken and to give an opera
ness process model. An alternative to this
approach offers an artifact-centric framew
starts by identifying what is acted on (noun-
to derive a business process from the life c
Fig. 1. Approaches to achieve compliance. (a) Compliance by detection
and (b) compliance by design.
Compliance Rule  
(Response of a Task) 
G(A F(B))
Executions  
(Generated from the transition
system)

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
☹
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹

COMPLIANCE CHECKING
All traces satisfy the rule
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant ☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant ☹
Partially (Weakly) Compliant
At least a trace satisfy the rule

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant
☺
☹

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant
☺
☹
Violated
All traces violate the rule

COMPLIANCE CHECKING
17
< E, D, F, G, B >
< G, C, F, D, G >
< C, A, B, D, B >
< G, C, B, A, D >
< A, F, A, D, B >
< A, D, B, G, A >
Compliance Rule  
G(A F(B))
Executions  
system)
✓
☹
☹
☹
☹
☹
Full Compliant
☺
☹
☹
Violated
All traces violate the rule

BUSINESS PROCESS LIFECYCLE
18
(Re-)Design
Simulation/
Validation
Execution
Change in
Processes /
Legislations
Analysis

COMPLIANCE AS PART OF THE LIFECYCLE
19
and parameter thresholds are violated. Adjustments and
corrective actions could effect changes in business process
components in an SOA-based application.
Figure 2. Conceptual architecture for compliance management.
Compliance management commences with compliance
monitoring are two important and compl
process compliance checking phases.
provides a lifetime guaranteed complia
design-time compliance verification, a
considered as complian
relevant compliance re
allows only for the exe
instances not violating
[12]. Consequently, it
ensured that corresp
instances are compli
compliance verification
of detecting and resolvin
violations as early as p
actual business process
providing a preven
support. Design-time com
has lower verification c
the subsequent dynamic
Hence, it is desirable t
compliance requiremen
during design-time. Ho
always feasible to enforc
process models at de
variable instantiations
information that cannot b
design time. Runtime
compliance requirement
checked during design-ti
verified against running
instances during runtime. Runtime comp
and offline compliance analysis and mo
integrated, holistic view of complianc
[1]
M. P. Papazoglou, “Making business processes compliant to standards & regulations,” in
Proceedings - IEEE International Enterprise Distributed Object Computing Workshop, EDOC,
Helsinki, 2011, pp. 3–13.

19
providing a preven
[1]
A Priori

19
providing a preven
[1]
A Priori A Posteriori

RUNTIME COMPLIANCE
Not always feasible to check all the constraints at compile time:
20
264 D. Knuplesch et al.
Fig. 1. Compliance Monitoring [4]
a compliance violation once it has occurred. By contrast, proactive monitoring
aims to preventively avoid any violation; e.g., by recommending appropriate
[1]
D. Knuplesch, M. Reichert, and A. Kumar, “Visually Monitoring Multiple Perspectives
of Business Process Compliance,” in Business Process Management, 2015, pp. 263–279.
if a patient’s leukocyte count suddenly falls below a threshold, a drug for raising the
leukocyte count will have to be administered the same day

COMPLIANCE MONITORING
A monitor keeps track of the state
of each compliance rule:
• It does not apply to the running
process, or Not_Activated.
• It is Activated for the running
process, and it can be:
• Satisﬁed:
• But it is still violable
• Or permanently satisﬁed.
• Violated:
• But healable (pending)
• Or permanently violated.
21
uplesch et al.
Fig. 5. States of compliance rules
ed by the framework. The most fundamental state is Not Activa-
compliance rule does not apply to the running process instance so
ate Activated expresses that the compliance rule is applicable to
stance. Furthermore, this state includes the sub-states Satisfied
[1]

State(c1) =
22
in turn, trigger two diﬀerent instances of compliance rule c1. In both cases, the
amount is greater than 10,000 e and hence a solvency check is required (cf. c1).
However, the latter was only performed for the request item of Mr. Smith, but
not for the one of Mrs. John, i.e., c1 is violated in the latter case. In addition
to the violation of c1, compliance rule c2 is violated twice. While the violated
Fig. 2. Event log of order-to-delivery processes and compliance rules
State(c2) = ?
State(c3) = ?
[1]

State(c1) =
22
State(c2) = ?
State(c3) = ?
Violable
[1]

State(c1) =
22
State(c2) = ?
State(c3) = ?
PerSatisﬁed
[1]

State(c1) =
22
State(c2) = ?
State(c3) = ?
PerViolated
[1]

HANDS-ON
1. Model compliance rules c1, c2 & c3 in a
DCR-graph (use additional activities to
model data/time checks). 
2. Calculate what is the ﬁnal state of rules
c2 & c3 after execution of event 99.
23
case, but violated in another. In particular, the depicted log refers to two diﬀer-
ent request items related to customers Mr. Smith and Mrs. John. These items,

PROCESS AUDIT
Post-mortem analysis:
Given a total execution history (event-log) and a set of compliance rules, decide
whether there has been a violation of the compliance rule.
- The log complies to the rule if each log trace is described by the rule.
- In case a trace is not described, we want to locate where the trace deviates from
the rule.
24
Several figures in the next section show these alignments.
To ease presentation of our results, we abstract long sequences of events that are
not relevant to the compliance rule (i.e., which are mapped to Ω-transitions), to shorter
sequences. This way, order and relative position of compliance-relevant events are pre-
served while irrelevant details are abstracted from.
6.2 Case Study Constraints and Results
In the case study we followed the standard use case for compliance checking: (1) check
relevant regulations and elicit respective compliance requirements, (2) for each require-
ment, identify the patterns that precisely express the requirement from the rule collec-
tion in Tab. 1, (3) take the corresponding Petri-net pattern and map its transitions to the
events in the given log, and (4) run the conformance checker.
In the following, we describe our findings for three compliance requirements that
were derived from the financial department’s internal policies and medical guidelines.
Fig. 8. Non-compliant case for
‘First Visit Registration should
occur exactly once’
Compliance Requirement 1. “The hospital should reg-
ister each visiting patient and prevent duplicate regis-
trations for a patient.” This requirement is formalized
by the compliance rule “Event First Visit Registration
should occur exactly once per case.” from the category
‘bounded existence’ of Table 1. The corresponding pat-
tern is shown in Fig. 2 (left). To obtain a reliable result,
we needed to filter the data for patients who started their
treatment between 2005 and 2008. We checked compliance for 640 cases and identified
622 compliant and 18 non-compliant cases.
Figure 8 shows diagnostic information for a non-compliant case. As described above,
ProM maps the trace on to the compliance-influencing events: First Visit Registration
occurs twice, where the first occurrence is compliant (highlighted green) and the second
one should not have been in the trace (highlighted yellow, move on log).
C1 = “The hospital should register each visiting patient and prevent
duplicate registrations for a patient.”

PROCESS AUDIT
the rule.
24
Fig. 9. Non-compliant case
for ‘First Registration Visit
precedes x-ray’
An example of a non-compliant case is shown in
Fig. 9. The relevant sequence of events in this case is
⟨. . . x-ray . . . FirstVisitRegistration . . .⟩. The compliance
checker identiﬁed the x-ray event as an event that should not
have happened (highlighted yellow, move on log) because it
occurred before the FirstVisitRegistration event). In addi-
tion, the checker highlights the position where x-ray should
have occurred as a move on model (highlighted purple).
Compliance Requirement 3. “For safety reasons,
C2 =“Every time the event ‘x-ray’ occurs, ‘First Visit Registration’ should
have happened before x-ray.”

PROCESS AUDIT
the rule.
24
precedes x-ray’
C2 =“Every time the event ‘x-ray’ occurs, ‘First Visit Registration’ should
have happened before x-ray.”
precedes x-ray’
InitΩ
P1
F
F
MRI Ω
ΩCT
Final
Fig. 10. Petri-net pattern and a non-
compliant case for ‘CT-Scan and MRI
either a CT-Scan or an MRI test of an organ should
be taken from a patient but not both.” The corre-
sponding compliance rule from the Exclusive cat-
egory has the Petri-net pattern of Fig. 10(top).
We checked this rule and identiﬁed 1092 com-
pliant cases out of 1150. Fig. 10(bottom) shows di-
agnostic information for one non-compliant case.
The relevant sequence of events for this case is
⟨...CT.MRI ...CT...MRI ...⟩. The occurrence of
CT together with MRI is a violation. In addi-
tion, the diagnostic information provided by the
checker clearly shows several violations due to
C3 = “For safety reasons, either a CT-Scan or an MRI test of an organ
should be taken from a patient but not both.”

COMPLIANCE AND CHANGE
-
25
C = M=
Compliant

COMPLIANCE AND CHANGE
-
25
C = M=
Compliant
C`= M`=
?

COMPLIANCE AND CHANGES
Compliance with new regulations:
26
?
C =
M=
Compliant
C`=
M`=

Are regulatory changes consistent?
26
?
C =
M=
Compliant
C`=
M`=

• Reﬁnement of C and C’
26
?
C =
M=
Compliant
C`=
M`=

Are changes in M’ consistent with previous regulations?
26
?
C =
M=
Compliant
C`=
M`=

• Process compliance with C and M'
26
?
C =
M=
Compliant
C`=
M`=

Are modiﬁed versions of the regulations and processes still
compliant?
26
?
C =
M=
Compliant
C`=
M`=

Are modiﬁed versions of the regulations and processes still
compliant?
• Process compliance of C’ and M’
26
?
C =
M=
Compliant
C`=
M`=

PROCESS CHANGE COMPLIANCE
27
M complies
with §2
M‘M
M‘
M partially
complies
with §3
M partially
complies
with §4
M‘ complies
with §2
M‘ violates rule
§3
M‘ complies
with §4
M. Reichert, B. Weber. Enabling Flexibility in Process-
Aware Information Systems. 2012
§2: G(¬MakeDecision (ExaminePatient MakeDecision))
§3: G(ExaminePatient (InformAboutRisks))
§4: G(InformAboutAnesthesia (ScheduleSurgery))

TO SUMMARISE
28

TO SUMMARISE
Compliance is a high-level correctness property, apart from semantic
correctness.
28

TO SUMMARISE
correctness.
A legal, ethical, and regulatory view on how business processes are
correct.
28

TO SUMMARISE
correctness.
correct.
Comes from different sources: law, standards, guidelines, common
practices.
28

TO SUMMARISE
correctness.
correct.
practices.
Compliance is a cross-discipline that involves users from law,
consultancy, security together with process designers.
28

TO SUMMARISE
correctness.
correct.
practices.
It must be ensured at all stages in the business process lifecycle:
Design (compliance checking)
Execution (compliance monitoring)
Auditing (compliance audit)
Change.
28

TO SUMMARISE
correctness.
correct.
practices.
It must be ensured at all stages in the business process lifecycle:
Design (compliance checking)
Execution (compliance monitoring)
Auditing (compliance audit)
Change.
It involves studying the process at multiple dimensions: control ﬂow,
data, organisational & time.
28

EXERCISES
Discuss in groups the following questions:
1. In which cases will be important to have full compliance, and in which
cases will be important to have weak compliance with the rules?
2. Describe one scenario where applying process audit will be more
beneficial than applying process monitoring, and vice-versa.
3. According to the dimensions for compliance rules described earlier, give
examples of compliance rules describing each dimension.
• Can you find examples of multi-dimensional rules?
29
Furthermore, a compliance rule can
(4) impose time-related constraints (e.g.,
“Within 6 months the claim must be de-
cided.”) or can be untimed,(5) prescribe
properties of a single case or of multiple
cases (e.g., “20% of all claims require a
detailed check.”), and (6) prescribe prop-
erties of the process design (e.g., “The
claim process must have a time-out event
handler.”) or properties of the process ex-
ecutions, which can be observed (i.e.,
recorded in an event log).
These six dimensions give rise to
the framework shown in Fig. 1. In this
paper, we present compliance rules for
control flow, data flow as well as organi-
zational aspects, where we focus on un-
timed, observation-based properties of individual cases. The remainder of this section

EXERCISES (II)
4. Using the highlighter tool, make a compliance model of the following law
excerptsa:
30
a. Danish Consolidation act on Social Services, §42.
https://danskelove.dk/serviceloven/42
(1) The municipal council shall pay compensation for loss of earnings to persons maintaining a
child under 18 in the home whose physical or mental function is substantially and permanently
impaired, or who is suffering from serious, chronic or long-term illness. Compensation shall be
subject to the condition that the child is cared for at home as a necessary consequence of the
impaired function, and that it is most expedient for the mother or father to care for the child.
5. Deﬁne a DCR graph that implements the case handling of pay
compensation.
6. Verify whether your process description abides the compliance rules
deﬁned. Optionally, exchange your compliance rules with a
neighbouring group, and check whether your process description
abides them

WANT TO KNOW MORE?
Halfmann, A.: Siemens versiebenfacht Zahl der Compliance-Mitarbeiter (January 2009)
31
J. Jiang, H. Aldewereld, V. Dignum, S. Wang, and Z. Baida, “Regulatory compliance of business processes,” AI &
Soc, vol. 30, no. 3, pp. 393–402, Aug. 2015.
S. Sackmann and M. Kähmer, “ExPDT: A policy-based approach for automating compliance [ExPDT: Ein Policy-
basierter Ansatz zur Automatisierung von Compliance],” Wirtschaftsinformatik, vol. 50, no. 5, pp. 366–374, 2008.
E. Ramezani, D. Fahland, and W. M. P. van der Aalst, “Where Did I Misbehave? Diagnostic Information in
Compliance Checking,” in Business Process Management, 2012, pp. 262–278.
G. Governatori and S. Sadiq, The journey to business process compliance. 2009.
N. Lohmann, “Compliance by design for artifact-centric business processes,” Information Systems, vol. 38, no. 4,
pp. 606–618, 2013.
M. P. Papazoglou, “Making business processes compliant to standards & regulations,” in Proceedings - IEEE
International Enterprise Distributed Object Computing Workshop, EDOC, Helsinki, 2011, pp. 3–13.
D. Knuplesch, M. Reichert, and A. Kumar, “Visually Monitoring Multiple Perspectives of Business Process
Compliance,” in Business Process Management, 2015, pp. 263–279.
M. Reichert, B. Weber. “Enabling Flexibility in Process-Aware Information Systems”. Springer, 2012
Danish Consolidation act on Social Services, §42. https://danskelove.dk/serviceloven/42
S. Sadiq, G. Governatori, and K. Namiri, “Modeling Control Objectives for Business Process Compliance,” in Business Process
Management, 2007, pp. 149–164.

Business process compliance

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (14)

Ähnlich wie Business process compliance

Ähnlich wie Business process compliance (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Business process compliance