A Compliance Management Framework for Business Process Models

Ulm University

Ahmed Mahmoud Hany Aly Awad - Hasso-Plattner-Institut Potsdam, Room: O27/545, Time: 11:30, Date: 10 May 2010

Companies develop process models to explicitly describe their business operations. At the same time, business operations, i.e., business processes, must adhere to various types of compliance requirements. Regulations, e.g., the Sarbanes-Oxley Act of 2002, internal policies, and best practices are just a few sources of compliance requirements. In some cases, non-adherence to compliance requirements makes the organization subject to legal punishment. In other cases, non-adherence leads to loss of competitive advantage and thus loss of market share.
Unlike the classical domain-independent notion of correctness of business processes, compliance requirements are domain-specific. Moreover, they are constantly changing. New requirements might appear due to changes in laws and the adoption of new policies. They are proposed or imposed by different entities with different objectives behind them. Finally, compliance requirements might affect different aspects of business processes. As a result, new approaches and tools are required to cope with these evolving requirements.
This thesis provides a formal approach to support design-time compliance checking of processes. Using visual patterns, compliance rules over control flow, data flow, and conditional rules can be modeled. Each pattern is mapped to a temporal logic formula. With divergent sources of compliance requirements, inconsistent requirements are very likely. As compliance rules are formally expressed in temporal logic, it is possible to automatically decide consistency among rules as well as to automatically check them against process models using model checking.
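To make the pattern-to-formula-to-check pipeline concrete, the following added example (not code from the thesis) treats a constructed, acyclic process model as a set of execution traces, expresses two compliance patterns as finite-trace temporal formulas, reports the violating trace as feedback, and approximates rule consistency by a bounded search for a trace satisfying all rules. Task names, pattern names, and the bounded-search approximation are assumptions for illustration.

```python
from itertools import product

# Constructed process model: acyclic graph of tasks (node -> successors).
# Task names are placeholders, not from the thesis.
PROCESS = {
    "start": ["receive_order"],
    "receive_order": ["check_credit", "ship_goods"],  # second branch skips the check
    "check_credit": ["ship_goods"],
    "ship_goods": ["send_invoice"],
    "send_invoice": ["end"],
    "end": [],
}
TASKS = ["receive_order", "check_credit", "ship_goods", "send_invoice"]

def traces(model, node="start", path=None):
    """Enumerate every execution path of the acyclic model (its set of traces)."""
    path = (path or []) + [node]
    if not model[node]:
        yield path
    for nxt in model[node]:
        yield from traces(model, nxt, path)

# Compliance patterns as finite-trace temporal formulas (assumed pattern names).
def leads_to(a, b):   # G(a -> F b): every a is eventually followed by b
    return lambda t: all(b in t[i + 1:] for i, x in enumerate(t) if x == a)

def precedes(a, b):   # !b W a: b may only occur after some earlier a
    return lambda t: all(a in t[:i] for i, x in enumerate(t) if x == b)

def exists(a):        # F a
    return lambda t: a in t

def absent(a):        # G !a
    return lambda t: a not in t

def check(model, rules):
    """Model-check each rule over all traces; return (rule, violating trace) feedback."""
    return [(name, t) for name, f in rules.items() for t in traces(model) if not f(t)]

def consistent(rules, alphabet, max_len=4):
    """Bounded approximation of satisfiability: do the rules admit any common trace?"""
    for n in range(max_len + 1):
        for t in product(alphabet, repeat=n):
            if all(f(list(t)) for f in rules.values()):
                return True
    return False
```

Running `check(PROCESS, {"credit_before_ship": precedes("check_credit", "ship_goods")})` returns the branch that skips the credit check, which is exactly the part of the model a designer needs to repair.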
In case of violations, we are able to provide useful feedback to the user. The feedback takes the form of the parts of the process model whose execution causes the violation. In some cases, our approach is capable of providing an automated remedy for the violation.