ICT Support for Business Process Compliance
ICT Support for Business Process Compliance
Compliance by Design: The Regorous Approach
Guido Governatori
29 WCARS, Brisbane, 26 November 2013
NICTA Funding and Supporting Members and Partners
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 1/34
Product Lifecycle
• Design
• Implementation
• Analysis
GCR Lifecycle
• Compliance
• Conformance/Monitoring
• Auditing
Conformance + Auditing = Continuous Auditing
What is Compliance?
Compliance is an enterprise’s ABILITY to meet all the governing regulations enforced on its business operations.
Regulatory
• Basel II
• Sarbanes-Oxley
• OFAC (USA Patriot Act)
• OSFI “blocked entity” lists
• HIPAA
• Graham-Leach-Bliley
Standards
• Best practice models
• SAP solution maps
• ISO 9000
• Medical guidelines
Contracts
• Service Agreement
• Customer Contract
• Warranty
• Insurance Policy
• Business Partnership
How to ensure compliance?
Compliance is a relationship between two sets of specifications:
alignment of formal specifications for business processes with formal specifications for prescriptive (legal) documents.
• Ensuring that business processes are compliant requires a suitable language for expressing normative specifications, in such a way that
• we can identify formal loopholes, deadlocks and inconsistencies in normative systems, and
• we can make hidden conditions explicit.
Without this, we do not have any guarantee that a given business process is compliant, because we do not know whether all relevant norms have been considered.
Compliance Ecosystem
[Diagram: three spaces. Legal Space: Regulatory Document (new or existing), Domain Experts, (Formal) Specification of obligations, permissions and prohibitions, with Analysis and Translation steps. Process Space: Process Modellers, BP Models (new or existing), BP Execution, Process Data, Process Role(s). Compliance Space: Compliance Checking at design time; Monitoring, Violation Detection and Violation Response at run time. Components are marked New or Existing.]
Compliance Recipe
1 Formal Model of Business Processes
2 Formal Model of Relevant Norms/Normative Frameworks
3 Combine, shake well and serve!
Part I
Business Process Models
Business Process Model
Self-contained, temporal and logical order in which a set of activities are executed to achieve a business goal. It describes:
• What needs to be done and when (control flows)
• What we need to work on (data)
• Who is doing the work (human and system resources)
A language for BPM usually has two elements:
• Tasks are activities to be performed
• Connectors consist of
• sequence (a task is performed after another task),
• parallel (and-split and and-join: tasks are to be executed in parallel),
• choice ((x)or-split and (x)or-join: at least (most) one task in a set of tasks must be executed).
Business Process Model Example
Execution Traces
[Process diagram with tasks A to H.]
t1 : 〈A, B, C, D, E, F, H〉
t2 : 〈A, D, B, C, E, G, H〉
t3 : 〈A, D, B, C, E, F, H〉
. . .
Extending Traces with Annotations
[Process diagram with tasks A, B, C, D.]
Tasks
• A: “turn the light on”
• B: “check if glass is empty”
• C: “fill glass with water”
• D: “turn glass upside-down”
Propositions
• p: “the light is on”
• q: “the glass is full”
Trace 1: 〈A, B, D〉
Trace 2: 〈A, B, C, D〉
• State(i, 1) = { p }, i ∈ { 1, 2 }
• State(1, 2) = { p, q }
• State(2, 2) = { p, ¬q }
• State(2, 3) = { p, q }
• State(1, 3) = { p, ¬q }
• State(2, 4) = { p, ¬q }
Part II
Modelling Norms
Key components of Normative Systems
A normative system is a set of clauses (norms). Norms are modelled as if . . . then rules:
A1, . . . , An ⇒ C
• Definitional clauses (constitutive rules: defining terms used in a legal context)
• Prescriptive clauses (norms defining “normative effects”):
• obligations
• permissions
• prohibitions
• violations
Normative Effects
Obligation: A situation, an act, or a course of action to which a bearer is legally bound, and which, if it is not achieved or performed, results in a violation.
Prohibition: A situation, an act, or a course of action which a bearer should avoid, and which, if it is achieved, results in a violation.
Permission: Something is permitted if the obligation or the prohibition to the contrary does not hold.
Example
Contract fragment
3.1 A “Premium Customer” is a customer who has spent more than $10000 in goods.
3.2 Services marked as “special order” are subject to a 5% surcharge. Premium customers are exempt from the special order surcharge.
5.2 The (Supplier) shall on receipt of a purchase order for (Services) make them available within one day.
5.3 If for any reason the conditions stated in 4.1 or 4.2 are not met the (Purchaser) is entitled to charge the (Supplier) the rate of $100 for each hour the (Service) is not delivered.
Requirements for Modelling Norms
• Norms are subject to exceptions
• Not all obligations are equal
• Norms can be violated (and violations compensated for)
Example: Norms and Exceptions
NATIONAL CONSUMER CREDIT PROTECTION ACT 2009 (Act No. 134 of 2009), Section 29
(1) A person must not engage in a credit activity if the person does not hold a licence authorising the person to engage in the credit activity.
(3) For the purposes of subsections (1) and (2), it is a defence if:
(a) the person engages in the credit activity on behalf of another person (the principal); and
(b) the person is:
(i) an employee or director of the principal or of a related body corporate of the principal; or
(ii) a credit representative of the principal; and . . .
A Legal Zoo
Example: Different Types of Obligations
Australian Telecommunications Consumers Protection Code 2012 (TCPC 2012), Article 8.2.1.
A Supplier must take the following actions to enable this outcome:
(a) Demonstrate fairness, courtesy, objectivity and efficiency:
Suppliers must demonstrate fairness and courtesy, objectivity, and efficiency by:
(i) Acknowledging a Complaint:
A. immediately where the Complaint is made in person or by telephone;
B. within 2 Working Days of receipt where the Complaint is made by: email; . . . .
Example: Different Types of Obligations
Australian National Consumer Credit Protection Act 2009, Schedule 1, Part 2, Section 20: Copy of contract for debtor.
(1) If a contract document is to be signed by the debtor and returned to the credit provider, the credit provider must give the debtor a copy to keep.
(2) A credit provider must, not later than 14 days after a credit contract is made, give a copy of the contract in the form in which it was made to the debtor.
(3) Subsection (2) does not apply if the credit provider has previously given the debtor a copy of the contract document to keep.
Semantics of Achievement Obligations
[Timeline diagram for a preemptive achievement obligation o, with time points t1, n – 1, n, m, m + 1 and z. Segments are labelled o ∉ Force, o ∈ Force and o ∉ Force; the point at which o ∉ State is marked “violation of o”.]
Part III
Business Process Compliance
Business Process Compliance Architecture
[Architecture diagram. Input: an annotated process model (tasks T1 to T7 with postconditions Post1 to Post7) and its logical state representation. Compliance rule base & checker: Legalese is formalised into Rule1, Rule2, . . . Rule9, . . .; the compliance checker evaluates the obligations against the process and feeds a recommendation sub-system (I*(e1) to I*(e4)). Outputs: status report, what-if analysis, recommendations.]
The Journey to Compliance
1 Take or design a business process
2 Annotate the process with:
• effects of the tasks (each task is annotated with the effects it produces)
• rules encoding the norms relevant to the process
Example
[Process diagram with the following tasks.]
A: Enter New Customer Information
B: Identity Check
C: Login for Existing Customer
D: Approve Account Opening
E: Open Account
F: Apply Account Policy
G: Accept Initial Deposit
H: Accept Empty Initial Balance
I: Initiate Account
J: Notify Customer and Close Case
Adding Annotations
[Same process diagram as on the previous slide, with each task annotated as follows.]

| Task | Semantic Annotation |
|---|---|
| A | newCustomer(x) |
| B | checkIdentity(x) |
| C | checkIdentity(x), recordIdentity(x) |
| E | owner(x, y), account(y) |
| F | accountType(y, type) |
| G | positiveBalance(y) |
| H | ¬positiveBalance(y) |
| I | accountActive(y) |
| J | notify(x, y) |
Rules for the Process
• All new customers must be scanned against provided databases for identity checks.
r1 : newCustomer(x) ⇒ O checkIdentity(x)
• Retain history of identity checks performed.
r2 : checkIdentity(x) ⇒ O recordIdentity(x)
• Accounts must maintain a positive balance, unless approved by a bank manager, or for VIP customers.
r3 : account(x) ⇒ O positiveBalance(x) ⊗ O approveManager(x)
r4 : account(x), accountType(x, VIP) ⇒ P ¬positiveBalance(x)
Finally Compliant!
Definition
• A trace is compliant if no task in the trace results in a violation.
• A trace is weakly compliant if every violation is compensated for.
• A process is (weakly) compliant iff all its execution traces are (at least weakly) compliant.
• A process is partially compliant iff there is at least one compliant trace.
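As an added illustration (not code from the slides or from Regorous), the following Python checker propositionalises the rules r1–r4 and the task annotations of the account-opening example, builds the state after each task from cumulative effects as in the annotated-trace slide, and applies the trace-level and process-level definitions above. Assumptions, beyond the slides: x and y are fixed so literals are propositional; task D produces approveManager; F is split into F_std and F_vip; an effect persists until its complement is produced; a permission to the contrary defeats an obligation; and an achievement obligation's deadline is the end of the trace.

```python
from collections import namedtuple
# Rule: body = antecedent literals; kind "O" = obligation chain (head, then its
# compensation, ...), kind "P" = permission. r1-r4 are the slide's rules with x, y fixed.
Rule = namedtuple("Rule", "name body kind heads")
RULES = [
    Rule("r1", {"newCustomer"}, "O", ("checkIdentity",)),
    Rule("r2", {"checkIdentity"}, "O", ("recordIdentity",)),
    Rule("r3", {"account"}, "O", ("positiveBalance", "approveManager")),
    Rule("r4", {"account", "accountType_VIP"}, "P", ("~positiveBalance",)),
]
# Task effects from the slide's annotation table. D's effect, the F_std/F_vip
# split and the persistence of effects until retracted are assumptions.
EFFECTS = {
    "A": {"newCustomer"}, "B": {"checkIdentity"},
    "C": {"checkIdentity", "recordIdentity"}, "D": {"approveManager"},
    "E": {"owner", "account"}, "F_std": {"accountType_std"},
    "F_vip": {"accountType_VIP"}, "G": {"positiveBalance"},
    "H": {"~positiveBalance"}, "I": {"accountActive"}, "J": {"notify"},
}
def neg(lit):  # complement of a literal: 'p' <-> '~p'
    return lit[1:] if lit.startswith("~") else "~" + lit

def states(trace):
    """State after each task: cumulative effects, a literal retracting its complement."""
    out, cur = [], set()
    for task in trace:
        for lit in EFFECTS[task]:
            cur.discard(neg(lit))
            cur.add(lit)
        out.append(frozenset(cur))
    return out

def check_trace(trace):
    """'compliant', 'weakly compliant' (every violation compensated) or 'non-compliant'."""
    sts = states(trace)  # achievement deadline = end of trace (assumption)
    permitted = {h for r in RULES if r.kind == "P"
                 for s in sts if r.body <= s for h in r.heads}
    weak = False
    for r in (r for r in RULES if r.kind == "O"):
        fired = [i for i, s in enumerate(sts) if r.body <= s]
        if not fired:
            continue                      # rule never triggered on this trace
        for depth, head in enumerate(r.heads):
            if neg(head) in permitted:    # permission to the contrary defeats the O
                break
            if any(head in s for s in sts[fired[0]:]):
                weak |= depth > 0         # satisfied only through compensation
                break
        else:
            return "non-compliant"        # violation left uncompensated
    return "weakly compliant" if weak else "compliant"

def check_process(traces):  # the slide's definitions lifted to the process
    res = [check_trace(t) for t in traces]
    if all(r == "compliant" for r in res):
        return "compliant"
    if "non-compliant" not in res:
        return "weakly compliant"
    return "partially compliant" if "compliant" in res else "non-compliant"
```

Running check_trace on the constructed traces C,E,F_std,G,I,J (compliant), C,D,E,F_std,H,I,J (weakly compliant, r3 compensated by D), C,E,F_vip,H,I,J (compliant, r4 permits the empty balance) and A,B,E,F_std,H,I,J (non-compliant, r2 never satisfied) shows each of the definitions in action.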
Regorous Evaluation
http://www.regorous.com
Evaluation of Regorous
Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the complaint handling/management processes of an Australian telco.
• 41 tasks, 12 decision points (xor), 2 loops
• shortest trace: 6 tasks
• longest trace (loop): 33 tasks
• longest trace (no loop): 22 tasks
• over 1000 traces, over 25000 states
Evaluation of Regorous (2)
TCPC 2012 Chapter 8 contains over 100 commas, plus 120 terms (in the Terms and Definitions section). Required 223 propositions, 176 rules.

| Type | Count |
|---|---|
| Punctual Obligation | 5 (5) |
| Achievement Obligation | 90 (110) |
| Achievement, preemptive | 41 (46) |
| Achievement, non preemptive | 49 (64) |
| Achievement, non perdurant | 5 (7) |
| Maintenance Obligation | 11 (13) |
| Prohibition | 7 (9) |
| Prohibition, non perdurant | 1 (4) |
| Permission | 9 (16) |
| Compensation | 2 (2) |
Questions?
Guido Governatori
[email protected]
http://www.regorous.com