ICT Support for Business Process ComplianceCompliance by Design: The Regorous Approach
Guido Governatori
29 WCARS, Brisbane, 26 November 2013
NICTA Funding and Supporting Members and Partners
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 1/34
Product Lifecycle
• Design
• Implementation
• Analysis
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 2/34
GCR Lifecycle
• Compliance
• Conformance/Monitoring
• Auditing
Conformance + Auditiong = Continuous Auditing
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 3/34
What is Compliance?
Compliance is an enterprise’s ABILITY to meet all the governing regula-tions enforced on its business operations
Regulatory• Basel II
• Sarbanes-Oxley
• OFAC (USA PatriotAct)
• OSFI “blocked entity”lists
• HIPAA
• Graham-Leach-Bliley
Standards• Best practice models
• SAP solution maps
• ISO 9000
• Medical guidelines
Contracts• Service Agreement
• Customer Contract
• Warranty
• Insurance Policy
• Business Partnership
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 4/34
How to ensure compliance?
Compliance is a relationship between two sets of specifications
Alignment of formal specifications for business processes and formal spe-cifications for prescriptive (legal) documents.
• Ensuring that business processes are compliant requires a suitablelanguage for expressing normative specifications in such a way as• we can identify formal loopholes, deadlocks and inconsistencies in
normative systems, and• we can make hidden conditions explicit
Without this, we do not have any guarantee that a given businessprocess is compliant, because we do not know if all relevant norms havebeen considered
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 5/34
Compliance Ecosystem
Legal Space Process SpaceCompliance Space
Process Data
BP Execution
Compliance Checking
Regulatory Document
(Formal) Specification
<obligations>;<permissions>;<prohibitions;
Analysis
Translation
Monitoring
ViolationResponse
Domain ExpertsProcess Modellers
BP Models
Design TIme
Run Time
ProcessRole(s)
New or Existing
New or Existing New
Existing
Existing
ExistingExisting
ViolationDetection
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 6/34
Compliance Recipe
1 Formal Model of Business Processes
2 Formal Model of Relevant Norms/Normative Frameworks
3 Combine, shake well and serve!
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 7/34
Part I
Business Process Models
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 8/34
Business Process Model
Self-contained, temporal and logical order in which a set of activities areexecuted to achieve a business goal. It describes:
• What needs be done and when (control flows)
• What we need to work on (data)
• Who is doing the work (human and system resources)
A language for BPM usually has two elements:
• Tasks are activities to be performed• Connectors consist of
• sequence (a task is performed after another task),• parallel—and-split and and-join—(tasks are to be executed in
parallel),• choice—(x)or-split and (x)or-join—(at least (most) one task in a set of
task must be executed).
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 9/34
Business Process Model Example
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 10/34
Execution Traces
A
B
D
C
E
F
G
H
t1 : 〈A, B, C, D, E , F , H〉t2 : 〈A, D, B, C, E , G, H〉t3 : 〈A, D, B, C, E , F , H〉. . .
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 11/34
Extending Traces with Annotations
A B
C
D
Tasks
• A: “turn the light on”
• B: “check if glass is empty”
• C: “fill glass with water”
• D: “turn glass upside-down”
Propositions
• p: “the light is on”
• q: “the glass is full”
Trace 1: 〈A, B, D〉Trace 2: 〈A, B, C, D〉• State(i , 1) = { p }, i ∈ { 1, 2 }
• State(1, 2) = { p, q }
• State(2, 2) = { p,¬q }
• State(2, 3) = { p, q }
• State(1, 3) = { p,¬q }
• State(2, 4) = { p,¬q }
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 12/34
Part II
Modelling Norms
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 13/34
Key components of Normative Systems
A normative system is a set of clauses (norms).Norms are modelled as if . . . then rules
A1, . . . , An ⇒ C
• Definitional clauses (constitutive rules: defining terms used in alegal context)
• Prescriptive clauses (norms defining “normative effects”)• obligations• permissions• prohibitions• violations
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 14/34
Normative Effects
Obligation A situation, an act, or a course of action to which a beareris legally bound, and if it is not achieved or performedresults in a violation.
Prohibition A situation, an act, or a course of action which a bearershould avoid, and if it is achieved results in a violation.
Permission Something is permitted if the obligation or the prohibition tothe contrary does not hold.
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 15/34
Example
Contract fragment
3.1 A “Premium Customer” is a customer who has spent more that$10000 in goods.
3.2 Services marked as “special order” are subject to a 5% surcharge.Premium customers are exempt from special order surcharge.
5.2 The (Supplier) shall on receipt of a purchase order for (Services)make them available within one day.
5.3 If for any reason the conditions stated in 4.1 or 4.2 are not met the(Purchaser) is entitled to charge the (Supplier) the rate of $100 foreach hour the (Service) is not delivered.
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 16/34
Requirements for Modelling Norms
• Norms are subject to exceptions
• Not all obligations are equals
• Norms can be violated (and violations compensated for)
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 17/34
Example: Norms and Exceptions
NATIONAL CONSUMER CREDIT PROTECTION ACT 2009 (Act No. 134of 2009) Section 29
(1) A person must not engage in a credit activity if the person does nothold a licence authorising the person to engage in the credit activity.
(3) For the purposes of subsections (1) and (2), it is a defence if:(a) the person engages in the credit activity on behalf of another person
(the principal); and(b) the person is:
(i) an employee or director of the principal or of a related body corporateof the principal; or
(ii) a credit representative of the principal; and . . .
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 18/34
A Legal Zoo
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 19/34
Example: Different Types of Obligations
Australian Telecommunications Consumers Protection Code 2012(TCPC 2012). Article 8.2.1.A Supplier must take the following actions to enable this outcome:(a) Demonstrate fairness, courtesy, objectivity and efficiency:
Suppliers must demonstrate, fairness and courtesy, objectivity, andefficiency by:
(i) Acknowledging a Complaint:A. immediately where the Complaint is made in person or by telephone;B. within 2 Working Days of receipt where the Complaint is made by:
email; . . . .
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 20/34
Example: Different Types of Obligations
Australian National Consumer Credit Protection Act 2009. Schedule 1,Part 2, Section 20: Copy of contract for debtor.
(1) If a contract document is to be signed by the debtor and returned tothe credit provider, the credit provider must give the debtor a copy tokeep.
(2) A credit provider must, not later than 14 days after a credit contractis made, give a copy of the contract in the form in which it was madeto the debtor.
(3) Subsection (2) does not apply if the credit provider has previouslygiven the debtor a copy of the contract document to keep.
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 21/34
Semantics of Achievement Obligations
Achievement preemptive
t1 n – 1
o /∈ Force
n m m + 1
o /∈ Force
z
o ∈ Force
o /∈ State violation of o
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 22/34
Part III
Business Process Compliance
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 23/34
Business Process Compliance Architecture
Recommendations
Wh
at-if
an
alys
is
Sta
tus
repo
rt
Compliance checker
Obligations
Input
Annotated process model
.
.
.
Logical state representation
FormalisationLegaleseRule1
Rule2
Rule3
Rule4
Rule5
Rule6
Rule7
Rule8
Rule9
...
Compliance rule base & checker
Recommendation sub-system
I*(e1)
I*(e3)
I*(e4)
I*(e2)
T2
Post2
T1
Post1
T4
Post4
T3
Post3
T5
Post5
T6
Post6T7
Post7
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 24/34
The Journey to Compliance
1 Take or design a business process2 Annotate the process
• effects of the tasks (each task is annotated with the effects itproduces)
• rules encoding the norms relevant to the process
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 25/34
Example
A: Enter New Customer
Information
B: Identity Check
J: Notify Customer and Close Case
G: Accept initial Deposit
F: Apply Account Policy
E: Open Account
D: Approve Account Opening
I: Initiate Account
C: Login for Existing
Customer
H: Accept Empty Initial
Balance
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 26/34
Adding Annotations
A: Enter New Customer
Information
B: Identity Check
J: Notify Customer and Close Case
G: Accept initial Deposit
F: Apply Account Policy
E: Open Account
D: Approve Account Opening
I: Initiate Account
C: Login for Existing
Customer
H: Accept Empty Initial
Balance
Task Semantic AnnotationA newCustomer (x)B checkIdentity (x)C checkIdentity (x), recordIdentity (x)E owner (x , y ), account(y )F accountType(y , type)G positiveBalance(y )H ¬positiveBalance(y )I accountActive(y )J notify (x , y )
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 27/34
Rules for the Process
• All new customers must be scanned against provided databases foridentity checks.
r1 : newCustomer (x)⇒ O checkIdentity (x)
• Retain history of identity checks performed.
r2 : checkIdentity (x)⇒ O recordIdentity (x)
• Accounts must maintain a positive balance, unless approved by a bankmanager, or for VIP customers.
r3 : account(x)⇒ O positiveBalance(x)⊗ O approveManager (x)
r4 : account(x), accountType(x , VIP)⇒ P ¬positiveBalance(x)
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 28/34
Finally Compliant!
Definition
• A trace is compliant if no task in the trace results in a violation
• A trace is weakly compliant if every violation is compensated for
• A process is (weakly) compliant iff all its execution traces are (atleast weakly) compliant.
• A process is partially compliant iff there is at least on complianttrace.
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 29/34
Regorous Evaluation
http://www.regorous.com
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 30/34
Evaluation of Regorous
Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the complianthandling/management processes of an Australian telco.41 tasks, 12 decision points (xor), 2 loopsshortest trace: 6 traces longest trace (loop): 33 taskslongest trace (no loop): 22 tasksover 1000 traces, over 25000 states
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 31/34
Evaluation of Regorous (2)
TCPC 2012 Chapter 8. Contains over 100 commas, plus 120 terms(in Terms and Definition Section).Required 223 propositions, 176 rules.
Punctual Obligation 5 (5)
Achievement Obligation 90 (110)
Preemptive 41 (46)Non preemptive 49 (64)
Non perdurant 5 (7)
Maintenance Obligation 11 (13)
Prohibition 7 (9)Non perdurant 1 (4)
Permission 9 (16)
Compensation 2 (2)
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 32/34
Questions?Guido Governatori
[email protected]://www.regorous.com
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 33/34
References
Guido Governatori.Representing business contracts in RuleML.International Journal of Cooperative Information Systems, 14(2-3):181–216, 2005.
Guido Governatori.Business Process Compliance: An Abstract Framework.IT: Information Technology, 55(6):1–8, 2013.
Guido Governatori and Antonino Rotolo.Norm Compliance in Business Process Modeling.In RuleML 2010, LNCS 6403, pp. 194–209, Springer, 2010.
Guido Governatori and Shazia Sadiq.The journey to business process compliance.In J. Cardoso and W. van der Aalst (eds) Handbook of Research on BPM, pp. 429–457, IGI Global, 2009.
Guido Governatori and Sideny ShekRule Based Business Process ComplianceIn RuleML2012 Challenge, CEUR 874, paper 5, 2012
Shazia Sadiq and Guido Governatori.Managing regulatory compliance in business processes.In J. van Brocke and M. Rosemann (eds) Handbook of Business Process Management vol. 2, pp. 159-175,Springer, 2009.
ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 34/34
Top Related