143,916 research outputs found

    SeaFlows – A Compliance Checking Framework for Supporting the Process Lifecycle

    Compliance-awareness is undoubtedly of utmost importance for companies nowadays. Even though an automated approach to compliance checking and enforcement has been advocated in recent literature as a means to tame the high costs for compliance-awareness, the potential of automated mechanisms for supporting business process compliance is not yet depleted. Business process compliance deals with the question whether business processes are designed and executed in harmony with imposed regulations. In this thesis, we propose a compliance checking framework for automating business process compliance verification within process management systems (PrMSs). Such process-aware information systems constitute an ideal environment for the systematic integration of automated business process compliance checking since they bring together different perspectives on a business process and provide access to process data. The objective of this thesis is to devise a framework that enhances PrMSs with compliance checking functionality. As PrMSs enable both the design and the execution of business processes, the designated compliance checking framework must accommodate mechanisms to support these different phases of the process lifecycle. A compliance checking framework essentially consists of two major building blocks: a compliance rule language to capture compliance requirements in a checkable manner and compliance checking mechanisms for verification of process models and process instances. Key to the practical application of a compliance checking framework will be its ability to provide comprehensive and meaningful compliance diagnoses. Based on the requirements analysis and meta-analyses, we developed the SeaFlows compliance checking framework proposed in this thesis. We introduce the compliance rule graph (CRG) language for modeling declarative compliance rules. The language provides modeling primitives with a notation based on nodes and edges. 
A compliance rule is modeled by defining a pattern of activity executions activating a compliance rule and consequences that have to apply once a rule becomes activated. In order to enable compliance verification of process models and process instances, the CRG language is operationalized. Key to this approach is the exploitation of the graph structure of CRGs for representing compliance states of the respective CRGs in a transparent and interpretable manner. For that purpose, we introduce execution states to mark CRG nodes in order to indicate which parts of the CRG patterns can be observed in a process execution. By providing rules to alter the markings when a new event is processed, we enable to update the compliance state for each observed event. The beauty of our approach is that both design and runtime can be supported using the same mechanisms. Thus, no transformation of compliance rules in different representations for process model verification or for compliance monitoring becomes necessary. At design time, the proposed approach can be applied to explore a process model and to detect which compliance states with respect to imposed CRGs a process model is able to yield. At runtime, the effective compliance state of process instances can be monitored taking also the future predefined in the underlying process model into account. As compliance states are encoded based on the CRG structure, fine-grained and intelligible compliance diagnoses can be derived in each detected compliance state. Specifically, it becomes possible to provide feedback not only on the general enforcement of a compliance rule but also at the level of particular activations of the rule contained in a process. In case of compliance violations, this can explain and pinpoint the source of violations in a process. In addition, measures to satisfy a compliance rule can be easily derived that can be seized for providing proactive support to comply. 
Altogether, the SeaFlows compliance checking framework proposed in this thesis can be embedded into an overall integrated compliance management framework

    The practice of the ECtHR in economic and civil law and process: international legal experience

    The article examines the practice of the European Court of Human Rights (hereinafter referred to as the ECtHR) in commercial and civil law and process, in particular, in the context of implementing compliance in the company. In particular, it is determined which complaints regarding which provisions of the Convention affect business compliance practices and which conclusions from relevant cases the business community implements when building a compliance system. The article examines the question of classifying compliance as an asset that constitutes the company's added value, namely, the category of "goodwill" in accordance with the practice of the European Court of Justice in this area. The purpose of the work is to analyze the international legal experience of using the practice of the ECtHR in economic and civil law and process. The methodological basis of this study is the following methods: methods of analysis and synthesis, methods of induction and deduction, the system method, structural method, functional method, technical-dogmatic method, special-legal method, comparative method, method of legal modeling, method of analysis and synthesis, a method of theoretical generalization and systematization. As a result of the study, the foreign experience of implementing the judicial practice of the ECtHR in economic and civil law and process was analyzed

    Fault Detection and Diagnosis for Compliance Monitoring in International Supply Chains

    Currently international supply chains are facing risks concerning faults in compliance, such as altering shipping documentations, fictitious inventory, and inter-company manipulations. In this paper a method to detect and diagnose fault scenarios regarding customs compliance in supply chains is proposed. This method forms part of a general approach called model-based auditing, which is based on a normative meta-model of the movement of money and goods or services. The modeling framework is proposed on compliance monitoring of supply chains with focus on information systems and compliance reporting tools. The innovation lies in the application and mapping of modeling techniques from dynamical systems engineering to business process analysis for audit and supervision purposes. Specifically, the application domain is where money, goods as well as information are transferred between international supply chain partners. A case study of a leading company in electronics manufacturing applying the model is analyzed

    Obstructions in Security-Aware Business Processes

    This Open Access book explores the dilemma-like stalemate between security and regulatory compliance in business processes on the one hand and business continuity and governance on the other. The growing number of regulations, e.g., on information security, data protection, or privacy, implemented in increasingly digitized businesses can have an obstructive effect on the automated execution of business processes. Such security-related obstructions can particularly occur when an access control-based implementation of regulations blocks the execution of business processes. By handling obstructions, security in business processes is supposed to be improved. For this, the book presents a framework that allows the comprehensive analysis, detection, and handling of obstructions in a security-sensitive way. Thereby, methods based on common organizational security policies, process models, and logs are proposed. The Petri net-based modeling and related semantic and language-based research, as well as the analysis of event data and machine learning methods finally lead to the development of algorithms and experiments that can detect and resolve obstructions and are reproducible with the provided software

    A Design Theory for Secure Semantic E-Business Processes (SSEBP)

    This dissertation develops and evaluates a Design theory. We follow the design science approach (Hevener, et al., 2004) to answer the following research question: "How can we formulate a design theory to guide the analysis and design of Secure Semantic eBusiness processes (SSeBP)?" Goals of SSeBP design theory include (i) unambiguously represent information and knowledge resources involved in eBusiness processes to solve semantic conflicts and integrate heterogeneous information systems; (ii) analyze and model business processes that include access control mechanisms to prevent unauthorized access to resources; and (iii) facilitate the coordination of eBusiness process activities-resources by modeling their dependencies. Business processes modeling techniques such as Business Process Modeling Notation (BPMN) (BPMI, 2004) and UML Activity Diagrams (OMG, 2003) lack theoretical foundations and are difficult to verify for correctness and completeness (Soffer and Wand, 2007). Current literature on secure information systems design methods are theoretically underdeveloped and consider security as a non-functional requirement and as an afterthought (Siponen et al. 2006, Mouratidis et al., 2005). SSeBP design theory is one of the first attempts at providing theoretically grounded guidance to design richer secure eBusiness processes for secure and coordinated seamless knowledge exchange among business partners in a value chain. SSeBP design theory allows for the inclusion of non-repudiation mechanisms into the analysis and design of eBusiness processes which lays the foundations for auditing and compliance with regulations such as Sarbanes-Oxley. SSeBP design theory is evaluated through a rigorous multi-method evaluation approach including descriptive, observational, and experimental evaluation. First, SSeBP design theory is validated by modeling business processes of an industry standard named Collaborative Planning, Forecasting, and Replenishment (CPFR) approach. 
Our model enhances CPFR by incorporating security requirements in the process model, which is critically lacking in the current CPFR technical guidelines. Secondly, we model the demand forecasting and capacity planning business processes for two large organizations to evaluate the efficacy and utility of SSeBP design theory to capture the realistic requirements and complex nuances of real inter-organizational business processes. Finally, we empirically evaluate SSeBP, against enhanced Use Cases (Siponen et al., 2006) and UML activity diagrams, for informational equivalence (Larkin and Simon, 1987) and its utility in generating situational awareness (Endsley, 1995) of the security and coordination requirements of a business process. Specific contributions of this dissertation are to develop a design theory (SSeBP) that presents a novel and holistic approach that contributes to the IS knowledge base by filling an existing research gap in the area of design of information systems to support secure and coordinated business processes. The proposed design theory provides practitioners with the meta-design and the design process, including the system components and principles to guide the analysis and design of secure eBusiness processes that are secure and coordinated

    Supporting Information Systems Analysis Through Conceptual Model Query – The Diagramed Model Query Language (DMQL)

    Analyzing conceptual models such as process models, data models, or organizational charts is useful for several purposes in information systems engineering (e.g., for business process improvement, compliance management, model driven software development, and software alignment). To analyze conceptual models structurally and semantically, so-called model query languages have been put forth. Model query languages take a model pattern and conceptual models as input and return all subsections of the models that match this pattern. Existing model query languages typically focus on a single modeling language and/or application area (such as analysis of execution semantics of process models), are restricted in their expressive power of representing model structures, and/or abstain from graphical pattern specification. Because these restrictions may hamper query languages from propagating into practice, we close this gap by proposing a modeling language-spanning structural model query language based on flexible graph search that, hence, provides high structural expressive power. To address ease-of-use, it allows one to specify model queries using a diagram. In this paper, we present the syntax and the semantics of the diagramed model query language (DMQL), a corresponding search algorithm, an implementation as a modeling tool prototype, and a performance evaluation

    Improvement of Preventive Maintenance Process Effectiveness in Insourcing and Outsourcing Scheme with House of Risk (HOR) Method Approach (A Case Study)

    Outsourcing has become the alternative scheme to gain improvement in several fields within a short time to many enterprises. One power generation in North Java implemented PM as planned maintenance strategy to maintain equipment by conducting insourcing and outsourcing scheme as PM execution. Both conditions must follow the same business process flow in PM execution process and there will occur some obstacles that interrupted PM process. The existing problem will be analyzed with House of Risk (HOR) method approach, supported by Integrated Manufacturing Open Systems Architecture (CIMOSA) process-based function modeling for identification method and Supply Chain Risk Identification System (SCRIS) risk structure identification used for mapping problem, root cause, and its relation. Analysis with HOR results in root causes that occurred within PM implementation process for both of them commonly has the same problem that is process business acknowledgment, but in outsourcing scheme not exist root cause on culture compliance and work task requirement, because they have a descriptive target to obtain service level agreement fulfillment. On both scheme still need an improving method to monitor and evaluate the PM work for better performance

    Mine your own business : using process mining to turn big data into real value

    Like most IT-related phenomena, also the growth of event data complies with Moore’s Law. Similar to the number of transistors on chips, the capacity of hard disks, and the computing power of computers, the digital universe is growing exponentially and roughly doubling every 2 years. Although this is not a new phenomenon, suddenly many organizations realize that increasing amounts of “Big Data” (in the broadest sense of the word) need to be used intelligently in order to compete with other organizations in terms of efficiency, speed and service. However, the goal is not to collect as much data as possible. The real challenge is to turn event data into valuable insights. Only process mining techniques directly relate event data to end-to-end business processes. Existing business process modeling approaches generating piles of process models are typically disconnected from the real processes and information systems. Data-oriented analysis techniques (e.g., data mining and machine learning) typically focus on simple classification, clustering, regression, or rule-learning problems. This keynote paper provides pointers to recent developments in process mining thereby clearly showing that process mining provides a natural link between processes and data on the one hand and performance and compliance on the other hand

    Simulation of professional situations at English classes for students of technical specialties

    The paper reveals the role and importance of modeling of professional situations at English classes in higher technical education institutions. The professional situation is defined as purposeful modeling of professionally similar circumstances in the process of learning English and conditions of solving engineering and business tasks, making professional decisions, achieving a successful result of business communication. The purpose of the paper is to analyze the content and requirements for modeling of professional situations in the process of studying English by the future specialists in engineering. Realization of the purpose demands performance of the following tasks: 1) define the essence of modeling of professional situations; 2) substantiate the conditions for effective modeling of professional situations at English classes in higher technical educational institutions; 3) offer examples of modeling professional situations at English classes in higher technical educational institutions. In the process of scientific research the methods of analysis, synthesis, generalization, systematization, inference, observation have been used. The components of the professional educational situation and the factors that need to be taken into account in the process of its use are identified. The examples of modeling professional situations during the study of the discipline “Practical Course of Foreign language for Business Communication” in higher technical education institutions are given. The forms of modeling of professional situations (individual, pair, group) which are directed on the formation of competences of professional English communication according to various roles of professional activity (head – subordinate, subordinate – subordinate, subordinate – collective) are defined. 
Special emphasis is focused on the examples of modeling of professional situations through the use of game modeling (role-playing games: controlled, improvised), method of case study and discussion. The requirements to be met in the process of modeling of professional situations: compliance with certain goals (formation of knowledge on the topic, development of ability to analyze complex problems; education of a sense of responsibility for their decisions, moral and personal qualities, etc.); compliance with the level of complexity of students’ learning opportunities; illustration of typical situations from the real facts of professional activity; use of discussion method; variability of decisions of a situation are pointed out