cobi 2014 - designing a meta model as the foundation for compliance capability

Designing a Meta Model as the Foundation for Compliance Capability

STRATIGAKI CHRISTINA, PROF. LOUCOPOULOS PERICLES, PROF. NIKOLAIDOU MARA

HAROKOPIO UNIVERSITY OF ATHENS

Upload: caas-eu-fp7-project

Post on 13-Jul-2015



DIT@HUA 2

Overview

Scientific context

Design rationale

Design a compliance meta-model

Testing through a use case

Conclusions & Future work


Scientific context-Definitions

Concept of compliance: Compliance denotes that the execution of certain business processes complies with a set of regulations [1].

Compliance capability: Have the ability and the capacity to manage regulations within an organization.

Why? It is faced differently across all businesses [6].

1. Business owner’s awareness of regulation [4]

2. Different attitudes [3]

3. Capacity of business owner to discover, interpret and adapt to a regulation [5]

[1] Sadiq, S., et al. (2007). Modeling Control Objectives for Business Process Compliance. 5th International Conference on Business Process Management.

[2] Yapp, C. and Fairman, R. Assessing Compliance with Food Safety Legislation in Small Businesses. British Food Journal, 107, 3 (2005), 150-161.

[3] Vickers, I., James, P., Smallbone, D. and Baldock, R. Understanding Small Firm Responses to Regulation: the Case of Workplace Health and Safety. Policy Studies, 26, 2 (2005), 149-169.

[4] Small_Business_Research_Centre. The Impact of Regulation on Small Business Performance. 2008.

[5] Blackburn, R., Hart, M., Smallbone, D., Kitching, J., Eadson, W. and Bannon, K. Analysis of the Impact of the Tax System on the Cash Flow of Small Businesses: A Report for HM Revenue and Customs (HMRC). 2005.

[6] Edwards, P., Ram, M. and Black, J. The Impact of Employment Legislation on Small Firms: a Case Study Analysis. DTI Employment Relations Research Series No. 20 (2003).


Scientific context-Objective

Regulatory Compliance

Capability to manage regulations

Develop a solid methodology

Concept of compliance

Compliance capability

Objective

Business processes will ensure that enterprise actors conform to a set of standards.

Information system will assist in process enactment.

HOW?


Scientific context- Primary Scope

1. Define a meta-model that could act as the kernel of a compliance development methodology.

2. Use the meta-model as the means of developing a repository for supporting such a methodology.


Scientific context-Analysis of existing approaches

COMPAS [1]: Focused on compliance awareness. Model-driven engineering approach that used annotation techniques for relating system and requirement models at design-time.

Sadiq, Governatori et al. 2007 [3]: Modelling control objectives within BP structures. A basic model to capture compliance requirements.

COSO Framework [2]: Offered the internalization of abstract compliance requirements into a set of organization-specific concrete norms.

[1] Papazoglou, M. P. (2011). Making Business Processes Compliant to Standards & Regulations. The 16th IEEE International Enterprise Computing Conference (EDOC 2011). Helsinki, Finland.

[1] Turetken, O., et al. (2012). "Capturing Compliance Requirements: A Pattern-Based Approach." IEEE Software May/June 2012: 28-36.

[1] Turetken, O., et al. (2011). Enforcing compliance on business processes through the use of patterns. European Conference on Information Systems (ECIS 2011). Helsinki, Finland: Paper No. 5.

[2] COSO Internal Control – Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission City, 1994.

[3] Sadiq, S., et al. (2007). Modeling Control Objectives for Business Process Compliance. 5th International Conference on Business Process Management.


Scientific context-Scope

Design a compliance meta-model with a specific focus on the description and identification of the compliance domain. It is essential to develop a meta-model for compliance management that will be useful and ready to be applied in all phases of the BP lifecycle.


Proposed meta-model for compliance

The functionality of the meta-model would be the semantic definition and description of the notions of compliance.

The methodology followed for the construction of the meta-model is presented as a design rationale [1].

[Figure: Design rationale analysis. Labels: Problem Setting, Problem Analysis, Goal, Hypotheses, Justifications, Design Action, Evaluation, Resolution]

[1] Conklin, E. J. and K. C. B. Yakemovic (1991) A Process-Oriented Approach to Design Rationale, Human-Computer Interaction 6(3,4): 357-391.

[1] Lee, J. and K.-Y. Lai (1991) What's in Design Rationale?, Human-Computer Interaction 6(3,4): 251-280.

[1] Jarczyk, A. P. J., P. Loffler and F. M. Shipman III (1992) Design Rationale for Software Engineering: A Survey, 25th Hawaii International Conference on System Sciences, Kauai, Hawaii, IEEE Computer Society Press: 577-586.

[1] Louridas, P. and Loucopoulos, P. (2000) A Generic Model for Reflective Design, ACM Transactions on Software Engineering and Methodology 9(2): 199-237.


Compendium concepts


Starting point

Maintain the entities:

Compliance source (further analysis)

Compliance rule (further analysis)

Examine the section of BPs as a compliance rule target


Proposed compliance meta-model

Compendium concepts


Compliance Meta-model Testing Example


Use the sections of the meta-model (teleology, methodology and ontology) as a conceptual compass

Variability and differentiability among the legal documents

Examine the usability of the proposed entities

Instantiate the meta-model / Design Rationale

Port Authority Act - Montserrat

HealthCare Regulation of Massachusetts

SLA - Managed IT Support

Compendium concepts

Healthcare regulation [1] instance of Teleology and Methodology sections

Teleology

Methodology

[1] State_of_Massachusetts General Laws-Public Health. City, 2012.


Ontology/Applicability section-Abortion regulation

Complex rules

CR1 Description: If a pregnancy has existed for less than twenty-four weeks no abortion may be performed except by a physician and only if, in the best medical judgment of a physician, the abortion is necessary under all attendant circumstances.

MTL Expression: Pregnancy CoExists Judgment_of_Abortion_as_Necessary LeadsTo Performance_of_Abortion PerformedBy Physician

Simple Rules

SR1a Text Description: If a pregnancy has existed for less than twenty-four weeks no abortion may be performed except by a physician.

MTL Expression: Pregnancy ExistsMax 24 weeks LeadsTo Performance_of_Abortion PerformedBy Physician

SR1b Text Description: The abortion may be performed only if the physician has ruled as necessary under all attendant circumstances.

MTL Expression: Judgment_of_Abortion_as_Necessary LeadsTo Performance_of_Abortion PerformedBy Physician


Remarks about the instantiations

In every instance the perception of each entity was the same for the modeler.

The use of patterns and MTL expressions improves the understanding of a rule’s syntax.

The methodology section of the meta-model is very important for compliance management and categorization.

Complex and simple rule entities accurately describe the structure of a rule, both semantically and lexically.

The applicability section of the meta-model perfectly defines the factors that a rule affects.

Ontological analysis

Evaluation of completeness and expressiveness of the proposed meta-model.

The ontological analysis requires a representation of the mapping of the ontological concepts to their corresponding meta-model concepts.

An ontology in OWL will increase the usability of the meta-model


Ongoing research


Ongoing research- OWL Ontology


Open issues

Possible changes and adjustments in the meta-model

Further study and analysis on the methods of extraction rules from a legal document

Combine textual and semantic extraction of rules for robust results

Evolve the OWL ontology

Ontology-Reasoning

THANK YOU
