
DESCRIPTION

Paper presented at 29 World Continuous Auditing and Reporting Symposium, Brisbane, 21-22 November 2013. Paper available at http://www.governatori.net/papers/2013/wcars2013support.pdf ABSTRACT: In this paper we propose an ICT (Information and Communication Technology) approach to support regulatory compliance for business processes, and we report on the development and evaluation of a business process compliance checker called Regorous, based on the compliance-by-design methodology proposed by Governatori and Sadiq

TRANSCRIPT

Page 1: ICT Support for Business Process Compliance

ICT Support for Business Process Compliance

Compliance by Design: The Regorous Approach

Guido Governatori

29 WCARS, Brisbane, 26 November 2013

NICTA Funding and Supporting Members and Partners

ICT Support for Business Process Compliance Copyright NICTA 2013 Guido Governatori 1/34

Page 2: ICT Support for Business Process Compliance

Product Lifecycle

• Design

• Implementation

• Analysis


Page 3: ICT Support for Business Process Compliance

GCR Lifecycle

• Compliance

• Conformance/Monitoring

• Auditing

Conformance + Auditing = Continuous Auditing

Page 4: ICT Support for Business Process Compliance

What is Compliance?

Compliance is an enterprise's ABILITY to meet all the governing regulations enforced on its business operations

Regulatory
• Basel II
• Sarbanes-Oxley
• OFAC (USA Patriot Act)
• OSFI "blocked entity" lists
• HIPAA
• Gramm-Leach-Bliley

Standards
• Best practice models
• SAP solution maps
• ISO 9000
• Medical guidelines

Contracts
• Service Agreement
• Customer Contract
• Warranty
• Insurance Policy
• Business Partnership

Page 5: ICT Support for Business Process Compliance

How to ensure compliance?

Compliance is a relationship between two sets of specifications

Alignment of formal specifications for business processes and formal specifications for prescriptive (legal) documents.

• Ensuring that business processes are compliant requires a suitable language for expressing normative specifications in such a way that
  • we can identify formal loopholes, deadlocks and inconsistencies in normative systems, and
  • we can make hidden conditions explicit

Without this, we do not have any guarantee that a given business process is compliant, because we do not know if all relevant norms have been considered

Page 6: ICT Support for Business Process Compliance

Compliance Ecosystem

[Figure: Compliance Ecosystem. Three spaces: the Legal Space (a regulatory document is translated by domain experts into a formal specification of obligations, permissions and prohibitions), the Compliance Space (analysis and compliance checking against the BP models at design time; monitoring, violation detection and violation response against BP execution at run time) and the Process Space (process modellers, BP models, BP execution, process data and process roles). Each component is marked as new or existing.]

Page 7: ICT Support for Business Process Compliance

Compliance Recipe

1 Formal Model of Business Processes

2 Formal Model of Relevant Norms/Normative Frameworks

3 Combine, shake well and serve!


Page 8: ICT Support for Business Process Compliance

Part I

Business Process Models


Page 9: ICT Support for Business Process Compliance

Business Process Model

Self-contained, temporal and logical order in which a set of activities are executed to achieve a business goal. It describes:

• What needs to be done and when (control flows)
• What we need to work on (data)
• Who is doing the work (human and system resources)

A language for BPM usually has two elements:

• Tasks are activities to be performed
• Connectors consist of
  • sequence (a task is performed after another task),
  • parallel, i.e. and-split and and-join (tasks are to be executed in parallel),
  • choice, i.e. (x)or-split and (x)or-join (at least (at most) one task in a set of tasks must be executed).

Page 10: ICT Support for Business Process Compliance

Business Process Model Example


Page 11: ICT Support for Business Process Compliance

Execution Traces

[Figure: process model with tasks A to H.]

t1 : ⟨A, B, C, D, E, F, H⟩
t2 : ⟨A, D, B, C, E, G, H⟩
t3 : ⟨A, D, B, C, E, F, H⟩
...

Page 12: ICT Support for Business Process Compliance

Extending Traces with Annotations

[Figure: process with tasks A, B, C, D; C lies on an optional branch.]

Tasks

• A: “turn the light on”

• B: “check if glass is empty”

• C: “fill glass with water”

• D: “turn glass upside-down”

Propositions

• p: “the light is on”

• q: “the glass is full”

Trace 1: ⟨A, B, D⟩
Trace 2: ⟨A, B, C, D⟩

• State(i, 1) = { p }, i ∈ { 1, 2 }
• State(1, 2) = { p, q }
• State(2, 2) = { p, ¬q }
• State(1, 3) = { p, ¬q }
• State(2, 3) = { p, q }
• State(2, 4) = { p, ¬q }

Page 13: ICT Support for Business Process Compliance

Part II

Modelling Norms


Page 14: ICT Support for Business Process Compliance

Key components of Normative Systems

A normative system is a set of clauses (norms). Norms are modelled as if ... then rules

A1, ..., An ⇒ C

• Definitional clauses (constitutive rules: defining terms used in a legal context)
• Prescriptive clauses (norms defining "normative effects")
  • obligations
  • permissions
  • prohibitions
  • violations

Page 15: ICT Support for Business Process Compliance

Normative Effects

Obligation: A situation, an act, or a course of action to which a bearer is legally bound, and if it is not achieved or performed results in a violation.

Prohibition: A situation, an act, or a course of action which a bearer should avoid, and if it is achieved results in a violation.

Permission: Something is permitted if the obligation or the prohibition to the contrary does not hold.

Page 16: ICT Support for Business Process Compliance

Example

Contract fragment

3.1 A "Premium Customer" is a customer who has spent more than $10000 in goods.

3.2 Services marked as "special order" are subject to a 5% surcharge. Premium customers are exempt from special order surcharge.

5.2 The (Supplier) shall on receipt of a purchase order for (Services) make them available within one day.

5.3 If for any reason the conditions stated in 4.1 or 4.2 are not met the (Purchaser) is entitled to charge the (Supplier) the rate of $100 for each hour the (Service) is not delivered.

Page 17: ICT Support for Business Process Compliance

Requirements for Modelling Norms

• Norms are subject to exceptions

• Not all obligations are equals

• Norms can be violated (and violations compensated for)


Page 18: ICT Support for Business Process Compliance

Example: Norms and Exceptions

NATIONAL CONSUMER CREDIT PROTECTION ACT 2009 (Act No. 134 of 2009) Section 29

(1) A person must not engage in a credit activity if the person does not hold a licence authorising the person to engage in the credit activity.

(3) For the purposes of subsections (1) and (2), it is a defence if:
(a) the person engages in the credit activity on behalf of another person (the principal); and
(b) the person is:
(i) an employee or director of the principal or of a related body corporate of the principal; or
(ii) a credit representative of the principal; and ...

Page 19: ICT Support for Business Process Compliance

A Legal Zoo


Page 20: ICT Support for Business Process Compliance

Example: Different Types of Obligations

Australian Telecommunications Consumers Protection Code 2012 (TCPC 2012). Article 8.2.1. A Supplier must take the following actions to enable this outcome:

(a) Demonstrate fairness, courtesy, objectivity and efficiency: Suppliers must demonstrate fairness and courtesy, objectivity, and efficiency by:
(i) Acknowledging a Complaint:
A. immediately where the Complaint is made in person or by telephone;
B. within 2 Working Days of receipt where the Complaint is made by: email; ...

Page 21: ICT Support for Business Process Compliance

Example: Different Types of Obligations

Australian National Consumer Credit Protection Act 2009. Schedule 1, Part 2, Section 20: Copy of contract for debtor.

(1) If a contract document is to be signed by the debtor and returned to the credit provider, the credit provider must give the debtor a copy to keep.

(2) A credit provider must, not later than 14 days after a credit contract is made, give a copy of the contract in the form in which it was made to the debtor.

(3) Subsection (2) does not apply if the credit provider has previously given the debtor a copy of the contract document to keep.

Page 22: ICT Support for Business Process Compliance

Semantics of Achievement Obligations

Achievement, preemptive

[Figure: timeline of an obligation o. Time points t1 ... n-1: o ∉ Force. Time points n ... m: o ∈ Force. Time points m+1 ... z: o ∉ Force. At the deadline m, if o ∉ State, then violation of o.]
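The diagram above fixes only the preemptive achievement case. The following added example (not code from the deck or from Regorous) evaluates the obligation types named on pages 20-22 and counted on page 32 over a timed trace, using the page 20 and 21 provisions as inputs. Assumptions: one state per time point (days); an obligation on literal o is in force from n up to and including m; the preemptive reading is the one drawn above (o observed at any point up to m fulfils it, even before n); punctual (o exactly at n), non-preemptive achievement (o somewhere in [n, m]) and maintenance (o at every point of [n, m]) follow the usual reading of those terms, which the slides name but do not define; the traces, and the reading of s. 29(1) as a maintenance obligation on holding a licence, are constructed for illustration.

```python
"""Deadline semantics for punctual, achievement (preemptive or not) and
maintenance obligations over a timed trace.  Added example; the readings of
the obligation types other than the preemptive one drawn on page 22 are
assumptions, not definitions taken from the deck."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    literal: str
    start: int          # n: first time point at which the obligation is in force
    deadline: int       # m: last time point at which it is in force
    kind: str           # "punctual" | "achievement" | "maintenance"
    preemptive: bool = False


def evaluate(ob, trace):
    """Return ("fulfilled", t) or ("violated", t), t being the time point at
    which the outcome is decided, or ("pending", None) when the trace ends
    before the outcome is decided (the run-time monitoring case)."""
    last = len(trace) - 1
    holds = lambda t: ob.literal in trace[t]
    if ob.kind == "punctual":           # o must hold exactly at n
        if ob.start > last:
            return ("pending", None)
        return ("fulfilled", ob.start) if holds(ob.start) else ("violated", ob.start)
    if ob.kind == "maintenance":        # o must hold at every point of [n, m]
        for t in range(ob.start, min(ob.deadline, last) + 1):
            if not holds(t):
                return ("violated", t)
        return ("fulfilled", ob.deadline) if ob.deadline <= last else ("pending", None)
    # achievement: one occurrence of o suffices; preemptive also looks before n
    first = 0 if ob.preemptive else ob.start
    for t in range(first, min(ob.deadline, last) + 1):
        if holds(t):
            return ("fulfilled", t)
    return ("violated", ob.deadline) if ob.deadline <= last else ("pending", None)


def timeline(length, acts):
    """Constructed trace: acts maps a time point (day) to the literals that are
    true at that point only, e.g. the day a copy of the contract is given."""
    return [frozenset(acts.get(t, ())) for t in range(length)]


# NCCP Act Sch. 1 s. 20(2)-(3), page 21: copy of the contract within 14 days of
# the contract being made (day 2 here); a copy given earlier also counts.
S20_PRE = Obligation("copyGiven", start=2, deadline=16, kind="achievement", preemptive=True)
S20_NONPRE = Obligation("copyGiven", start=2, deadline=16, kind="achievement")
EARLY = timeline(20, {1: {"copyGiven"}, 2: {"contractMade"}})   # constructed
LATE = timeline(20, {2: {"contractMade"}, 10: {"copyGiven"}})   # constructed
NEVER = timeline(20, {2: {"contractMade"}})                     # constructed

# TCPC 2012 8.2.1(a)(i), page 20: acknowledge a complaint made in person
# immediately (day 4), or within 2 working days if made by email.
ACK_IN_PERSON = Obligation("acknowledged", 4, 4, "punctual")
ACK_BY_EMAIL = Obligation("acknowledged", 4, 6, "achievement")
ACK_NEXT_DAY = timeline(10, {4: {"complaint"}, 5: {"acknowledged"}})   # constructed

# NCCP Act s. 29(1), page 18, read (assumption) as a maintenance obligation:
# hold a licence at every point while engaging in credit activity (days 3..9).
LICENSED = Obligation("licensed", 3, 9, "maintenance")
LAPSED = timeline(12, {t: {"licensed"} for t in range(0, 7)})   # constructed

if __name__ == "__main__":
    cases = [("s20 preemptive, early copy", S20_PRE, EARLY),
             ("s20 non-preemptive, early copy", S20_NONPRE, EARLY),
             ("s20 preemptive, no copy", S20_PRE, NEVER),
             ("in-person ack next day", ACK_IN_PERSON, ACK_NEXT_DAY),
             ("email ack next day", ACK_BY_EMAIL, ACK_NEXT_DAY),
             ("licence lapsed mid-activity", LICENSED, LAPSED)]
    for name, ob, tr in cases:
        print(f"{name}: {evaluate(ob, tr)}")
```

The early copy fulfils the preemptive reading on day 1 but violates the non-preemptive one at the deadline, which is exactly the difference subsection (3) makes; truncating a trace before the deadline (as a monitor sees it at run time) yields "pending" rather than a verdict.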

Page 23: ICT Support for Business Process Compliance

Part III

Business Process Compliance


Page 24: ICT Support for Business Process Compliance

Business Process Compliance Architecture

[Figure: Business Process Compliance Architecture. Legalese is formalised into a rule base (Rule1, Rule2, ..., Rule9, ...) that feeds the compliance rule base and checker. The annotated process model (tasks T1 to T7 with postconditions Post1 to Post7) is turned into a logical state representation. The compliance checker takes obligations as input and produces a status report, what-if analysis and, through the recommendation sub-system, recommendations.]

Page 25: ICT Support for Business Process Compliance

The Journey to Compliance

1 Take or design a business process
2 Annotate the process
  • effects of the tasks (each task is annotated with the effects it produces)
  • rules encoding the norms relevant to the process

Page 26: ICT Support for Business Process Compliance

Example

[Figure: account-opening process with the following tasks.]

A: Enter New Customer Information
B: Identity Check
C: Login for Existing Customer
D: Approve Account Opening
E: Open Account
F: Apply Account Policy
G: Accept Initial Deposit
H: Accept Empty Initial Balance
I: Initiate Account
J: Notify Customer and Close Case

Page 27: ICT Support for Business Process Compliance

Adding Annotations

[Figure: the account-opening process of the previous page, with each task annotated.]

A: Enter New Customer Information
B: Identity Check
C: Login for Existing Customer
D: Approve Account Opening
E: Open Account
F: Apply Account Policy
G: Accept Initial Deposit
H: Accept Empty Initial Balance
I: Initiate Account
J: Notify Customer and Close Case

Task  Semantic Annotation
A     newCustomer(x)
B     checkIdentity(x)
C     checkIdentity(x), recordIdentity(x)
E     owner(x, y), account(y)
F     accountType(y, type)
G     positiveBalance(y)
H     ¬positiveBalance(y)
I     accountActive(y)
J     notify(x, y)

Page 28: ICT Support for Business Process Compliance

Rules for the Process

• All new customers must be scanned against provided databases foridentity checks.

r1 : newCustomer (x)⇒ O checkIdentity (x)

• Retain history of identity checks performed.

r2 : checkIdentity (x)⇒ O recordIdentity (x)

• Accounts must maintain a positive balance, unless approved by a bankmanager, or for VIP customers.

r3 : account(x)⇒ O positiveBalance(x)⊗ O approveManager (x)

r4 : account(x), accountType(x , VIP)⇒ P ¬positiveBalance(x)


Page 29: ICT Support for Business Process Compliance

Finally Compliant!

Definition

• A trace is compliant if no task in the trace results in a violation

• A trace is weakly compliant if every violation is compensated for

• A process is (weakly) compliant iff all its execution traces are (at least weakly) compliant.

• A process is partially compliant iff there is at least one compliant trace.
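The recipe on pages 12, 25 and 27-29 can be exercised end to end with a small checker. The following is an added example, not code from the deck or from Regorous. It uses the page 27 annotations and the page 28 rules under these assumptions: predicates are propositional (one customer, one account, so owner(x, y) becomes owner); every obligation is an achievement obligation that must be met in the triggering state or any later state of the trace; a compensation in an ⊗ chain counts if it holds at or after the violation; the VIP exception of r4 over r3 is expressed as a superiority relation between rules, the same mechanism that serves the exceptions on pages 16-18; F is split into two constructed variants for the account type, M is a hypothetical manager-approval task (D carries no annotation on the slide), and the traces are constructed because the slide does not give the control flow.

```python
"""Trace and process compliance over an annotated process.  Added example;
the account-opening process, rules and annotations are the deck's, the
traces, the F_STD/F_VIP split and task M are constructed assumptions."""

# Task effects (page 27).  "~l" is the negation of l.
EFFECTS = {
    "A": {"newCustomer"},
    "B": {"checkIdentity"},
    "C": {"checkIdentity", "recordIdentity"},
    "D": set(),                       # no annotation on the slide
    "E": {"owner", "account"},
    "F_STD": {"accountType_STD"},     # constructed variant of F
    "F_VIP": {"accountType_VIP"},     # constructed variant of F
    "G": {"positiveBalance"},
    "H": {"~positiveBalance"},
    "I": {"accountActive"},
    "J": {"notify"},
    "M": {"approveManager"},          # hypothetical manager-approval task
}

# Rules (page 28): (name, body, kind, head).  For kind "O" the head is the
# ⊗ chain [primary obligation, compensation, ...]; for "P" the permitted
# literal.  SUPERIOR holds (stronger, weaker) pairs: the exception wins.
RULES = [
    ("r1", {"newCustomer"}, "O", ["checkIdentity"]),
    ("r2", {"checkIdentity"}, "O", ["recordIdentity"]),
    ("r3", {"account"}, "O", ["positiveBalance", "approveManager"]),
    ("r4", {"account", "accountType_VIP"}, "P", ["~positiveBalance"]),
]
SUPERIOR = {("r4", "r3")}


def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def states(trace):
    """State(i) = State(i-1) updated with the effects of task i (page 12):
    adding a literal removes its complement, other literals persist."""
    out, cur = [], set()
    for task in trace:
        for lit in EFFECTS[task]:
            cur.discard(neg(lit))
            cur.add(lit)
        out.append(frozenset(cur))
    return out


def defeated(rule, applicable):
    """An applicable superior rule concluding the complement of the primary
    obligation literal blocks the rule."""
    name, _, _, chain = rule
    return any((other[0], name) in SUPERIOR and neg(chain[0]) in other[3]
               for other in applicable)


def check_trace(trace):
    """Classify one trace; returns (status, [(rule, outcome), ...])."""
    sts = states(trace)
    outcomes = []
    for i, st in enumerate(sts):
        applicable = [r for r in RULES if r[1] <= st]
        for rule in applicable:
            name, body, kind, chain = rule
            # evaluate an obligation once, in the state that triggers it
            if kind != "O" or (i > 0 and body <= sts[i - 1]):
                continue
            if defeated(rule, applicable):
                continue
            later = sts[i:]
            if any(chain[0] in s for s in later):
                outcomes.append((name, "fulfilled"))
            elif any(c in s for c in chain[1:] for s in later):
                outcomes.append((name, "compensated"))
            else:
                outcomes.append((name, "violated"))
    results = {o for _, o in outcomes}
    status = ("non-compliant" if "violated" in results else
              "weakly compliant" if "compensated" in results else "compliant")
    return status, outcomes


def check_process(traces):
    """Page 29: compliant iff all traces are compliant; weakly compliant iff
    all are at least weakly compliant; partially compliant iff at least one
    trace is compliant."""
    per_trace = {n: check_trace(t)[0] for n, t in traces.items()}
    levels = set(per_trace.values())
    if levels == {"compliant"}:
        level = "compliant"
    elif "non-compliant" not in levels:
        level = "weakly compliant"
    elif "compliant" in levels:
        level = "partially compliant"
    else:
        level = "non-compliant"
    return level, per_trace


# Constructed traces of the page 26 process (ordering is an assumption).
TRACES = {
    "t1": ["A", "B", "D", "F_STD", "E", "G", "I", "J"],     # new customer, deposit
    "t2": ["C", "D", "F_STD", "E", "G", "I", "J"],          # existing customer, deposit
    "t3": ["C", "D", "F_STD", "E", "H", "I", "J"],          # existing, empty balance
    "t4": ["C", "D", "F_STD", "E", "H", "M", "I", "J"],     # ... compensated by M
    "t5": ["C", "D", "F_VIP", "E", "H", "I", "J"],          # VIP, empty balance
}

if __name__ == "__main__":
    level, per_trace = check_process(TRACES)
    for name, trace in TRACES.items():
        print(name, check_trace(trace))
    print("process:", level)
```

Under these assumptions t1 is non-compliant (a new customer goes through B, which checks but never records the identity, so r2 is violated without compensation), t3 is non-compliant (empty balance, no manager approval), t4 is weakly compliant (the violation of r3 is compensated by approveManager), and t2 and t5 are compliant (in t5 the permission r4 defeats r3); the process as a whole is therefore partially compliant.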

Page 30: ICT Support for Business Process Compliance

Regorous Evaluation

http://www.regorous.com


Page 31: ICT Support for Business Process Compliance

Evaluation of Regorous

Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the complaint handling/management processes of an Australian telco.

• 41 tasks, 12 decision points (xor), 2 loops
• shortest trace: 6 tasks
• longest trace (loop): 33 tasks
• longest trace (no loop): 22 tasks
• over 1000 traces, over 25000 states

Page 32: ICT Support for Business Process Compliance

Evaluation of Regorous (2)

TCPC 2012 Chapter 8. Contains over 100 clauses, plus 120 terms (in the Terms and Definitions section). Required 223 propositions, 176 rules.

• Punctual Obligation 5 (5)
• Achievement Obligation 90 (110)
  • Preemptive 41 (46)
  • Non preemptive 49 (64)
  • Non perdurant 5 (7)
• Maintenance Obligation 11 (13)
• Prohibition 7 (9)
  • Non perdurant 1 (4)
• Permission 9 (16)
• Compensation 2 (2)

Page 33: ICT Support for Business Process Compliance

Questions?

Guido Governatori
[email protected]
http://www.regorous.com

Page 34: ICT Support for Business Process Compliance

References

Guido Governatori. Representing business contracts in RuleML. International Journal of Cooperative Information Systems, 14(2-3):181–216, 2005.

Guido Governatori. Business Process Compliance: An Abstract Framework. IT: Information Technology, 55(6):1–8, 2013.

Guido Governatori and Antonino Rotolo. Norm Compliance in Business Process Modeling. In RuleML 2010, LNCS 6403, pp. 194–209, Springer, 2010.

Guido Governatori and Shazia Sadiq. The journey to business process compliance. In J. Cardoso and W. van der Aalst (eds), Handbook of Research on BPM, pp. 429–457, IGI Global, 2009.

Guido Governatori and Sidney Shek. Rule Based Business Process Compliance. In RuleML 2012 Challenge, CEUR 874, paper 5, 2012.

Shazia Sadiq and Guido Governatori. Managing regulatory compliance in business processes. In J. vom Brocke and M. Rosemann (eds), Handbook of Business Process Management vol. 2, pp. 159–175, Springer, 2009.