Fig 1 - uploaded by Carlos Rodriguez
Summary of the direct drug reimbursement process. 

Source publication
Conference Paper
Automatically monitoring and enforcing compliance of service-based business processes with laws, regulations, standards, contracts, or policies is a hot issue in both industry and research. Little attention has however been paid to the problem of understanding non-compliance and improving business practices to prevent non-compliance in the future,...

Contexts in source publication

Context 1
... KCIs are rendered to the compliance experts by means of a CGD, such as the one depicted in Figure 3 [1]. The CGD features a graphical representation of KCIs and serves as start point for further root-cause analysis. More specifically, the CGD creates an awareness of possible violations and concentrates the most important information to be evaluated at-a-glance. The interactive table (at the front in Figure 3) provides a drill-down and roll-up mechanism for the compliance status, for example, for the different drug dispensation locations controlled by the hospital (i.e., clinics, laboratories, dispensaries), according to two main analysis perspectives (compliance performance vs. process performance), down to the individual event level (e.g., the list of incomplete records associated to a drug (background of Figure 3)). ...
Context 2
... us consider the case of a drug reimbursement process in the healthcare domain. The process is the case study in one of our EU projects, where we cooperate with Hospital San Raffaele (Milan, Italy), which runs the process shown in Figure 1. The overall purpose of this process, from the hospital's point of view, is to obtain reimbursements from the Italian Health Authority for the drugs dispensed to outpatients (i.e., patients that are not hospitalized). In order to obtain the reimbursement, there are many compliance requirements imposed by the Health Authority, among which we mention privacy preservation in personal information processing, separation of duties, and the adherence of standard template of dispensation ...

Citations

... Out of these, [49] can be classified as PPM approach. [18,88] do not refer to compliance constraints, but rather to SLAs. ...
... An analysis of non-compliance to prevent compliance violations in the future with only limited prediction capabilities is presented in [88] and addresses CMF8. ...
Preprint
Business process compliance is a key area of business process management and aims at ensuring that processes obey to compliance constraints such as regulatory constraints or business rules imposed on them. Process compliance can be checked during process design time based on verification of process models and at runtime based on monitoring the compliance states of running process instances. For existing compliance monitoring approaches it remains unclear whether and how compliance violations can be predicted, although predictions are crucial in order to prepare and take countermeasures in time. This work, hence, analyzes existing literature from compliance and SLA monitoring as well as predictive process monitoring and provides an updated framework of compliance monitoring functionalities. For each compliance monitoring functionality we elicit prediction requirements and analyze their coverage by existing approaches. Based on this analysis, open challenges and research directions for predictive compliance and process monitoring are elaborated.
... A different approach towards compliance management is taken by Rodríguez et al. (2010) who have developed an analysis algorithm based on decision trees to identify root-causes of non-compliance behaviour by defining metrics named as key compliance indicators (KCIs) which are computed by SQL queries. However the root-causes are not from the perspective of a layered SBS. ...
Article
Any business process life-cycle should be monitored for adherence to compliance, so as to detect, analyse and recover from anomalies. Whenever a business process implemented as service-based system (SBS) deviates from compliance obligations, it is imperative to overcome anomalies so that the process is not adversely affected. This necessitates a monitoring and root-cause analysis process. Performance of the SBS is determined by factors such as goals and objectives of business layer; output data, execution time and number of services in service layer; processing load, storage capacity of the infrastructure layer. Current approaches are considered inadequate as they observe and verify adherence to properties in any one of the layers of the SBS. We propose a monitoring and root-cause analysis framework capable of congregating and correlating events from all layers of the SBS. The prototypical implementation based on event paradigm is non-invasive and introduces no overhead to the system under consideration.
... Many of the existing compliance solutions and research prototypes today address only one specific stage in the software development process and one specific kind of compliance artifact or policy-for example, many solutions address only specific kinds of regulatory compliance in business processes at design time. 1,6,7 Other approaches focus on runtime monitoring, 8,9 compliance rules for business processes, 10 or offline compliance monitoring and analysis, 11,12 to name a few examples. So far, however, only a very few approaches address multiple different compliance artifacts throughout the entire compliance life cycle. ...
Article
This special issue of IEEE Software explores the challenges in developing compliant software systems. Typically, organizations face conflicting objectives, with compliance policies possibly hindering innovation, slowing down the product development process, or making the whole process most costly. The goal of software engineering for compliance is to bridge the gap between the software engineering community and the compliance community. The articles in this special issue explain the nature and extent of this domain from different viewpoints, the technical challenges it poses, novel software engineering methods for supporting compliance, and the current state of the art.
... Several types of links between organizational and legal models are defined to detect non-compliant and react to changes in the law. Rodriguez et al. [35] build on the results obtained from CGD [37] using a decision tree algorithm and data mining to analyze, predict, and explain non-compliant process instances. They successfully apply their method to a drug dispensation process. ...
Conference Paper
Business process compliance management is an important part of corporate governance as it helps meet objectives while avoiding consequences and penalties. Although there is much research in this area, we believe goal-oriented compliance management using Key Performance Indicators (KPIs) to measure the compliance level of organizations is an area that can be further developed. To investigate this hypothesis, we undertook a systematic literature review, querying four major search engines and performing manual searches in related workshops and citations. From a research body consisting of 198 articles and their references, we have systematically selected 32 papers. We grouped these papers into five categories and highlighted their main contributions. The results show that all selected papers were written in the last five years, and that few effectively represent compliance results using dashboards or similar tools. Although all individual pieces are available, no existing solution yet combines goals with KPIs for measuring the overall compliance level of an organization.
... This paper is continuation of our work on the compliance governance. Previously, we introduced: compliance governance lifecycle and conceptual model [9], which we adapt in the presented framework; a model-aware repository and service environment (MORSE) [25], a licensing DSL [3], an approach for developing compliance governance dashboards [20], and algorithms for root-cause analysis [7], which are used within the proposed framework. This paper connects the proposed pieces within an integral runtime compliance governance framework and shows how the whole framework is applied in the case study scenario. ...
Conference Paper
Compliance governance in organizations has been recently gaining importance because of new regulations and the diversity of compliance sources. In this demo we will show an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). The proposed solution supports the whole cycle of compliance management and has been tested in a real world case study.
Article
Digital forensics is an emerging research field involving critical technologies for obtaining evidence in digital crime investigations. Several methodologies, tools, and techniques have been developed to deal with the acquisition, preservation, examination, analysis, and presentation of digital evidence from different sources. However, new emerging infrastructures such as service-oriented architecture have brought new serious challenges for digital forensic research; ensuring that evidence will be neutral, comprehensive, and reliable in such complex environments is a challenging research task. To address this issue, the authors propose in this article a generic conceptual model for digital forensics methodologies to enable their application in a service-oriented architecture. Challenges and requirements to construct a forensically sound evidence management framework for these environments are also discussed. Finally, the authors show how digital forensics standards and recommendations can be mapped to service-oriented architecture.
Chapter
Assessing whether a company's business practices conform to laws and regulations and follow standards and SLAs, i.e., compliance management, is a complex and costly task. Few software tools aiding compliance management exist; yet, they typically do not address the needs of who is actually in charge of assessing and understanding compliance. We advocate the use of a compliance governance dashboard and suitable root cause analysis techniques that are specifically tailored to the needs of compliance experts and auditors. The design and implementation of these instruments are challenging for at least three reasons: (i) it is fundamental to identify the right level of abstraction for the information to be shown; (ii) it is not trivial to visualize different analysis perspectives; and (iii) it is difficult to manage and analyze the large amount of involved concepts, instruments, and data. This chapter shows how to address these issues, which concepts and models underlie the problem, and, eventually, how IT can effectively support compliance analysis in Service-Oriented Architectures (SOAs).
Conference Paper
In response to recent financial scandals (e.g. those involving Enron, Fortis, Parmalat), new regulations for protecting the society from financial and operational risks of the companies have been introduced. Therefore, companies are required to assure compliance of their operations with those new regulations as well as those already in place. Regulations are only one example of compliance sources modern organizations deal with every day. Other sources of compliance include licenses of business partners and other contracts, internal policies, and international standards. The diversity of compliance sources introduces the problem of compliance governance in an organization. In this paper, we propose an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). We show how the proposed solution supports the whole cycle of compliance management: from modeling compliance requirements in domain-specific languages through monitoring them during process execution to displaying information about the current state of compliance in dashboards. We focus on the runtime part of the proposed solution and describe it in detail. We apply the developed framework in a real case study coming from EU FP7 project COMPAS, and this case study is used through the paper to illustrate our solution.
Keywords: compliance governance, business process, monitoring, SOA, complex event processing