Publications on Business Process Modelling
- Guido Governatori, Jörg Hoffmann, Shazia Sadiq, and Ingo Weber.
- Detecting regulatory compliance for business process models through semantic annotations.
In 4th International Workshop on Business Process Design,
Milan, 1 September 2008.
Abstract: A given business process may face a large number of
regulatory obligations the process may or may not comply with. Providing tools and
techniques through which an evaluation of the compliance degree of a given
process can be undertaken is seen as a key objective in emerging business
process platforms. We address this problem through a diagnostic framework
that provides the ability to assess the compliance gaps present in a given
process. Checking whether a process is compliant with the rules involves
enumerating all reachable states and is hence, in general, a hard search
problem. The approach taken here allows to provide useful diagnostic
information in polynomial time. The approach is based on two underlying
techniques. A conceptually faithful representation for regulatory obligations
is firstly provided by a formal rule language based on a non-monotonic
deontic logic of violations. Secondly, processes are formalized through
semantic annotations that allow a logical state space to be created. The
intersection of the two allows us to devise an efficient method to detect
compliance gaps; the method guarantees to detect all obligations that will
necessarily arise during execution, but that will not necessarily be
fulfilled.
 
- Guido Governatori, Zoran Milosevic and Shazia Sadiq.
- Compliance checking between business processes and business contracts.
In Patrick C. K. Hung, editor,
10th International Enterprise Distributed Object Computing
Conference (EDOC 2006),
Hong Kong, 16-20 October.
pages 221-232. IEEE Computing Society, 2006.
Copyright © IEEE
Abstract: It is a typical scenario that many organisations have
their business processes specified independently of their business
contracts. This is because of the lack of guidelines and tools that
facilitate derivation of processes from contracts but also because of
the traditional mindset of treating contracts separately from business
processes. This paper provides a solution to one specific problem that
arises from this situation, namely the lack of mechanisms to check
whether business processes are compliant with business contracts. The
central part of the paper is a logic based formalism for describing
both the semantics of contract and the semantics of compliance
checking procedures.
- Guido Governatori, Zoran Milosevic, Shazia Sadiq and Maria Orlowska.
- On Compliance of business processes with business contracts.
Technical Report, School of Information Technology and
Electrical Engineering, The University of Queensland.
2006.
Abstract:
This paper addresses the problem of ensuring compliance of business
processes, implemented within and across organisational boundaries,
with the constraints stated in related business contracts. In order
to deal with the complexity of this problem we propose two solutions
that allow for a systematic and increasingly automated support for
addressing two specific compliance issues. One solution provides a
set of guidelines for progressively transforming contract conditions
into business processes that are consistent with contract conditions
thus avoiding violation of the rules in contract. Another solution
compares rules in business contracts and rules in business processes
to check for possible inconsistencies. Both approaches rely on a
computer interpretable representation of contract conditions that
embodies contract semantics. This semantics is described in terms of
a logic based formalism allowing for the description of obligations,
prohibitions, permissions and violations conditions in
contracts. This semantics was based on an analysis of typical
building blocks of many commercial, financial and government
contracts. The study proved that our contract formalism
provides a good foundation for describing key types of conditions in
contracts, and has also given several insights into valuable
transformation techniques and formalisms needed to establish better
alignment between these two, traditionally separate areas of
research and endeavour. The study also revealed a number of new
areas of research, some of which we intend to address in near
future.
- Guido Governatori and Antonino Rotolo.
- An algorithm for business process compliance.
In Enrico Francesconi, Giovanni Sartor, and Daniela Tiscornia, editors,
Legal Knowledge and Information Systems (Jurix 2008),
Frontiers in Artificial Intelligence and Applications 189, pages
186-191. IOS Press, 2008.
Abstract: This paper provides a novel mechanism to check whether
business processes are compliant with business rules regulating them. The key
point is that compliance is a relationship between two sets of
specifications: the specifications for executing a business process and the
specifications regulating it.
 
- Guido Governatori, Antonino Rotolo and Shazia Sadiq.
- A Model of Dynamic Resource Allocation in Workflow Systems.
In Klaus-Dieter Schewe and Hugh E. Williams, editors,
Database Technology 2004,
Dunedin, New Zealand, 19-21 January.
pages 197-206.
Conference Research and Practice of Information Technology 27. ACS, 2004.
Copyright © ACS
Abstract: Current collaborative work environments are
characterized by dynamically changing organizational
structures. Although there have been several efforts to refine work
distribution, especially in workflow management, most literature
assumes a static database approach which captures organizational
roles, groups and hierarchies and implements a dynamic roles based
agent assignment protocol. However, in practice only partial
information may be available for organizational models, and in turn a
large number of exceptions may emerge at the time of work
assignment. In this paper we present an organizational model based on
a policy based normative system. The model is based on a combination
of an intensional logic of agency and a flexible, but computationally
feasible, non-monotonic formalism (Defeasible Logic). Although this
paper focuses on the model specification, the proposed approach to
modelling agent societies provides a means of reasoning with partial
and unpredictable information as is typical of organizational agents
in workflow systems.
- Guido Governatori and Shazia Sadiq.
- The journey to business process compliance.
In Jorge Cardoso and Wil van der Aalst, editors, Handbook of Research on
BPM, IGI Global, 2009.
Abstract: It is a typical scenario that many organisations have
their business processes specified independently of their business
obligations (which includes contractual obligations to business partners, as
well as obligations a business has to fulfil against regulations and industry
standards). This is because of the lack of guidelines and tools that
facilitate derivation of processes from contracts but also because of the
traditional mindset of treating contracts separately from business processes.
This chapter will provide a solution to one specific problem that arises from
this situation, namely the lack of mechanisms to check whether business
processes are compliant with business contracts. The chapter begins by
defining the space for business process compliance and the eco-system for
ensuring that processes are compliant. The key point is that compliance is a
relationship between two sets of specifications: the specifications for
executing a business process and the specifications regulating a business.
The central part of the chapter focuses on a logic based formalism for
describing both the semantics of normative specifications and the semantics
of compliance checking procedures.
 
- Jörg Hoffmann, Ingo Weber, and Guido Governatori.
- On compliance checking for clausal constraints in annotated process models.
Information Systems Frontiers, 2009.
Abstract: Compliance management is important in several industry
sectors where there is a high incidence of regulatory control. It must be
ensured that business practices, as reflected in business processes, comply
with the rules. Such compliance checks are challenging due to (1) the
different life cycles of rules and processes, and (2) their disparate
representations. (1) requires retrospective checking of process models. To
address (2), we herein devise a framework where processes are annotated to
capture the semantics of task execution, and compliance is checked against a
set of constraints posing restrictions on the desirable process states. Each
constraint is a clause, i.e., a disjunction of literals. If a process can
reach a state that falsifies all literals of one of the constraints, then
that constraint is violated in that state, and indicates non-compliance.
Naively, such compliance can be checked by enumerating all reachable states.
Since long waiting times are undesirable, it is important to develop
efficient (low-order polynomial time) algorithms that (a) perform exact
compliance checking for restricted cases, or (b) perform approximate
compliance checking for more general cases. Herein, we observe that methods
of both kinds can be defined as a natural extension of our earlier work on
semantic business process validation. We devise one method of type (a), and
we devise two methods of type (b); both are based on similar restrictions to
the processes, where the restrictions made by methods (b) are a subset of
those made by method (a). The approximate methods each guarantee either of
soundness (finding only non-compliance instances) or completeness (finding
all non-compliant states). We describe how one can trace the state evolution
back to the process activities which caused the (potential) non-compliant
states, and hence provide the user with an error diagnosis.
 
- Ruopeng Lu, Shazia Sadiq, and Guido Governatori.
- Measurement of compliance distance in business processes.
Information Systems Management, 25(4): 344-355, 2008.
Copyright © 2008 Taylor & Francis.
Abstract: Ensuring that work practice is compliant to regulations
and industrial standards is an increasingly important issue in business
systems. Whereas an understanding of control objectives that stem from
various legislative, standard and contractual sources may be found at
strategic or tactical levels, an assessment of their effective adoption in
operational practices is extremely hard. In this paper, we propose a method
for assessing the level of compliance in business work practice. The method
builds upon business process management platforms, and provides the ability
to objectively measure the compliance distance of existing processes within
the organization. This in turn empowers process designers and business
analysts to quantify the effort required to achieve a compliant process.
 
- Ruopeng Lu, Shazia Sadiq, and Guido Governatori.
- On managing business processes variants.
Data and Knowledge Engineering, 2009.
Abstract: Variance in business process execution can be the
result of several situations, such as disconnection between documented models
and business operations, workarounds in spite of process execution engines,
dynamic change and exception handling, flexible and ad-hoc requirements, and
collaborative and/or knowledge intensive work. It is imperative that
effective support for managing process variances be extended to organizations
mature in their BPM (Business Process Management) uptake so that they can
ensure organization wide consistency, promote reuse and capitalize on their
BPM investments. This paper presents an approach for managing business
processes that is conducive to dynamic change and the need for flexibility in
execution. The approach is based on the notion of process constraints. It
further provides a technique for effective utilization of the adaptations
manifested in process variants. In particular, we will present a facility for
discovery of preferred variants through effective search and retrieval based
on the notion of process similarity, where multiple aspects of the process
variants are compared according to specific query requirements. The advantage
of this approach is the ability to provide a quantitative measure for the
similarity between process variants, which further facilitates various BPM
activities such as process reuse, analysis and discovery.
 
- Ruopeng Lu, Shazia Sadiq, and Guido Governatori.
- A framework for utilizing preferred work practice for business process evolution.
In Witold Abramowicz and Heinrich C. Mayr, editors, Technologies for
Business Information Systems, pages 39-50. Springer, Dordrecht, 2007.
Copyright © 2007 Springer.
Abstract: Many Business Process Management (BPM) systems provide
best practice process models, both generic as well as for specific industry
sectors. However, it is often the variance from template solutions that
provides organizations with intellectual capital and competitive
differentiation. Although variance must comply with various contractual,
regulatory and operational constraints, it is still an important information
resource, representing preferred work practices. In this paper, we present a
framework that utilizes desired work practice to support business process
evolution. The framework on one hand provides the ability to use domain
expert knowledge and experience to tailor individual process instances
according to case specific requirements; and on the other, provides a means
of using this knowledge through learning techniques to guide subsequent
process refinements.
 
- Ruopeng Lu, Shazia Sadiq, and Guido Governatori.
- Compliance aware business process design.
In Arthur H.M. ter Hofstede, Boualem Benatallah, and Hye-Young Paik,
editors, 3rd International Workshop on Business Process Design
(BPD'07), LNCS 4928,
pages 120-131. Springer, 2007.
Copyright © 2007 Springer.
Abstract: Historically, business process design has been driven
by business objectives, specifically process improvement. However this cannot
come at the price of control objectives which stem from various legislative,
standard and business partnership sources. Ensuring the compliance to
regulations and industrial standards is an increasingly important issue in
the design of business processes. In this paper, we advocate that control
objectives should be addressed at an early stage, i.e., design time, so as to
minimize the problems of runtime compliance checking and consequent
violations and penalties. To this aim, we propose supporting mechanisms for
business process designers. This paper specifically presents a support method
which allows the process designer to quantitatively measure the compliance
degree of a given process model against a set of control objectives. This
will allow process designers to comparatively assess the compliance degree of
their design as well as be better informed on the cost of non-compliance.
- Ruopeng Lu, Shazia Sadiq and Guido Governatori.
- Utilizing Successful Work Practice for Business Process Evolution.
In Witold Abramowicz and Heinrich C. Mayr, editors,
Business Information Systems (BIS 2006),
Klagenfurt, Austria, May 31-June 2. pages 58-76.
LNI 85. Bonner Köllen Verlag, Berlin, 2006.
Copyright © GI.
Abstract: Business process management (BPM) has emerged as a
dominant technology in current enterprise systems and business
solutions. However, business processes are always evolving in current
dynamic business environments where requirements and goals are
constantly changing. Whereas literature reports on the importance of
domain experts in process modelling and adaptations, current solutions
have not addressed this issue effectively. In this paper, we present a
framework that utilizes successful work practice to support business
process evolution. The framework on one hand provides the ability to
use domain expert knowledge and experience to tailor individual
process instances according to case specific requirements; and on the
other, provides a means of using this knowledge through learning
techniques to guide subsequent process changes.
 
- Ruopeng Lu, Shazia Sadiq, Guido Governatori, and Xiaoping Yang.
- Defining adaptation constraints for business process variants.
In 12th International Conference on Business Information Systems,
Lecture Notes in Business Information Processing 7.
Springer, 2009.
Copyright © 2009 Springer.
Abstract: In current dynamic business environment, it has been
argued that certain characteristics of ad-hocism in business processes are
desirable. Such business processes typically have a very large number of
instances, where design decisions for each process instance may be made at
runtime. In these cases, predictability and repetitiveness cannot be counted
upon, as the complete process knowledge used to define the process model only
becomes available at the time after a specific process instance has been
instantiated. The basic premise is that for a class of business processes it
is possible to specify a small number of essential constraints at design
time, but allow for a large number of execution possibilities at runtime. The
objective of this paper is to conceptualise a set of constraints for process
adaptation at instance level. Based on a comprehensive modelling framework,
business requirements can be transformed to a set of minimal constraints, and
the support for specification of process constraints and techniques to ensure
constraint quality are developed.
 
- Ruopeng Lu, Shazia Sadiq, Vineet Padmanabhan and Guido Governatori.
- Using a Temporal Constraint Network for Business Process Execution.
In Gillian Dobbie and James Bailey, editors,
Seventeenth Australasian Database Conference (ADC2006),
Hobart, Australia, 16-19 January. pages 157-166.
CRPIT 49. ACS, Sydney, 2006.
Copyright © ACS
Abstract: Business process management (BPM) has emerged as a
dominant technology in current enterprise systems and business
solutions. However, the technology continues to face challenges in
coping with dynamic business environments where requirements and goals
are constantly changing. In this paper, we present a modelling
framework for business processes that is conducive to dynamic change
and the need for flexibility in execution. This framework is based on
the notion of process constraints. Process constraints may be
specified for any aspect of the process, such as task selection,
control flow, resource allocation, etc. Our focus in this paper is on
a set of scheduling constraints that are specified through a temporal
constraint network. We will demonstrate how this specification can
lead to increased flexibility in process execution, while maintaining
a desired level of control. A key feature and strength of the approach
is to use the power of constraints, while still preserving the
intuition and visual appeal of graphical languages for process
modelling.
- Vineet Padmanabhan, Guido Governatori, Shazia Sadiq, Robert M. Colomb and Antonino Rotolo.
- Process Modelling: The Deontic Way.
In Markus Stumptner, Sven Hartmann and Yasushi Kiyoki, editors,
Conceptual Modelling 2006. Proceedings of the Third
Asia-Pacific Conference on Conceptual Modelling (APCCM2006),
Hobart, 16-19 January. pages 75-84.
CRPIT 53. Australian Computer Science Communications,
Sydney, 2006.
Copyright © ACS
Abstract: Current enterprise systems rely heavily on the
modelling and enactment of business processes. One of the key criteria
for a business process is to represent not just the behaviours of the
participants but also how the contractual relationships among them
evolve over the course of an interaction. In this paper we provide a
framework in which one can define policies/business rules using
deontic assignments to represent the contractual relationships. To
achieve this end we use a combination of deontic/normative concepts
like proclamation, directed obligation and
direct action to account for a deontic theory of commitment
which in turn can be used to model business processes in their
organisational settings. In this way we view a business process as a
social interaction process for the purpose of doing
business. Further, we show how to extend the i* framework, a well
known organisational modelling technique, so as to accommodate our
notion of deontic dependency.
- Shazia Sadiq and Guido Governatori.
- A methodological framework for aligning business processes and regulatory compliance.
In Jan vom Brocke and Michael Rosemann, editors, Handbook of Business
Process Management, Springer, 2009.
Abstract: The ever increasing obligations of regulatory
compliance are presenting a new breed of challenges for organizations across
several industry sectors. Aligning control objectives that stem from
regulations and legislation, with business objectives devised for improved
business performance, is a foremost challenge. The organizational as well as
IT structures for the two classes of objectives are often distinct and
potentially in conflict. In this chapter, we present an overarching
methodology for aligning business and control objectives. The various phases
of the methodology are then used as a basis for discussing state of the art
in compliance management. Contributions from research and academia as well as
industry solutions are discussed. The chapter concludes with a discussion on
the role of BPM as a driver for regulatory compliance and a presentation of
open questions and challenges.
 
- Shazia Sadiq, Guido Governatori and Kioumars Niamiri.
- Modeling Control Objectives for Business Process Compliance.
In 4th International Conference on Business Process Management. LNCS. Springer-Verlag, Berlin 2007.
Copyright © Springer-Verlag 2007.
Abstract: Business process design is primarily driven by process
improvement objectives. However, the role of control objectives stemming
from regulations and standards is becoming increasingly important for
businesses in light of recent events that led to some of the largest
scandals in corporate history. As organizations strive to meet compliance
agendas, there is an evident need to provide systematic approaches that
assist in the understanding of the interplay between (often conflicting)
business and control objectives during business process design. In this
paper, our objective is twofold. We will firstly present a research agenda
in the space of business process compliance, identifying major technical and
organizational challenges. We then tackle a part of the overall problem
space, which deals with the effective modeling of control objectives and
subsequently their propagation onto business process models. Control
objective modeling is proposed through a specialized modal logic based on
normative systems theory, and the visualization of control objectives on
business process models is achieved procedurally. The proposed approach is
demonstrated in the context of a purchase-to-pay scenario.
- Ingo Weber, Guido Governatori, and Jörg Hoffmann.
- Approximate compliance checking for annotated process models.
In Marta Indulska, Shazia Sadiq, and Michael zur Muehlen, editors,
Proceedings of CAiSE 2008 Workshop on Governance, Risk and Compliance in
Information Systems (GRCIS 2008), Montpellier, 17 June 2008.
Abstract: We describe a method for validating whether the states
reached by a process are compliant with a set of constraints. This serves to
(i) check the compliance of a new or altered process against the constraints
base, and (ii) check the whole process repository against a changed
constraints base, e.g., when new regulations come into being. For these
purposes we formalize a particular class of compliance rules as well as
annotated process models, the latter by combining a notion from the workflow
literature with a notion from the AI actions and change literature. The
compliance rules in turn pose restrictions on the desirable states. Each rule
takes the form of a clausal constraint, i.e., a disjunction of literals. If
for a given state there is a grounded clause none of whose literals are true,
then the constraint is violated and indicates non-compliance. Checking
whether a process is compliant with the rules involves enumerating all
reachable states and is in general a hard search problem. Since long waiting
times are undesirable, it is important to explore restricted classes and
approximate methods. We present a polynomial-time algorithm that, for a
particular class of processes, computes the sets of literals that are
necessarily true at particular points during process execution. Based on this
information, we devise two approximate compliance checking methods. One of
these is sound but not complete (it guarantees to find only non-compliance
instances, but not to find all non-compliance instances); the other method is
complete but not sound. We sketch how one can trace the state evolution back
to the process activities which caused the (potential) non-compliance, and
hence provide the user with some error diagnosis.