1 Introduction

N.A.M.: Programming norm change. Journal of Applied Non

Toward Better Mapping between Regulations and Operational Details of Enterprises Using Vocabularies and Semantic Similarity

Sagar Sunkle

sagar.sunkle@tcs.com 0

Deepali Kholkar

deepali.kholkar@tcs.com 0

Vinay Kulkarni

vinay.vkulkarni@tcs.com 0 0 Tata Research Development and Design Center Tata Consultancy Services 54B, Industrial Estate , Hadapsar Pune, 411013 INDIA

2013

17 6403 15 16

Industry governance, risk, and compliance (GRC) solutions stand to gain from various analyses offered by formal compliance checking approaches. Such adoption is made difficult by the fact that most formal approaches assume that a mapping between concepts of regulations and models of operational specifics exists. We propose to use Semantics of Business Vocabularies and Rules along with similarity measures to create an explicit mapping between concepts of regulations and models of operational specifics of enterprises. We believe that this proposal takes a step toward adapting and leveraging formal compliance checking approaches in industry GRC solutions.

Regulatory Compliance Operational Details Business Process Models SBVR Semantic Similarity

1 Introduction

With non-compliance being penalized severely in most countries and across various business domains [ 1, 2 ], effective and efficient resolution of regulatory compliance is high on priority for modern enterprises. While industry governance, risk, and compliance (GRC) solutions help enterprises in managing regulatory compliance, they are mostly document-oriented and are not as rigorous as formal approaches to compliance checking. Formal compliance checking can offer several analysis benefits to industry GRC solutions such as formally finding out (non-)compliance to regulations [ 3–9 ] against document-based evidence as in industry GRC solutions, computable explanation of proofs of (non-)compliance [ 10, 11 ] against expert’s judgement as in industry GRC, management of frequent changes in regulations [12, 13] against functional heat maps derived from experts’ knowledge as in industry GRC, etc.

Each formal approach ideally requires to relate regulations to operational specifics of enterprises. A terminological mapping would essentially tell where in the operational activities a rule from the regulation becomes applicable. Surprisingly, formal compliance checking approaches implicitly assume such mapping to exist without describing how to arrive at it as also indicated in [14–16].

If some means were provided whereby similarity between concepts from regulations and operational specifics could be formally established, then it would be easier to relate concepts from regulations with operational specifics and indicate where a rule from regulation becomes applicable. This would also make it easier to transfer results in formal compliance checking to practical usage.

We take a step in this direction by using Semantics of Business Vocabularies and Rules (SBVR) to model vocabularies of regulations and operational specifics of enterprises. We also propose to map the concepts from structured SBVR-based vocabularies of regulations and operational specifics using semantic similarity measures.

The paper is arranged as follows. In Section 2, we review several works in formal compliance checking with regards if and how they map concepts from regulations and operational specifics of enterprise and enlist our observations. Based on our observations, we propose the use of SBVR-based vocabularies and semantic similarity measures in Section 3 to map these conceptual realms. Section 4 concludes the paper. 2

Related Work and Motivation

Several formal compliance checking approaches have been presented in literature. These approaches treat business process (BP) models as the de-facto representation of operational specifics of enterprise and check BP models for compliance against regulations. Our specific aim in presenting the related work is to show how these approaches map concepts from regulations with concepts from BP models. We consider five representative formal compliance checking approaches, namely defeasible logic-based [ 9, 17, 18 ], Petri-net based [ 11 ], compliance rule graph-based [ 7, 8, 19 ], extended BP modeling notation (BPMN) query and linear temporal logic (LTL)-based [ 3, 20, 21 ], and Business Property Specification Language (BPSL) and LTL-based approaches [22, 23]. Table 1 illustrates these approaches in two columns. First column shows how each approach maps labels/phrases from regulations to labels/phrases from approach-specific representation of BP models and second column notes formalism in that approach. In the following, we briefly elaborate the formal compliance checking approaches with regards mapping between labels/phrases row by row from Table 1.

First row from Table 1 shows defeasible logic-based approach for checking compliance of BP models against regulations [ 9 ]. Regulations are modeled in Formal Contract Language (FCL) which is a combination of efficient non-monotonic defeasible logic and deontic logic of violations. First row shows a formulation of a regulation the creation and approval of purchase requests must be undertaken by two separate purchase officers. Labels CreatePR and ApprovedPR from FCL expression match with Create Purchase Request and Approve Purchase Request activities from BP model respectively. Label PurchaseOfficer from FCL expression maps to Purchaser from BP model. It is evident that this mapping is presumed to exist implicitly in [ 9 ]. SBVR-based transformation of business rules to FCL expressions is suggested in [18] and semantic annotations of BP models in [17], but a structured terminological mapping of concepts is yet not explored.

Second row from Table 1 shows an approach in which an event log describing the observed operational behavior is aligned with a Petri-net pattern that formalizes a regulation. From the regulation shown in the second row of Table 1, phrases a discount of Regulation: “A discount of 10% is granted if the customer is a gold customer; 5% are granted if the customer is a silver customer.” Regulation: “For paym ent runs with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Rule 1: Before opening an account, customer information must be obtained and verified.

Rule 2: Whenever a customer requests to open a deposit account, customer information must be recorded before opening the account.

Compliance Rule/Operati

onal Formalism

Formal Contract Language based on Defeasible

Logics; Operational Specifics as a

Business Process Model Rules as Petrinet Patterns,

Operations from the Event

Log Rules in terms of Compliance Rule Graph; Operations in terms of Events

Rules in Business Process Modeling

Notation (BPMN) Query (BPMN-Q), later in Temporal

Logic; operational specifics in terms of BPMN

Models 10% is granted if the customer is a gold customer and 5% are granted if the customer is a silver customer are mapped to phrases grant 10% gold and grant 5% silver. No explicit terminological mapping exists in this approach [ 11 ].

Third row from Table 1 shows an approach where events from operational event trace are checked against graph-based compliance rule language called compliance rule graph that formalizes a regulation. Phrases payment runs, list has to be signed, transferred to the bank from the regulation are presumed to match with similarly named events and are mapped to labels PR, SL, and TB respectively in the compliance rule graphs. No explicit terminological mapping has been suggested in [19] from which this example is taken or other publications from same authors [ 7, 8 ].

Fourth row from Table 1 shows an example from [ 3 ]. It uses BPMN-Q which is a visual language based on BPMN used to query BP models by matching a process graph to a query graph. Visual queries labelled Rule 1 and Rule 2 in the middle indicate BPMN-Q queries adapted to expressing the regulation on left. Interestingly, the concepts from BPMN-Q representation of the regulation match with the BP model shown by process graph on the right. This is to be expected since BPMN-Q visual queries are based on corresponding BP models. Yet, translation of regulations to BPMN-Q queries does not preserve same concepts, for instance, phrase customer information must be obtained is mapped to phrase Obtain Customer Info. Other publications by the same authors [20,21] similarly do not express the need for explicit mapping and presume that terminological mapping from regulation statements to BPMN-Q queries exists.

Finally, fifth row from Table 1 shows an example from [22]. BP models expressed in the Business Process Execution Language are transformed into Pi calculus and then into Finite State Machines. Compliance rules captured in the graphical BPSL are translated into LTL. This way, process models can be verified against these compliance rules by means of model checking technology. The example shows that BPSL formulation of labels RecordCustomerInfo and VerifyCustomerId map to BP labels RecordAccountInfo and VerifyCustomerIdentity respectively. This approach too does not consider an explicit terminological mapping and with several transformations between specifications, lack of explicit mapping is likely to be problematic.

Table 1 essentially shows that most formal compliance checking approaches assume that labels/phrases from regulation statements map to labels/phrases used in various regulation and BP specification languages. There are approaches that recognize the need for explicit mapping between the concepts such as [16] and use word databases which consider co-occurrent words and synonyms of an activity name from the BP models. However, this approach lacks formal compliance checking as in other approaches enumerated so far. Considerable research has been done on semantic similarity of texts outside the context of regulatory compliance. An approach in [24] uses information content of texts to yield similarity judgements that correlate more closely with human assessments than other measures. Since rules and activities are short length pieces of text, it is possible to use method described in [25], which combines corpus- and knowledge-based similarity measures targeted at matching short length pieces of texts more accurately.

Industry models of operational specifics, whether they are BPMN-based BP models or enterprise data, are generally extremely large. Texts of regulations such as SarbanesOxley (SOX), Foreign Account Tax Compliance Act (FATCA), BASEL-III, DoddFrank and various anti money laundering regulations like Know Your Customer (KYC), etc., are similarly large with several interdependent regulations. From semantic similarity point of view, specific and short length pieces of texts need to be matched. Without such an explicit terminological mapping between these two sets of concepts, it is difficult to practically apply formal compliance checking approaches. In the next section, we sketch our proposed approach in this direction. 3

Vocabularies and Semantic Similarity

Our approach for mapping concepts from regulations and operational specifics is illustrated in Figure 1. VocabularyReg and Terminological DictionaryOperations indicate SBVR vocabularies of regulations and operational specifics respectively. Operational specifics may be present in any BP modeling form or as enterprise data. The concepts from individual vocabularies VocabularyReg and Terminological DictionaryOperations are mapped using semantic similarity measures. By expressing these concepts with a predetermined set of synonyms for each pair of concepts from both VocabularyReg and Terminological DictionaryOperations, it is possible to express compliance checking uniformly using a given formalism. We briefly describe next how SBVR can be used to model aforementioned vocabularies.

Regula'on Text

VocabularyReg

Formal Terminological Representa'on Dic'onaryopera'ons

Opera'onal

Specifics

BPMN

Models Petri Net Models Other

Enterprise Data Conceptual Mapping based on Seman'c Similarity

Modeling Concept Vocabularies SBVR vocabularies for regulations and operations can be defined in terms of four sections. First, vocabulary to capture the business context is created, consisting of the semantic community and sub-communities owning the regulation and to which the regulation applies. Each semantic community is unified by shared understanding of an area, i.e., body of shared meanings and a body of shared guidance containing business rules. These concepts are shown as Business Vocabulary in SBVR metamodel in Figure 2.

Second, the body of concepts is modeled by focusing on key terms in regulatory rules. Concepts referred in the rule are modeled as noun concepts. A general concept is defined for an entity that denotes a category. Specific details about an entity are captured as characteristics. Verb concepts capture behavior in which noun concepts play a role. Binary verb concepts capture relations between two concepts. Characteristics are unary verb concepts. The SBVR metamodel for modeling regulation body of concepts are shown as Meaning and Representation Vocabulary in Figure 2.

Third, we build the body of guidance using policies laid down in the regulation. This includes logical formulation of each policy (an obligation formulation for obligatory rules) based on logical operations such as conjunctions, implications and negation. This is shown in Business Rules Vocabulary in Figure 2.

Fourth and lastly, we model the terminological dictionary that contains various representations used by a semantic community for its concepts and rules defined above. These consist of designations or alternate names for various concepts, definitions for concepts and natural language statements for policies stated in the regulation. We also use the terminological dictionary to capture the vocabulary used by the enterprise in its business processes. Each activity in the process becomes a verb concept wording in the terminological dictionary. SBVR concepts for modeling terminological variations are shown as Terminological Dictionary in Figure 2.

Mapping Concepts by Similarity Once the vocabularies of concepts from regulations and BP models are available, we can use similarity measures as in [16, 24, 25]. Note that the SBVR-based vocabularies provide a structured corpus where it is possible to encode domain knowledge including interpretations of regulations by various stakeholders [14]. The intended outcome of using vocabularies of regulations and BP models and similarity measures is that unlike approaches illustrated in Table 1, an explicit mapping between concepts of regulations and BP models will be achieved. 4

Conclusion

We illustrated several formal compliance checking approaches that assume a terminological mapping to exist between concepts of regulations and BP models when checking BP models for compliance against regulations. Structured vocabularies with semantic similarity between concepts would be needed when checking compliance of large BP models in industry against extensive regulations like BASEL-III, Dodd-Frank, FATCA, and various geography-specific KYC regulations. We plan to create an explicit mapping between regulations and BP models concept for which we briefly described how SBVR and semantic similarity measures can be used.

French

Caldwell , J.A.W. : Magic quadrant for enterprise governance, risk and compliance platforms (Gartner) ( 2013 )

2. English , S. , Hammond , S. : Cost of compliance 2014 (Thomson Reuters Accelus) ( 2014 )

3. Awad , A. , Decker , G. , Weske , M. : Efficient compliance checking using BPMN-Q and temporal logic . In Dumas, M. , Reichert , M. , Shan , M., eds.: Business Process Management, 6th International Conference, BPM 2008, Milan, Italy, September 2- 4 , 2008 . Proceedings. Volume 5240 of Lecture Notes in Computer Science., Springer ( 2008 ) 326 - 341

4. Becker , J. , Ahrendt , C. , Coners , A. , Weiß , B. , Winkelmann , A. : Business rule based extension of a semantic process modeling language for managing business process compliance in the financial sector . In Fähnrich, K. , Franczyk , B., eds.: Informatik 2010 . Volume 175 of LNI ., GI ( 2010 ) 201 - 206

Kharbili , M. , Stein , S. , Markovic , I. , Pulvermüller , E.: Towards a framework for semantic business process compliance management . In: The Impact of Governance, Risk, and Compliance on Information Systems (GRCIS) . Volume 339 of CEUR Workshop Proceedings ., Montpellier, France (June 17 2008 ) 1 - 15

6. Hashmi , M. , Governatori , G. , Wynn , M.T.: Normative requirements for business process compliance . In Davis, J.G. , Demirkan , H. , Motahari-Nezhad , H.R., eds.: Service Research and Innovation. Volume 177 of Lecture Notes in Business Information Processing. , Springer ( 2013 ) 100 - 116

7. Knuplesch , D. , Reichert , M. , Ly , L.T. , Kumar , A. , Rinderle-Ma , S.: Visual modeling of business process compliance rules with the support of multiple perspectives . In Ng, W., Storey , V.C. , Trujillo , J., eds.: Conceptual Modeling - 32th International Conference, ER 2013, Hong- Kong , China, November 11-13 , 2013 . Proceedings. Volume 8217 of Lecture Notes in Computer Science., Springer ( 2013 ) 106 - 120

8. Ly , L.T. , Knuplesch , D. , Rinderle-Ma, S. , Göser , K. , Pfeifer , H. , Reichert , M. , Dadam , P. : Seaflows toolset - compliance verification made easy for process-aware information systems . In Soffer, P., Proper , E., eds. : Information Systems Evolution - CAiSE Forum 2010 , Hammamet, Tunisia, June 7-9, 2010 , Selected Extended Papers. Volume 72 of Lecture Notes in Business Information Processing. , Springer ( 2010 ) 76 - 91

9. Sadiq , S.W. , Governatori , G. , Namiri , K. : Modeling control objectives for business process compliance . In Alonso, G., Dadam , P. , Rosemann , M., eds.: Business Process Management, 5th International Conference, BPM 2007, Brisbane, Australia, September 24-28 , 2007 , Proceedings. Volume 4714 of Lecture Notes in Computer Science., Springer ( 2007 ) 149 - 164

10. Antoniou , G. , Bikakis , A. , Dimaresis , N. , Genetzakis , M. , Georgalis , G. , Governatori , G. , Karouzaki , E. , Kazepis , N. , Kosmadakis , D. , Kritsotakis , M. , Lilis , G. , Papadogiannakis , A. , Pediaditis , P. , Terzakis , C. , Theodosaki , R. , Zeginis , D. : Proof explanation for a nonmonotonic semantic web rules language . Data & Knowledge Engineering 64 ( 3 ) ( 2008 ) 662 - 687

11. Ramezani , E. , Fahland , D., van der Aalst, W.M.P. : Where did I misbehave? diagnostic information in compliance checking . In Barros, A.P. , Gal , A. , Kindler , E., eds.: Business Process Management - 10th International Conference, BPM 2012 , Tallinn, Estonia, September 3- 6 , 2012 . Proceedings. Volume 7481 of Lecture Notes in Computer Science., Springer ( 2012 ) 262 - 278