Among the change drivers faced by modern enterprises, compliance to regulations is one of the most complex and multifaceted. Complexity of regulatory compliance is aggravated for modern enterprises due to their global footprints and multiple regulations that they must comply with across domains and geographies. The cost of compliance rises when enterprises also have to keep up with the changes in regulations [ 1, 10 ]. Non-compliance is usually not an option. Most likely, non-compliance results in putting the hard earned reputation of enterprises at stake and may also lead to personal liability and risk for board directors and top management.The traditional compliance model has been realized in Copyright c 2016 for the individual papers by the papers’ authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors. an advisory capacity with limited focus on actual risk identication and management [ 8, 15 ]. The emerging best practice model of compliance hints at understanding business operations and the underlying risk exposures so that compliance requirements can be practically translated into management actions [ 11 ].

This indicates that enterprises need compliance framework using which, enterprises can- (a) accurately and exhaustively relate compliance requirements to business operations [ 10 ], (b) carry out compliance management in an end-to-end fashion, starting right from the regulatory texts and their business and legal interpretations to carrying out compliance reporting [ 3 ], and (c) include suggestive management actions aimed at handling the related risk exposures in an organized and deliberate manner [ 11 ].

To address these requirements, we propose that activities of compliance management should be model-driven. This implies that activities in compliance should be automated to the extent possible, with domain experts' role limited to providing feedback in creating various models to be used for compliance and ne-tuning them to achieve greater accuracy and coverage. A conceptual model containing the necessary and su cient concepts from both the business domain of the enterprise and the regulation domain can be used to generate various requisite artifacts. The generation of such a domain model can be automated using natural language processing (NLP) and machine learning (ML) techniques. Once this model is available, the models of rules and facts as well as other purposive models can be obtain by modelto-text transformation.

Our contributions in this position paper are the detailed descriptions of these problems and our proposal, building on our previous work, of a model-driven compliance framework that is designed to address the aforementioned requirements to enable cost e cient and business e ective compliance management by enterprises. We review our previous work in Section 2 and illustrate a generic set of activities of a compliance framework with clear distinction between manual and (semi-) automated activities. Most industrial and academic solutions provide largely expert-driven specializations of this set of activities in compliance. We put forth exemplars of specializations of this generic set of activities based on what the enterprise has to enact compliance, whether it is business process de nitions or purely data., and what the organization's purpose is in managing compliance. In Section 3, we present another specialization of generic set of activities in compliance, this time suggesting (semi-)automation of largely manual activities. This set of activities is extrapolated from specializations presented in Section 2. We propose exactly how the (semi-)automation may be achieved for each activity in the set using modeldriven techniques. Section 4 discusses how this compliance framework may lead to cost e ciency and business e ectiveness. Section 5 concludes the paper. 2.

In the following, we consider regulatory requirements from external regulatory bodies as the key source, although our discussion is applicable to policies internal to an enterprise. 2.1

Compliance checking can be classi ed based on whether it is design-/run-time depending on whether information required for checking is available only at run-time. It can also be classi ed as forward or backward checking based on whether controls are enacted in processes preemptively or execution traces are checked after business processes have already executed. Another way to classify compliance checking is what the granularity of checks is, i.e., whether business processes, tasks, or attributes or pure data is checked, and nally whether checking takes place by making use of an inference engine and/or queries to models of enterprise information [ 12 ]. Several works have surveyed existing compliance checking approaches from academia based on similar classi cation of compliance checking activities [ 6 ] and also from industry governance, risk, and compliance (GRC) approaches [ 10 ].

For the purpose of this paper, we limit the generic set of activities and artifacts in compliance to those illustrated in Figure 1. Legal text indicates the source of regulations, which could be a document from a regulatory body in a give domain or an interpretation by various stakeholders of an enterprise. The regulations and/or interpretation are predominantly natural language texts. Enterprise information against which regulations speci ed in legal texts are to be checked can manifest in number of forms including natural language texts, operational models including business process de nitions, execution traces, or audit trails, or databases. Compliance checking and report generation involves specifying rules from legal text and facts from enterprise information in a suitable format and performing the checking activity. Note that industry GRC approaches primarily use querying mechanisms as opposed to compliance engines as in academia for checking compliance.

We showed in our earlier works that formal approaches from academia often assume implicitly that terms in legal texts and enterprise information artifacts match [ 24 ]. This is indicated by an optional artifact called vocabulary in Figure 1. Several combinations of rule and operational speci cations exist in academic literature with implicit assumptions about terms in both [ 24 ]. Industry GRC approaches use taxonomy as the collection of prede ned tags available for enterprises to a x to their nancial data [ 4 ]. Tags can be speci c to territories/geographies, time frames, and business units. Tags either do not leverage semantic meanings of terms or the support for such semantics is rudimentary at best in most GRC approaches [ 24 ].

Both kinds of approaches vary based on constituents of compliance, i.e., the legal and enterprise information artifacts, their formats, or formalisms and the purpose of compliance. In the next section, we show variations of both

Rule Language Specifica-on Rules

Facts

Opera-ons Specifica-on Compliance Checking We utilized a specialization of generic set of activities in Figure 1 as illustrated in Figure 2. This was our attempt to leverage the holistic perspective of governance, risk, and compliance from industry GRC approaches along with formal treatments as in academic approaches. In this case, the constituents of compliance are legal text and business process (BP) models. While process models are BP modeling notation 2.0 compliant, we utilize DR-Prolog as the speci cation language for both rules obtained from legal texts and facts extracted from process models. In addition to compliance checking the specialization in Figure 2 enables natural language explanation of proofs of (non-) compliance.

We build the vocabulary model based on Semantics of Business Vocabulary and Rules (SBVR) metamodel from the SBVR speci cation [ 19 ]. The vocabulary model repre

Drools

Java

Path Expression

Query Language Datalog and Proprietary

Tools

Facts

DB DB1

DB2

DB3 sents terms from the legal text and BP models. These terms from legal and business side are reconciled using SEMILAR similarity measurement API [ 20 ]. We use DR-Prolog defeasible compliance engine to express rules from legal text and facts in relational form that we extract from BP models using a proprietary tool. Specialized algorithms using a Prolog-based meta-interpreter emit a suitable trace which is parsed to obtain rules and facts contributing to success or failure of queries of compliant rules. The terms from this subset of rules and facts are matched with the vocabulary to express the natural language explanation using FreeMarker template API where relevant details of terms under consideration are inserted into the variable parts of a template. We redirect the reader to [ 22 ] for details of proof generation and natural language explanation.

This specialization is useful when an enterprise aims at obtaining explanation of proofs of (non-) compliance in addition to checking whether its operational practices are compliant or not with given set of regulations. We demonstrated the utility of this framework on a real world Know Your Customer (KYC) regulations by Reserve Bank of India for Indian Banks [ 22 ]. In this particular case, the bank had business processes where both backward checking (checking data generated by processes) and forward checking (realizing controls on speci c activities) could be achieved. 2.2.2

Report Generation with Multi-source Data

The second specialization that we illustrate is a work-inprogress where the enterprise has data instead of process descriptions. This data is to be obtained from sources in various business units. Figure 3 shows this use case.

The databases DB1 to DBn hold the data which is integrated into the database DB. We use our proprietary tooling for this purpose where a specialization of object query language called path expression query language is used for mapping conceptual models of DBs to the integrated DB. The actual model processing uses Datalog and other proprietary tools described in detail in [ 28 ]. The rule speci cation language used in this case is Drools which takes plain old Java objects (POJOs) as the fact model which is checked against rules implementing Rete pattern matching. Both the vocabularies of legal text and the integrated DB are created and Vocabulary of Integrated DB Conceptual

Mapping DBn reconciled in a manner similar to as detailed in our earlier work [ 24 ]. The reports are generated using Drools reporting features, but mostly contain information of checked passed and failed rather than explanations of the same.

Two specializations we described in Figures 2 and 3 show that depending on the enterprises' purpose and the form of operational speci cs it has, the generic set of activities in Figure 1 can be specialized. Referring back to Section 1, our specializations use models for representing rules and facts and also for expressing semantic similarity between the vocabularies of legal texts and enterprise information. More information about how we create SBVR-based models and how we utilize SEMILAR for contextual similarity measurement can be found in [ 24 ]. To some extent, this satis es requirement (a) that of relating compliance requirements to business operations. These models together enable end-toend compliance management in various combinations of rule and operation speci cations as described in the previous section and thereby satis es requirement (b) to a large extent. Similarly, we demonstrated in [ 23 ], how risks pertaining to the compliance of given set of regulations and corresponding mitigation activities can be modeled and how to utilize these models. This satis es requirement (c) to some extent.

Yet, most of the activities continue be manual as evident in Figures 2 and 3, which need to be automated to the extent possible. Also, to e ectively relate business objectives to compliance, further modeling and model processing machinery is required. We propose how this can be done next. 3.1

To represent rules and facts from legal text and enterprise information, it might be possible to extract each using natural language processing (NLP) and machine learning (ML). There exists sizable literature on extracting conceptual models of regulation or rules from legal/regulatory texts. Most of these approaches focus on using either a simpli ed representations of natural language texts or making assumption about structural aspects of the texts or both. We review such proposals next brie y.

An approach presented in [ 27 ] uses a modeling interface that the domain expert (referred to as a knowledge engineer in [ 27 ]) can use to build the conceptual model and norms incrementally. At the back of this interface are a set of NLP components including a parser, a grammar, a lexicon, and a lexicon supplementor for identifying grammatical categories, all of which are speci c to Dutch language. They make a suitable assumption that a set of possible juridical natural language constructs (JNLC) can describe categories like definitions, value assignments, and conditions. If the regulation text does not contain presumed syntactic structures then it has to be rewritten to make the syntactic structures explicit. Only when the syntactic structures are explicit that a parser written to identify them can be actually used.

A similar approach for Italian language is presented in [ 18 ] which uses articles, sections, and paragraphs to identify especially the amendments to original laws. Breaux et al. propose a systematic manual process [ 7 ], in which the domain expert marks the text using phrase heuristics and a frame-based model to identify rights or obligations, associated constraints, and condition keywords including natural language conjunctions. These rights and obligations are restated into restricted natural language statements (RNLS). The RNLS can be modeled as description logic rules using semantic parameterization process. Kiyavitskaya et al. proposed to add tool support to this process [ 13 ], which was carried out in work by Zeni et al. [ 29 ]. In this work, a document structure is assumed with varying granularity from words and phrases to sections and documents. Various syntactic indicators are used to capture deontic concepts and exceptions. For instance, the concept of right is identi ed in the text via indicators like may, can, could, permit, to have a right to, should be able to. Some of the indicators could be complex patterns that combine literal phrases and basic concepts. The annotation schema that speci es rules for identifying domain concepts via indicators is nevertheless created mostly manually, whereby authors plan to use clustering techniques to automate the same.

In these approaches, domain experts are required to annotate the text initially to explicate the core concepts, syntactic structures, or patterns which are then incorporated in parsing. Domain experts may also have to rewrite the text in a simpler form for it to become amenable to specialized parsing mechanisms. The problem with these approaches is that they are very speci c to a kind of regulation with parsing mechanisms specialized around the syntactic structures of that regulation. A generic set of NLP-ML techniques is more amenable than coming up with individual set of techniques for each. There are several pointers for improvement with this state of the art:

We may take a clue from taxonomy tagging tools from industry such as OpenCalais1, Active Tags2, and Compliance Guardian3 to initially present a list of important concepts from the text to the domain expert. These concepts could be top-k concepts frequency distribution-wise.

Alternatively, domain experts may suggest a few concepts core to the regulation which can be used as seeds to obtain an initial conceptual model which can be incrementally built to include necessary and su cient concepts.

Instead of using regulation-speci c heuristics, one could use phrase heuristics for building domain models based on identi cation of entities, attributes, and relations as applied to regular text. There are several works in NLP-ML, which use a variety of heuristics and training methods targeted at creating concept hierarchies via syntactic heuristics, semantic patterns, and un- and (semi-) supervised methods [ 2, 9, 21, 14 ].

Note that most of works on legal text extraction do not consider enterprise information against which regulations are to be checked. The NLP-ML techniques need to be applied to enterprise information as well, available in the form of business process de nitions, data, or audit trails, to obtain a conceptual model with which to map regulation concepts.

Once the NLP-ML techniques are applied to obtain con1OpenCalais (Thomson Reuters) http://new.opencalais. com/opencalais-api/ 2Active Tags http://www.wavetrend.net/activ-tags.php 3Compliance Guardian http://www.avepoint.com/ products/compliance-management/

Purposive Rule Language Specifica-on DR-Prolog/Drools

Purposive Opera-ons

Specifica-on

Business Process Defini-ons/Data/Audit

Trails Rules

Facts

Simula'on of Business Opera'ons Compliance Checking [+Proof Explana-on] ceptual models and a mapping between them, this model can be used to generate rules and facts in the desired speci cation language. We presented early manifestation of the idea of generating requisite artifact speci cations from a conceptual model in [ 23 ]. At this stage, a (semi-)automated specialization of generic set of activities in Figure 1 could be imagined as illustrated in Figure 4.

Compared to the generic set of activities for compliance management and its specializations presented in Section 2, the framework illustrated in Figure 4, restricts the role of domain experts in conceptual model making. The process of generation of model is (semi-)automated since we envision that such a model will be built incrementally along the lines of approach presented in [ 27 ] which we reviewed earlier. This conceptual model needs to incorporate concepts of risks and governance as we indicated in [ 23 ]. With this set of concepts, it might be possible to simulate operations of enterprise to get a better t between compliance and business objectives as described next. 3.2

According to the recent Mckinsey report on global risk practice [ 11 ], in the traditional compliance management, business managers are left to their own devices to gure out speci c controls required to address regulatory requirements, leading to build up of labor-intensive control activities with uncertain e ectiveness. Compliance activities tend to be isolated, lacking a clear link to the broader framework of underlying risks and business goals with a dramatic increase in compliance and control spend with either limited or unproved impact on the residual risk pro le of given enterprise.

In our prior work, we modeled existing operational practices of enterprises using enterprise architecture and business motivation models [ 26 ]. We also showed how to incorporate directives such as internal policies and external regulations in enterprises' to-be architecture [ 25 ]. An enterprise needs to maintain both its business as usual state and to keep it optimum with regards certain criteria and it is also involved in transformational activities in the presence of other change drivers in its environment. When making the enterprise compliant to certain regulations, it has to change its operations. This results in systemic change ripples across all of its concerns. This is why it is often desirable to play out change scenarios in the presence of compliance to regulations by linking them to business goals.

In an ongoing work within our group, on arriving at a language called Enterprise Simulation Language (ESL), we provide a coordinated simulation facility for models representing why, what, how, and who aspects of enterprise [ 16 ]. The core abstraction used in ESL is that of actor model of computation. We believe that ESL is appropriate in simulating enactment of compliance and checking how to optimally implement compliance such that it does not negatively affect an enterprises' business goals. In ESL, actors are used to represent various levels of abstractions in enterprise models in terms of systems, subsystems, and components. Events capture various events expected by and output by these systems as well as the events internal to the systems. If various conditions under which regulatory rules become active are imagined as compliance events, then we can model such events at appropriate abstraction levels. The data and traces required for compliance can be modeled as state variables of actors. Finally, remediation behaviors can be modeled as expressions over compliance events and states. ESL models business goals in terms of various measures and levers wherein levers can be events, structures, state variables, and expressions over these that can be tuned for simulating the optimum measures.

Figure 4 shows this as simulation of business operations, where regulatory rules and operational facts are transformed into ESL speci cations which can be simulated to obtain insights into how compliance or non-compliance of certain regulations will a ect the enterprise's risk pro le and business goals at large.

In practice, enterprises rely on domain experts to enact compliance controls in their business operations. This introduces a major bottleneck in compliance because manual treatment of compliance requirements lacks substantially in accuracy and coverage of compliance requirements [ 5 ]. We believe that with a model-driven framework we proposed in Section 3.1, wherein domain experts' role is restricted to model making on top of NLP-ML techniques, the accuracy and coverage can be imparted at the right juncture in compliance management.

Enterprises also often implement compliance after the fact using point solutions in combination, which restrict their ability to address regulatory changes [ 1, 10 ]. Also, enterprises implement compliance mostly in content rather than in intent, wherein neither enactment nor remediation results in substantive management actions. This leaves certain business operations exposed to underlying risks in spite of being compliant in word [ 11 ]. We believe that an end-to-end compliance framework with the ability to simulate compliance along with risks and business goals as proposed in Section 3.2 can achieve coordinated compliance.

Contrary to approaches in the literature on compliance management, instead of focusing just on extraction of rules from legal text, or compliance checking with a speci c set of speci cations for rules and operations, we propose a framework that carries out all of these activities and leaves room for any combination of speci cations for rules and operations. Additionally, simulation abilities imparted by ESL enable a more holistic treatment of compliance by linking it to underlying risks and business goals. The proposed framework builds on our earlier works [ 22 ] by adding NLP-MLbased automation in conceptual model making and ESLbased simulation. Compared to industrial GRC solutions, the proposed approach provides an end-to-end compliance management framework. 5.

In spite of considerable research in academia and the advent of industry GRC solutions, much of the state of the art and practice relies heavily on experts for manually conducting various activities within compliance management. (Semi-) automation that we proposed aims at reducing the burden of relying on domain experts; when applied to endto-end activities, also has the potential to reduce costs of compliance and improve accuracy and coverage. Furthermore, holistic treatment of GRC facets and simulation thereof ensure that compliance activities are not a bottleneck to business goals. We believe that our ongoing work with KYC4 as well as MiFID5 and HIPAA6 regulations will enable us to actually realize these bene ts on ground.