=Paper= {{Paper |id=Vol-1561/paper6 |storemode=property |title=Toward (Semi-) Automated End-to-End Model-driven Compliance Framework |pdfUrl=https://ceur-ws.org/Vol-1561/paper6.pdf |volume=Vol-1561 |dblpUrl=https://dblp.org/rec/conf/indiaSE/SunkleK16 }} ==Toward (Semi-) Automated End-to-End Model-driven Compliance Framework== https://ceur-ws.org/Vol-1561/paper6.pdf
Toward (Semi-) Automated End-to-End Model-driven Compliance Framework

Sagar Sunkle and Deepali Kholkar
Tata Consultancy Services Research
54B, Hadapsar Industrial Estate
Pune, India, 411028
sagar.sunkle,deepali.kholkar@tcs.com

Copyright © 2016 for the individual papers by the papers’ authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors.

2nd Modelling Symposium (ModSym 2016) - colocated with ISEC 2016, Goa, India, Feb 18, 2016

ABSTRACT
For modern enterprises, compliance to regulations has become increasingly important. Yet, substantial manual interventions and lack of interoperable models of various compliance aspects contribute to an ineffective implementation and rising costs of compliance. We propose a (semi-) automated end-to-end compliance framework that has the potential to address these challenges. Our contributions are twofold. We first describe how reliance on domain experts and non-holistic treatment of compliance poses severe problems. We then propose a framework on top of our prior work to address the same. Ongoing explorations suggest that such a framework can better equip enterprises for efficient and effective compliance.

CCS Concepts
• Computing methodologies → Information extraction; • Applied computing → IT governance;

Keywords
Regulatory Compliance; Enterprise Modeling; Natural Language Processing; Simulation

1. INTRODUCTION
Among the change drivers faced by modern enterprises, compliance to regulations is one of the most complex and multifaceted. Complexity of regulatory compliance is aggravated for modern enterprises due to their global footprints and multiple regulations that they must comply with across domains and geographies. The cost of compliance rises when enterprises also have to keep up with the changes in regulations [1, 10]. Non-compliance is usually not an option. Most likely, non-compliance results in putting the hard earned reputation of enterprises at stake and may also lead to personal liability and risk for board directors and top management. The traditional compliance model has been realized in an advisory capacity with limited focus on actual risk identification and management [8, 15]. The emerging best practice model of compliance hints at understanding business operations and the underlying risk exposures so that compliance requirements can be practically translated into management actions [11].

This indicates that enterprises need a compliance framework with which they can (a) accurately and exhaustively relate compliance requirements to business operations [10], (b) carry out compliance management in an end-to-end fashion, starting right from the regulatory texts and their business and legal interpretations to carrying out compliance reporting [3], and (c) include suggestive management actions aimed at handling the related risk exposures in an organized and deliberate manner [11].

To address these requirements, we propose that activities of compliance management should be model-driven. This implies that activities in compliance should be automated to the extent possible, with domain experts’ role limited to providing feedback in creating various models to be used for compliance and fine-tuning them to achieve greater accuracy and coverage. A conceptual model containing the necessary and sufficient concepts from both the business domain of the enterprise and the regulation domain can be used to generate various requisite artifacts. The generation of such a domain model can be automated using natural language processing (NLP) and machine learning (ML) techniques. Once this model is available, the models of rules and facts as well as other purposive models can be obtained by model-to-text transformation.

Our contributions in this position paper are the detailed descriptions of these problems and our proposal, building on our previous work, of a model-driven compliance framework that is designed to address the aforementioned requirements to enable cost efficient and business effective compliance management by enterprises. We review our previous work in Section 2 and illustrate a generic set of activities of a compliance framework with clear distinction between manual and (semi-) automated activities. Most industrial and academic solutions provide largely expert-driven specializations of this set of activities in compliance. We put forth exemplars of specializations of this generic set of activities based on what the enterprise has to enact compliance, whether it is business process definitions or purely data, and what the organization’s purpose is in managing compliance. In Section 3, we present another specialization of the generic set of activities in compliance, this time suggesting (semi-)automation of largely manual activities. This set of
activities is extrapolated from specializations presented in Section 2. We propose exactly how the (semi-)automation may be achieved for each activity in the set using model-driven techniques. Section 4 discusses how this compliance framework may lead to cost efficiency and business effectiveness. Section 5 concludes the paper.

2. RELATED AND PREVIOUS WORK
In the following, we consider regulatory requirements from external regulatory bodies as the key source, although our discussion is applicable to policies internal to an enterprise.

2.1 Generic Set of Activities in Compliance
Compliance checking can be classified based on whether it is design-/run-time depending on whether information required for checking is available only at run-time. It can also be classified as forward or backward checking based on whether controls are enacted in processes preemptively or execution traces are checked after business processes have already executed. Another way to classify compliance checking is what the granularity of checks is, i.e., whether business processes, tasks, or attributes or pure data is checked, and finally whether checking takes place by making use of an inference engine and/or queries to models of enterprise information [12]. Several works have surveyed existing compliance checking approaches from academia based on similar classification of compliance checking activities [6] and also from industry governance, risk, and compliance (GRC) approaches [10].

For the purpose of this paper, we limit the generic set of activities and artifacts in compliance to those illustrated in Figure 1. Legal text indicates the source of regulations, which could be a document from a regulatory body in a given domain or an interpretation by various stakeholders of an enterprise. The regulations and/or interpretation are predominantly natural language texts. Enterprise information against which regulations specified in legal texts are to be checked can manifest in a number of forms including natural language texts, operational models including business process definitions, execution traces, or audit trails, or databases. Compliance checking and report generation involves specifying rules from legal text and facts from enterprise information in a suitable format and performing the checking activity. Note that industry GRC approaches primarily use querying mechanisms as opposed to compliance engines as in academia for checking compliance.

Figure 1: Generic Set of Activities and Artifacts in Compliance Management.
[Diagram labels: Legal Text, Vocabulary, Enterprise Operations, Rule Language Specification, Operations Specification, Rules, Facts, Compliance Checking, Report Generation. Legend: Manual Specification, Various Models, Optional Artifact.]

We showed in our earlier works that formal approaches from academia often assume implicitly that terms in legal texts and enterprise information artifacts match [24]. This is indicated by an optional artifact called vocabulary in Figure 1. Several combinations of rule and operational specifications exist in academic literature with implicit assumptions about terms in both [24]. Industry GRC approaches use taxonomy as the collection of predefined tags available for enterprises to affix to their financial data [4]. Tags can be specific to territories/geographies, time frames, and business units. Tags either do not leverage semantic meanings of terms or the support for such semantics is rudimentary at best in most GRC approaches [24].

Both kinds of approaches vary based on constituents of compliance, i.e., the legal and enterprise information artifacts, their formats, or formalisms and the purpose of compliance. In the next section, we show variations of both constituents and purposes as specializations of the generic set of activities from our previous work.

2.2 Purpose and Constituents of Compliance
We show two specializations where the enterprises may have process or just the data and the purpose may be to obtain proof/evidence of (non-)compliance or to generate reports of violation based on auditors’ demand.

2.2.1 Explanation of Proof/Evidence of Compliance
We utilized a specialization of the generic set of activities in Figure 1 as illustrated in Figure 2. This was our attempt to leverage the holistic perspective of governance, risk, and compliance from industry GRC approaches along with formal treatments as in academic approaches. In this case, the constituents of compliance are legal text and business process (BP) models. While process models are BP modeling notation 2.0 compliant, we utilize DR-Prolog as the specification language for both rules obtained from legal texts and facts extracted from process models. In addition to compliance checking, the specialization in Figure 2 enables natural language explanation of proofs of (non-) compliance.

Figure 2: Explanation of Proof/Evidence of Compliance.
[Diagram labels: Legal Text, EMF Ecore SBVR Editor, OMG SBVR Metamodel, Vocabulary, Assurance Workbench, TCS Business Process Models, BPMN 2.0, DR-Prolog, TuProlog, Rules, Facts, TuProlog Metainterpreter, Java, SEMILAR, Queries with Apache Metamodel API, XML Representation of SBVR, Interpretation Trace, Procedure Box Abstraction in Trace, Success Rules and Facts, Failure Rules and Facts, FreeMarker API, Natural Language Templates, Natural Language Explanation. Legend: Manual Specification, Implementation Technology in boldface, Specification Language/format in italics, Various Models.]

We build the vocabulary model based on the Semantics of Business Vocabulary and Rules (SBVR) metamodel from the SBVR specification [19]. The vocabulary model represents terms from the legal text and BP models. These terms from legal and business side are reconciled using SEMILAR similarity measurement API [20]. We use the DR-Prolog defeasible compliance engine to express rules from legal text and facts in relational form that we extract from BP models using a proprietary tool. Specialized algorithms using a Prolog-based meta-interpreter emit a suitable trace which is parsed to obtain rules and facts contributing to success or failure of queries of compliant rules. The terms from this subset of rules and facts are matched with the vocabulary to express the natural language explanation using FreeMarker template API where relevant details of terms under consideration are inserted into the variable parts of a template. We redirect the reader to [22] for details of proof generation and natural language explanation.

This specialization is useful when an enterprise aims at obtaining explanation of proofs of (non-) compliance in addition to checking whether its operational practices are compliant or not with a given set of regulations. We demonstrated the utility of this framework on real world Know Your Customer (KYC) regulations by Reserve Bank of India for Indian Banks [22]. In this particular case, the bank had business processes where both backward checking (checking data generated by processes) and forward checking (realizing controls on specific activities) could be achieved.

2.2.2 Report Generation with Multi-source Data
The second specialization that we illustrate is a work-in-progress where the enterprise has data instead of process descriptions. This data is to be obtained from sources in various business units. Figure 3 shows this use case.

Figure 3: Compliance Report Generation using Multi-source Data.
[Diagram labels: Legal Text, EMF Ecore SBVR Editor, OMG SBVR Metamodel, Vocabulary, Vocabulary of Integrated DB, Drools, Java, Rules, Facts, Conceptual Mapping, Path Expression Query Language, Datalog and Proprietary Tools, DB, DB1, DB2, DB3, DBn. Legend: Manual Specification, Implementation Technology in boldface, Specification Language/format in italics, Various Models.]

The databases DB1 to DBn hold the data which is integrated into the database DB. We use our proprietary tooling for this purpose where a specialization of object query language called path expression query language is used for mapping conceptual models of DBs to the integrated DB. The actual model processing uses Datalog and other proprietary tools described in detail in [28]. The rule specification language used in this case is Drools which takes plain old Java objects (POJOs) as the fact model which is checked against rules implementing Rete pattern matching. Both the vocabularies of legal text and the integrated DB are created and reconciled in a manner similar to that detailed in our earlier work [24]. The reports are generated using Drools reporting features, but mostly contain information of checks passed and failed rather than explanations of the same.

3. (SEMI-)AUTOMATED AND END TO END COMPLIANCE
The two specializations we described in Figures 2 and 3 show that depending on the enterprises’ purpose and the form of operational specifics it has, the generic set of activities in Figure 1 can be specialized. Referring back to Section 1, our specializations use models for representing rules and facts and also for expressing semantic similarity between the vocabularies of legal texts and enterprise information. More information about how we create SBVR-based models and how we utilize SEMILAR for contextual similarity measurement can be found in [24]. To some extent, this satisfies requirement (a), that of relating compliance requirements to business operations. These models together enable end-to-end compliance management in various combinations of rule and operation specifications as described in the previous section and thereby satisfy requirement (b) to a large extent. Similarly, we demonstrated in [23] how risks pertaining to the compliance of a given set of regulations and corresponding mitigation activities can be modeled and how to utilize these models. This satisfies requirement (c) to some extent.

Yet, most of the activities continue to be manual as evident in Figures 2 and 3, which need to be automated to the extent possible. Also, to effectively relate business objectives to compliance, further modeling and model processing machinery is required. We propose how this can be done next.

3.1 Automating Model Generation for Rules and Facts
To represent rules and facts from legal text and enterprise information, it might be possible to extract each using natural language processing (NLP) and machine learning (ML). There exists sizable literature on extracting conceptual models of regulation or rules from legal/regulatory texts. Most of these approaches focus on using either simplified representations of natural language texts or making assumptions about structural aspects of the texts or both. We review such proposals next briefly.

An approach presented in [27] uses a modeling interface that the domain expert (referred to as a knowledge engineer in [27]) can use to build the conceptual model and norms incrementally. At the back of this interface are a set of NLP components including a parser, a grammar, a lexicon, and a lexicon supplementor for identifying grammatical categories, all of which are specific to Dutch language. They make a suitable assumption that a set of possible juridical natural language constructs (JNLC) can describe categories like definitions, value assignments, and conditions. If the regulation text does not contain presumed syntactic structures then it has to be rewritten to make the syntactic structures explicit. Only when the syntactic structures are explicit can a parser written to identify them actually be used.

A similar approach for Italian language is presented in [18] which uses articles, sections, and paragraphs to identify especially the amendments to original laws. Breaux et al. propose a systematic manual process [7], in which the domain expert marks the text using phrase heuristics and a
frame-based model to identify rights or obligations, associated constraints, and condition keywords including natural language conjunctions. These rights and obligations are restated into restricted natural language statements (RNLS). The RNLS can be modeled as description logic rules using semantic parameterization process. Kiyavitskaya et al. proposed to add tool support to this process [13], which was carried out in work by Zeni et al. [29]. In this work, a document structure is assumed with varying granularity from words and phrases to sections and documents. Various syntactic indicators are used to capture deontic concepts and exceptions. For instance, the concept of right is identified in the text via indicators like may, can, could, permit, to have a right to, should be able to. Some of the indicators could be complex patterns that combine literal phrases and basic concepts. The annotation schema that specifies rules for identifying domain concepts via indicators is nevertheless created mostly manually, whereby authors plan to use clustering techniques to automate the same.

In these approaches, domain experts are required to annotate the text initially to explicate the core concepts, syntactic structures, or patterns which are then incorporated in parsing. Domain experts may also have to rewrite the text in a simpler form for it to become amenable to specialized parsing mechanisms. The problem with these approaches is that they are very specific to a kind of regulation with parsing mechanisms specialized around the syntactic structures of that regulation. A generic set of NLP-ML techniques is more amenable than coming up with an individual set of techniques for each. There are several pointers for improvement with this state of the art:
    • We may take a clue from taxonomy tagging tools from industry such as OpenCalais¹, Active Tags², and Compliance Guardian³ to initially present a list of important concepts from the text to the domain expert. These concepts could be top-k concepts frequency distribution-wise.
    • Alternatively, domain experts may suggest a few concepts core to the regulation which can be used as seeds to obtain an initial conceptual model which can be incrementally built to include necessary and sufficient concepts.
    • Instead of using regulation-specific heuristics, one could use phrase heuristics for building domain models based on identification of entities, attributes, and relations as applied to regular text. There are several works in NLP-ML, which use a variety of heuristics and training methods targeted at creating concept hierarchies via syntactic heuristics, semantic patterns, and un- and (semi-) supervised methods [2, 9, 21, 14].
    • Note that most works on legal text extraction do not consider enterprise information against which regulations are to be checked. The NLP-ML techniques need to be applied to enterprise information as well, available in the form of business process definitions, data, or audit trails, to obtain a conceptual model with which to map regulation concepts.

Once the NLP-ML techniques are applied to obtain conceptual models and a mapping between them, this model can be used to generate rules and facts in the desired specification language. We presented an early manifestation of the idea of generating requisite artifact specifications from a conceptual model in [23]. At this stage, a (semi-)automated specialization of the generic set of activities in Figure 1 could be imagined as illustrated in Figure 4.

Figure 4: (Semi-) Automation with Purposive Compliance
[Diagram labels: Legal Text, NLP+ML, Vocabulary, Domain Model, Enterprise Operations, Purposive Rule Language Specification (DR-Prolog/Drools), Purposive Operations Specification (Business Process Definitions/Data/Audit Trails), Simulation of Business Operations, Rules, Facts, Compliance Checking [+Proof Explanation], Report Generation. Legend: Manual Specification, Specification Language/format in italics, Various Models.]

Compared to the generic set of activities for compliance management and its specializations presented in Section 2, the framework illustrated in Figure 4 restricts the role of domain experts in conceptual model making. The process of generation of the model is (semi-)automated since we envision that such a model will be built incrementally along the lines of the approach presented in [27] which we reviewed earlier. This conceptual model needs to incorporate concepts of risks and governance as we indicated in [23]. With this set of concepts, it might be possible to simulate operations of the enterprise to get a better fit between compliance and business objectives as described next.

3.2 Simulating Operations with Compliance Controls
According to the recent McKinsey report on global risk practice [11], in traditional compliance management, business managers are left to their own devices to figure out specific controls required to address regulatory requirements, leading to a build up of labor-intensive control activities with uncertain effectiveness. Compliance activities tend to be isolated, lacking a clear link to the broader framework of underlying risks and business goals with a dramatic increase in compliance and control spend with either limited or unproved impact on the residual risk profile of a given enterprise.

In our prior work, we modeled existing operational practices of enterprises using enterprise architecture and business motivation models [26]. We also showed how to incorporate

¹ OpenCalais (Thomson Reuters) http://new.opencalais.
com/opencalais-api/                                                directives such as internal policies and external regulations
2                                                                  in enterprises’ to-be architecture [25]. An enterprise needs
  Active Tags http://www.wavetrend.net/activ-tags.php
3                                                                  to maintain both its business as usual state and to keep
  Compliance      Guardian    http://www.avepoint.com/
products/compliance-management/                                    it optimum with regards certain criteria and it is also in-
volved in transformational activities in the presence of other      work that carries out all of these activities and leaves room
change drivers in its environment. When making the enter-           for any combination of specifications for rules and opera-
prise compliant to certain regulations, it has to change its        tions. Additionally, simulation abilities imparted by ESL
operations. This results in systemic change ripples across all      enable a more holistic treatment of compliance by linking it
of its concerns. This is why it is often desirable to play out      to underlying risks and business goals. The proposed frame-
change scenarios in the presence of compliance to regulations       work builds on our earlier works [22] by adding NLP-ML-
by linking them to business goals.                                  based automation in conceptual model making and ESL-
   In an ongoing work within our group, on arriving at a            based simulation. Compared to industrial GRC solutions,
language called Enterprise Simulation Language (ESL), we            the proposed approach provides an end-to-end compliance
provide a coordinated simulation facility for models repre-         management framework.
senting why, what, how, and who aspects of enterprise [16].
The core abstraction used in ESL is that of actor model of          5.    CONCLUSION
computation. We believe that ESL is appropriate in simulat-
                                                                      In spite of considerable research in academia and the ad-
ing enactment of compliance and checking how to optimally
                                                                    vent of industry GRC solutions, much of the state of the
implement compliance such that it does not negatively af-
                                                                    art and practice relies heavily on experts for manually con-
fect an enterprises’ business goals. In ESL, actors are used to
                                                                    ducting various activities within compliance management.
represent various levels of abstractions in enterprise models
                                                                    (Semi-) automation that we proposed aims at reducing the
in terms of systems, subsystems, and components. Events
                                                                    burden of relying on domain experts; when applied to end-
capture various events expected by and output by these sys-
                                                                    to-end activities, also has the potential to reduce costs of
tems as well as the events internal to the systems. If vari-
                                                                    compliance and improve accuracy and coverage. Further-
ous conditions under which regulatory rules become active
                                                                    more, holistic treatment of GRC facets and simulation thereof
are imagined as compliance events, then we can model such
                                                                    ensure that compliance activities are not a bottleneck to
events at appropriate abstraction levels. The data and traces
                                                                    business goals. We believe that our ongoing work with
required for compliance can be modeled as state variables of
                                                                    KYC4 as well as MiFID5 and HIPAA6 regulations will en-
actors. Finally, remediation behaviors can be modeled as
                                                                    able us to actually realize these benefits on ground.
expressions over compliance events and states. ESL mod-
els business goals in terms of various measures and levers
wherein levers can be events, structures, state variables, and      6.    REFERENCES
expressions over these that can be tuned for simulating the           [1] Accelus. Regulatory change management: the critical
optimum measures.                                                         compliance competence, Sep 2013.
   Figure 4 shows this as simulation of business operations,          [2] L. A. E. Al-Safadi. Natural language processing for
where regulatory rules and operational facts are transformed              conceptual modeling. JDCTA, 3(3):47–59, 2009.
into ESL specifications which can be simulated to obtain in-          [3] S. Alberth, B. Babel, D. Becker, G. Kaltenbrunner,
sights into how compliance or non-compliance of certain reg-              T. Poppensieker, S. Schneider, U. Stegemann, and
ulations will affect the enterprise’s risk profile and business           T. Wegner. Compliance and control 2.0: Unlocking
goals at large.                                                           potential through compliance and quality-control
                                                                          activities. McKinsey Working Papers on Risk, 33,
4.   DISCUSSION                                                           2012.
                                                                      [4] AvePoint. AvePoint compliance guardian product
   In practice, enterprises rely on domain experts to enact
                                                                          brochure, Oct. 2014.
compliance controls in their business operations. This in-
troduces a major bottleneck in compliance because manual              [5] J. W. Bartley, Y. A. Chen, and E. Z. Taylor. A
treatment of compliance requirements lacks substantially in               Comparison of XBRL Filings to Corporate 10-Ks -
accuracy and coverage of compliance requirements [5]. We                  Evidence from the Voluntary Filing Program. Social
believe that with a model-driven framework we proposed                    Science Research Network, Feb 2010.
in Section 3.1, wherein domain experts’ role is restricted to         [6] J. Becker, P. Delfmann, M. Eggert, and S. Schwittay.
model making on top of NLP-ML techniques, the accuracy                    Generalizability and applicability of modelbased
and coverage can be imparted at the right juncture in com-                business process compliance-checking approaches — a
pliance management.                                                       state-of-the-art analysis and research roadmap. BuR
   Enterprises also often implement compliance after the fact             — Business Research, 5(2):221–247, 2012. Publication
using point solutions in combination, which restrict their                status: Published.
ability to address regulatory changes [1, 10]. Also, enter-           [7] T. D. Breaux, M. W. Vail, and A. I. Antón. Towards
prises implement compliance mostly in content rather than                 regulatory compliance: Extracting rights and
in intent, wherein neither enactment nor remediation results              obligations to align requirements with regulations. In
in substantive management actions. This leaves certain busi-              14th (RE Conference 2006), 11-15 September 2006,
ness operations exposed to underlying risks in spite of being             Minneapolis/St.Paul, Minnesota, USA, pages 46–55,
compliant in word [11]. We believe that an end-to-end com-                2006.
pliance framework with the ability to simulate compliance             [8] D. Cau. Governance, risk and compliance (GRC)
along with risks and business goals as proposed in Section                software business needs and market trends, 2014.
3.2 can achieve coordinated compliance.                             4
                                                                      Reserve Bank of India KYC https://rbi.org.in/scripts/BS
   Contrary to approaches in the literature on compliance           ViewMasCirculardetails.aspx?id=8179
management, instead of focusing just on extraction of rules         5
                                                                      MiFID http://ec.europa.eu/finance/securities/isd/index
from legal text, or compliance checking with a specific set of      en.htm
                                                                    6
specifications for rules and operations, we propose a frame-          HIPAA http://www.hhs.gov/hipaa/index.html




                     2nd Modelling Symposium (ModSym 2016) - colocated with ISEC 2016, Goa, India, Feb 18, 2016
[9] A. Fader, S. Soderland, and O. Etzioni. Identifying relations for open information extraction. In Proceedings of the 2011 Conference on Empirical Methods in Natural Language Processing, EMNLP 2011, 27-31 July 2011, John McIntyre Conference Centre, Edinburgh, UK, A meeting of SIGDAT, a Special Interest Group of the ACL, pages 1535–1545. ACL, 2011.
[10] J. A. W. French Caldwell. Magic quadrant for enterprise governance, risk and compliance platforms, 2013.
[11] P. Kaminski and K. Robu. Compliance and control 2.0: Emerging best practice model. McKinsey Working Papers on Risk, 33, Oct 2015.
[12] M. E. Kharbili, A. K. A. de Medeiros, S. Stein, and W. M. P. van der Aalst. Business process compliance checking: Current state and future challenges. In P. Loos, M. Nüttgens, K. Turowski, and D. Werth, editors, MobIS, volume 141 of LNI, pages 107–113. GI, 2008.
[13] N. Kiyavitskaya, N. Zeni, T. D. Breaux, A. I. Antón, J. R. Cordy, L. Mich, and J. Mylopoulos. Automating the extraction of rights and obligations for regulatory compliance. In Q. Li, S. Spaccapietra, E. S. K. Yu, and A. Olivé, editors, Conceptual Modeling - ER 2008, Barcelona, Spain, volume 5231 of Lecture Notes in Computer Science, pages 154–168. Springer, 2008.
[14] I. Klapaftis. Unsupervised concept hierarchy induction: learning the semantics of words. University of York, Department of Computer Science, 2009.
[15] KPMG. The convergence evolution: Global survey into the integration of governance, risk, and compliance, Feb 2012.
[16] V. Kulkarni, S. Barat, T. Clark, and B. S. Barn. Toward overcoming accidental complexity in organisational decision-making. In Lethbridge et al. [17], pages 368–377.
[17] T. Lethbridge, J. Cabot, and A. Egyed, editors. 18th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MoDELS 2015, Ottawa, ON, Canada, September 30 - October 2, 2015. IEEE, 2015.
[18] P. Mercatali, F. Romano, L. Boschi, and E. Spinicci. Automatic translation from textual representations of laws to formal models through UML. In M. Moens and P. Spyns, editors, Legal Knowledge and Information Systems - JURIX 2005: The Eighteenth Annual Conference on Legal Knowledge and Information Systems, Brussels, Belgium, 8-10 December 2005, volume 134 of Frontiers in Artificial Intelligence and Applications, pages 71–80. IOS Press, 2005.
[19] OMG. Semantics of business vocabulary and business rules (SBVR), v1.3. May 2015.
[20] V. Rus, M. C. Lintean, R. Banjade, N. B. Niraula, and D. Stefanescu. SEMILAR: the semantic similarity toolkit. In 51st Annual Meeting of the Association for Computational Linguistics, ACL, Sofia, Bulgaria, pages 163–168. The Association for Computer Linguistics, 2013.
[21] I. Serra, R. Girardi, and P. Novais. Evaluating techniques for learning non-taxonomic relationships of ontologies from text. Expert Syst. Appl., 41(11):5201–5211, 2014.
[22] S. Sunkle, D. Kholkar, and V. Kulkarni. Explanation of proofs of regulatory (non-)compliance using semantic vocabularies. In N. Bassiliades, G. Gottlob, F. Sadri, A. Paschke, and D. Roman, editors, Rule Technologies: Foundations, Tools, and Applications - 9th International Symposium, RuleML 2015, Berlin, Germany, August 2-5, 2015, Proceedings, volume 9202 of Lecture Notes in Computer Science, pages 388–403. Springer, 2015.
[23] S. Sunkle, D. Kholkar, and V. Kulkarni. Model-driven regulatory compliance: A case study of “know your customer” regulations. In Lethbridge et al. [17], pages 436–445.
[24] S. Sunkle, D. Kholkar, and V. Kulkarni. Toward better mapping between regulations and operations of enterprises using vocabularies and semantic similarity. CSIMQ, 5:39–60, 2015.
[25] S. Sunkle, D. Kholkar, H. Rathod, and V. Kulkarni. Incorporating directives into enterprise TO-BE architecture. In G. Grossmann, S. Hallé, D. Karastoyanova, M. Reichert, and S. Rinderle-Ma, editors, 18th IEEE International Enterprise Distributed Object Computing Conference Workshops and Demonstrations, EDOC Workshops 2014, Ulm, Germany, September 1-2, 2014, pages 57–66. IEEE, 2014.
[26] S. Sunkle and H. Rathod. Visual and ontological modeling and analysis support for extended enterprise models. In S. Nurcan and E. Pimenidis, editors, Information Systems Engineering in Complex Environments - CAiSE Forum 2014, Thessaloniki, Greece, June 16-20, 2014, Selected Extended Papers, volume 204 of Lecture Notes in Business Information Processing, pages 233–249. Springer, 2014.
[27] T. M. van Engers, R. van Gog, and K. Sayah. A case study on automated norm extraction. In T. Gordon, editor, Legal Knowledge and Information Systems. Jurix 2004: The Seventeenth Annual Conference, Frontiers in Artificial Intelligence and Applications, pages 49–58, Amsterdam, 2004. IOS Press.
[28] R. R. Yeddula, P. Das, and S. Reddy. A model-driven approach to enterprise data migration. In J. Zdravkovic, M. Kirikova, and P. Johannesson, editors, Conference on Advanced Information Systems Engineering (CAISE), Stockholm, Sweden, volume 9097 of Lecture Notes in Computer Science, pages 230–243. Springer, 2015.
[29] N. Zeni, N. Kiyavitskaya, L. Mich, J. R. Cordy, and J. Mylopoulos. GaiusT: supporting the extraction of rights and obligations for regulatory compliance. Requir. Eng., 20(1):1–22, 2015.




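The modelling that Section 3.2 describes (actors, compliance events, state variables holding traces, remediation, and measures tuned through levers), sketched in Python as an added example; it is not ESL and not the authors' code. The KYC-style rule, the application data, the `limit` and `capacity` levers and the four measures are all constructed assumptions.

```python
from collections import deque

# Constructed applications (id, amount, documents_complete); not real data.
APPS = [(1, 500, True), (2, 12000, True), (3, 8000, False), (4, 20000, False),
        (5, 300, True), (6, 15000, True), (7, 9000, True), (8, 11000, False)]

class Actor:
    """A system or component: a mailbox of events plus state variables."""
    def __init__(self, name):
        self.name, self.mailbox, self.state = name, deque(), {}

    def send(self, event, payload):
        self.mailbox.append((event, payload))

def onboarding_step(onb, comp, limit):
    """Business operation; raises a compliance event when the rule is active."""
    while onb.mailbox:
        _, app = onb.mailbox.popleft()
        if app[1] >= limit:                  # assumed rule condition
            comp.send("kyc_required", app)   # compliance event
        else:
            onb.state.setdefault("opened", []).append(app[0])
            onb.state.setdefault("unchecked", []).append(app)

def compliance_step(comp, onb, capacity):
    """Compliance control: at most `capacity` checks per tick."""
    for _ in range(min(capacity, len(comp.mailbox))):
        event, app = comp.mailbox.popleft()
        comp.state.setdefault("trace", []).append((event, app[0], app[2]))
        if app[2]:
            onb.state.setdefault("opened", []).append(app[0])
        else:                                # remediation: hold the account
            comp.state.setdefault("held", []).append(app[0])

def simulate(limit, capacity, per_tick=2):
    """Run the constructed scenario for one lever setting; return the measures."""
    onb, comp = Actor("onboarding"), Actor("compliance")
    for start in range(0, len(APPS), per_tick):
        for app in APPS[start:start + per_tick]:
            onb.send("application", app)
        onboarding_step(onb, comp, limit)
        compliance_step(comp, onb, capacity)
    unchecked = onb.state.get("unchecked", [])
    return {
        "opened": len(onb.state.get("opened", [])),    # business-goal measure
        "held": len(comp.state.get("held", [])),       # remediated cases
        "backlog": len(comp.mailbox),                  # checks still pending
        "exposure": sum(1 for a in unchecked if not a[2]),  # risk measure
    }

def tune(limits=(5000, 10000), capacities=(1, 2)):
    """Try each lever setting; keep the one opening most accounts with no exposure or backlog."""
    runs = {(l, c): simulate(l, c) for l in limits for c in capacities}
    ok = [k for k, m in runs.items() if m["exposure"] == 0 and m["backlog"] == 0]
    return max(ok, key=lambda k: runs[k]["opened"], default=None), runs

if __name__ == "__main__":
    best, runs = tune()
    print("chosen (limit, capacity):", best, runs[best])
```

Raising `limit` opens more accounts but lets an undocumented application through unchecked, while lowering it without adding `capacity` leaves checks pending; the sweep makes that trade-off between the compliance control and the business measure visible.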