Jan Mendling, Stefanie Rinderle-Ma, Eds.: Proceedings of EMISA 2016, Gesellschaft für Informatik, Bonn 2016

State-of-the-Art of Business Process Compliance Approaches: A Survey (Extended Abstract)

Michael Fellmann¹, Andrea Zasada¹

Abstract: Compliance means to adhere to laws, regulations and guidelines. It has become an integral part of business process management since the financial crisis revealed the dimension of legal offences and violated business rules. Even though Business Process Compliance (BPC) has reached a mature state, studies imply that practice still struggles with the documentation and automated control of compliance requirements. Moreover, due to the plethora of approaches, it is hard to gain an overview on existing works. This paper thus gives a short overview on BPC approaches. The work summarized in this extended abstract has been published in [FZ14].

Keywords: Business Process, Compliance, Validation, Verification, Review Article.

1 Introduction

As enterprises increasingly rely on business process models and execution environments to manage and automate their business processes, approaches to ensure compliance in business process modelling and execution are of utmost importance [Aw08, RW12]. Research can contribute to these efforts by addressing the needs of enterprises to automate compliance checks and enhance visibility of operational risks [Mi15]. However, due to the plethora of approaches, it is hard to compare and select from among them. In [FZ14], we therefore provide an overview guided by the following research questions:

RQ1: What is the scope of compliance approaches?
RQ2: Which phases of the process lifecycle are targeted by compliance approaches?
RQ3: What kind of research dominates compliance research?
RQ4: What is the contribution of compliance research works?
RQ5: What are trends regarding compliance research?

The review is based on the suggestions from Webster and Watson [WW02] and vom Brocke et al.
[Vb09] who describe best practices of a systematic literature review. It included five scientific databases. The literature search revealed 430 hits from which 84 were considered relevant for the classification (cf. [FZ14] for a detailed description).

The remainder of the paper is structured as follows. Section 2 introduces our classification of compliance approaches that is also used to answer RQ1–4 in the original paper. In Section 3, we apply the classification to important research works. In Section 4, research trends are sketched (RQ5) and Section 5 provides a conclusion.

¹ University of Rostock, Institute of Computer Science, Albert-Einstein-Str. 22, 18057 Rostock, Germany {michael.fellmann | andrea.zasada}@uni-rostock.de

2 Classification of Compliance Approaches

In the original paper [FZ14], a faceted classification is developed and subsequently applied to characterize research works. The classification contains the four dimensions (facets) Scope, Lifecycle phase, Formality and Contribution type of compliance approaches along with their attributes (cf. Figure 1). For example, the attribute Order and occurrence of the Scope dimension refers to the fact that every process is determined by events which trigger subsequent process steps. The execution of processes in turn requires detailed Information, which has to be either extracted from regulations or can be defined by the company as indicated by the attributes Resource, Time or Location.

Fig. 1: Dimensions for compliance checking

3 Classification of Important Compliance Works

In our original paper, we selected the top 20 articles (a complete list can be found here: http://tinyurl.com/compliance-list) according to the citation rate measured with Google Scholar (as of 2013, when the original article was written). We then provided a visual map (cf.
Figure 2) where approaches are classified according to three dimensions of our classification: Formality, Scope and Contribution type. Regarding formality (y-axis), we slightly extended this dimension to comprise additional levels of formality in order to provide for a more suitable graphical representation. The extended levels are: Highly formal (e.g. using mathematical analyses), Formalized approaches with end-user orientation (e.g. presenting an algorithm with a user interface), Management-oriented partly formal approaches (e.g. descriptions of tools or procedures) and Management-oriented frameworks or methods (e.g. architectures or strategies). Regarding the Scope (x-axis), we used the attributes of our classification. Regarding Contribution type, we extended the criterion Other, replacing it with the two more specific attributes No specific contribution type and Technical artefact and method. With these extensions, we can provide the map that is shown in Figure 2 (references to the articles in the map are contained in the original publication [FZ14]).

Fig. 2: Classification of important compliance works

4 Research Trends

Regarding the subject of research, it can be noticed that compliance research has been driven by the increasing requirements of businesses to comply with given laws, regulations, best practices and contracts that have existed since the beginning of the century. Research on the topic reached its climax (regarding the publication rates) in 2009. Many of the research works propose formal methods or frameworks to approach compliance.
Future research may thus be concerned with the applicability of the developed approaches in terms of intuitive tool support, cognitively efficient user interfaces, and ergonomic and usable languages for compliance rule specification or generation from natural language text, as well as with organizational aspects and “the human in the loop”.

5 Conclusion

With our review, which we summarized here and which is presented in detail in [FZ14], we want to serve the research community by showing the landscape of research in terms of what the literature is focused on (scope), which phases of the process lifecycle are addressed (design, execution, after execution), from which perspective (business-oriented or more formal, computer-science-related work), and which contribution type (technical artefact, method or other) is provided. We hope that our contribution is useful and may serve both as a starting point for new researchers and as an overview of the work for more experienced researchers in the business process compliance field.

References

[Aw08] Awad, A.; Decker, G.; Weske, M.: Efficient Compliance Checking Using BPMN-Q and Temporal Logic. In (Dumas, M., Reichert, M. and Shan, M.-C., Eds.): Proceedings of BPM 2008, LNCS 5240, Springer, Berlin, pp. 326–341, 2008.
[FZ14] Fellmann, M.; Zasada, A.: State-of-the-Art of Business Process Compliance Approaches: A Survey. In: Proceedings of ECIS 2014, June 9–11, Tel Aviv, 2014. Online: http://aisel.aisnet.org/ecis2014/proceedings/track06/8
[Mi15] Miles, D.: Managing Governance, Risk and Compliance with ECM and BPM. White Paper. AIIM and OpenText, 2015.
[RW12] Reichert, M.; Weber, B.: Business Process Compliance. In (Reichert, M. and Weber, B., Eds.): Enabling Flexibility in Process-Aware Information Systems, Springer, Berlin, pp. 297–320, 2012.
[Vb09] Vom Brocke, J.; Simons, A.; Niehaves, B.; Riemer, K.; Plattfaut, R.; Cleven, A.: Reconstructing the Giant: On the Importance of Rigour in Documenting the Literature Search Process. In: Proceedings of ECIS 2009, Verona, pp. 2206–2217, 2009.
[WW02] Webster, J.; Watson, R. T.: Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Quarterly, 26 (2), xiii–xxiii, 2002.