=Paper=
{{Paper
|id=Vol-2196/BPM_2018_paper_17
|storemode=property
|title=BCIT: A Tool for Analyzing the Interactions between Business Process Compliance and Business Process Change
|pdfUrl=https://ceur-ws.org/Vol-2196/BPM_2018_paper_17.pdf
|volume=Vol-2196
|authors=Tobias Seyffarth,Kai Raschke
|dblpUrl=https://dblp.org/rec/conf/bpm/SeyffarthR18
}}
==BCIT: A Tool for Analyzing the Interactions between Business Process Compliance and Business Process Change==
https://ceur-ws.org/Vol-2196/BPM_2018_paper_17.pdf
BCIT: A Tool for Analyzing the Interactions between
Business Process Compliance and
Business Process Change
Tobias Seyffarth and Kai Raschke
Martin Luther University Halle-Wittenberg, 06108 Halle (Saale), Germany
{tobias.seyffarth,kai.raschke}@wiwi.uni-halle.de
Abstract. Business processes as well as their supporting information technology
(IT) can be affected by compliance requirements. In the case of changing the
business process, an IT component or a compliance requirement the interactions
between business process compliance (BPC) and business process change must
be determined to ensure BPC. However, there is a lack of tool-support that can
analyze the interactions between BPC and business process change considering
compliance requirements and supporting IT components. Therefore, we devel-
oped the prototype BCIT (Business Process Compliance and IT) which can ana-
lyze these interactions considering the change patterns “delete element” and “re-
place element”.
Keywords: business process compliance, business process change, compliance
process, information technology, software prototype
1 Introduction
Business process compliance (BPC) denotes the execution of business processes in ad-
herence to applicable compliance requirements [1]. Not only business processes but
also information technology (IT) components that can support certain business activi-
ties can be affected by so-called compliance requirements. In dynamic markets, the
rapid detection of compliance violations and the adherence to the demands of compli-
ance requirements to changed business processes and supporting IT components are
necessary [2]. Thus, in the case of a business process change, which includes the change
of a business activity, IT component, or compliance requirement, the effects on busi-
ness process compliance must be automatically determined [3]. Although, there are nu-
merous process modeling tools, such as ARIS Architect, Bizagi Studio, Camunda Mod-
eler and Signavio Process Manager, to the best of our knowledge, there is a lack of a
tool that automatically determines the interaction between BPC and business process
change considering compliance requirements and supporting IT components. There-
fore, the goal of our paper is to present the software prototype BCIT (Business Process
F. Casati et al. (Eds.): Proceedings of the Dissertation Award and Demonstration, In-
dustrial Track at BPM 2018, CEUR-WS.org, 2018. Copyright © 2018 for the individual
papers by its authors. Copying permitted for private and academic purposes. This vol-
ume is published and copyrighted by its editors.
�T. Seyffarth and K. Raschke
Compliance and IT), which is able to determine those interaction between BPC and
business process change.
The rest of the demo paper is structured as follows: Section 2 defines preliminaries
and provides a motivation example that can be solved by our prototype. Section 3 shows
the architecture and implementation of our prototype; and finally, Section 4 concludes
the paper.
2 Business Process Compliance and Business Process Change
There are various approaches used to check for or ensure BPC. One possible solution
to ensure BPC during the design time of the business process is the separate modeling
of so-called compliance processes and their integration into the business process. In this
context, a compliance process is defined as an independent process (part) consisting of
at least one compliance-related activity that ensures BPC [4].
In the literature, many business process change patterns are discussed. In the follow-
ing, we focus on the change patterns “replace element” and “delete element” (e.g. [5])
because they allow the determination of relationships between a changed element and
compliance requirement or a compliance process in a user-provided model. The replace
pattern replaces an existing element with a new one, while the delete pattern removes
an existing element. Business process change patterns can also be applied to views other
than a control flow perspective of a business process. In our case, they are applied to
the perspectives compliance and IT architecture. Further, we define an interaction be-
tween BPC and business process change, if due to a change, an element is either af-
fected by a compliance requirement or compliance process and a change affects a com-
pliance requirement or compliance process.
§ 238
German Replace ERP FI Delete ERP FI
Com.
Code Approve invoice
Logical access (CR)
Physical Internal Logical payment (CP)
access policy access § 238 German
Internal policy (CR)
Commercial Code (CR)
Inform purchase § 238 German
Hardware (IT)
requester about Commercial Code (CR)
received goods
Physical access (CR) Logical access (CR)
Create purchase
request § 238 German
Send Receive Approve Commercial Code (CR)
purchase goods and invoice payment Pay invoice
request invoice
Pay invoice (activity)
Internal policy (CR)
ERP MM ERP FI
§ 238 German
Commercial Code (CR)
Approve invoice payment
Hardware
(CP)
CP changed direct impact Obsolete
CR is prerequisite
for CR IT
is prerequisite
for activity IT
is prerequisite
for IT IT
is prerequisite
for element relation element element
place place CP helps to exclusive changed transitive impact BPC violated
CR demands to IT CR demands to activity satisfy CR start event, gateway element relation element because
end event
CP: compliance process | CR: compliance requirement | IT: IT component
Fig. 1. Motivation example: purchase-to-pay process (based on [3])
The left side of Figure 1 shows a simplified purchase-to-pay process including IT
components that support both business activities and the compliance process, which is
� BCIT: A Tool for Analyzing the Interactions between Business Process Compliance and
Business Process Change
based on our previous work [3]. Further, relevant compliance requirements (CR) of
business activities and IT components (IT) are modeled in the process model. The com-
pliance process (CP) “approve invoice payment” helps to satisfy the “internal policy”.
In the event of a compliance violation, the compliance process aborts the business pro-
cess instance. The right side of Figure 1 shows the interaction between BPC and busi-
ness process change. In the event of replacing the IT component “ERP FI”, both com-
pliance requirements “physical access” and “§ 238 German Commercial Code” must
be directly considered because “ERP FI” must consider all compliance requirements of
their prerequisite IT components. In addition, the “internal policy” must be considered
as well because there is a transitive relation between “ERP FI” and this compliance
requirement. “ERP FI” is necessary for the execution of the compliance process “ap-
prove invoice payment”, which is in turn necessary to satisfy the “internal policy”.
In the case of deleting the IT component “ERP FI” the compliance requirement
“internal policy” and its prerequisite “§ 238 German Commercial Code” are violated.
In this case, the compliance process “approve invoice payment” that helps to satisfy the
“internal policy” cannot be executed since “ERP FI” is a prerequisite to execute this
compliance process. Additionally, the “logical access” becomes obsolete.
3 Tool Architecture and Implementation
We developed the software prototype BCIT1, which is available as a cross-platform
desktop application, based on the software frameworks Node.js and Electron. Figure 2
describes the basic interaction between the components of BCIT to perform each user
step. When starting BCIT, the component app each create an object of process-view,
IT-architecture-view and compliance-view. According to [3], the user has to follow
three steps to analyze the interaction between BPC and business process change. First,
the necessary models business process, IT architecture and compliance requirements
have to be imported. Second, the appropriate elements of the imported models have to
be linked together, and third, the element that shall be changed has to be defined.
proc ess process-editor interaction-analyzer
model proc ess
process-importer process-view result
model
<> graph
IT- proc ess link mode l change
architec ture model/ model elements graph element
model link graph
IT-architecture- IT-architecture-view model app interaction-view
importer <> elements/ <> change <>
change element
element model link mode l
elements
compliance
model
compliance-importer compliance-view graph
<>
graph-creator
component provided interface requested interface
Fig. 2. BCIT architecture as a UML component diagram
1 Our prototype, the sourcecode, a screencast and further information can be found at:
http://informationsmanagement.wiwi.uni-halle.de/projekte/bcit/
�T. Seyffarth and K. Raschke
Import Models: Within the component process-importer, we use bpmn-js [6], a Ja-
vaScript library for parsing, visualizing and modifying BPMN process models to im-
port process models. This library is also used for the visualization of process models in
the component process-view. In addition, within the component IT-architecture-
importer, we built a parser that can read The Open Group's ArchiMate XML exchange
format to import IT architectures. The IT-architecture-view uses the graph library Cy-
toscape [7] to visualize the IT components and their interrelations. Finally, the compo-
nent compliance-importer can import compliance requirements that are provided either
as JSON files or as formal XML files by the German Federal Ministry of Justice.
Link Models: Next, the user must link the corresponding elements of the imported
models together. Here, the following relationships are possible: process flow element
and IT component, process flow element and compliance requirement, IT component
and compliance requirement, and compliance requirement and compliance require-
ment. Technically, within the component graph-creator the imported models are trans-
formed into a single graph 𝐺 = (𝑉, 𝐸, 𝐹, 𝐻, 𝐼) with its elements 𝑔𝑖 ∈ 𝐺. The graph is
modelled using the graph library Cytoscape [7]. In this graph, 𝑉 is a nonempty finite
set of vertices, 𝑒𝑙 ∈ 𝐸 is a directed edge between two vertices (𝑣𝑖 , 𝑣𝑗 ) and 𝑓𝑖 ∈ 𝐹 is the
unique identification (id) of the vertex 𝑣𝑖 . In addition, ℎ𝑖 ∈ 𝐻 is the model type of the
vertex 𝑣𝑖 with 𝐻 = {𝑃, 𝐼𝑇, 𝐶𝑅}, which corresponds to the imported model types process
(𝑃), IT architecture (𝐼𝑇) or compliance requirement (𝐶𝑅). Finally, 𝑖𝑙 ∈ 𝐼 contains the
individual properties of vertex 𝑣𝑖 . In case a process flow element is marked as a com-
pliance process, this information is available in 𝑖𝑙 ∈ 𝐼.
When linking two elements together, the graph-creator generates the corresponding
edges between the vertices of the linked elements. In the case of linking an IT compo-
nent or compliance requirement to the process, the process-editor (1) extends the re-
spective extension element of the process flow element by the id of the added vertex
and (2) adds a data storage symbol or rather a data symbol to the process flow element.
Then, the process-viewer visualize the updated process model again.
Define the Element to be Changed: For analyzing the interactions between BPC
and business process change, the user has to define the element to be changed. This
element can be a compliance requirement, IT component, or a process flow element
that includes a compliance process. The interaction-analyzer always performs the anal-
ysis when the interaction-view is opened. The analysis is based on the graph that was
generated and adjusted in the previous step. Figure 3 shows the algorithm used to ana-
lyze the interactions between BPC and business process change by replacing an IT
component.
Input: Graph g, element to be replaced v g where h=it architecture
1 // get all direct related compliance requirements and compliance processes to v
2 Foreach k in (get all predecessor of v where h=compliance requirement) do
3 mark k as direct AND add k including all vertices between k und v to result
4 // get all transitive related compliance processes and compliance requirements to v
5 Foreach it in (get all leafs of v where h=it architecture) do
6 Foreach activity in (get all direct successor of it where h=business process) do
7 Foreach cr in (get all direct predecessor of activity where h=compliance requirement) do
8 k = get all predecessor of cr
9 mark it, activity, cr and k as transitiv AND add to result
10 Foreach complianceprocess in (get all direct successor of it where h=compliance process) do
11 Foreach cr in (get all direct successor of complianceprocess where h=compliance requirement) do
12 k = get all predecessor of cr
13 mark it, complianceprocess, cr and k as transitiv AND add to result
14 generate result_graph based on g and result
Output: Graph result_graph
Fig. 3. Algorithm to analyze interactions by replacing an IT component (based on [3])
� BCIT: A Tool for Analyzing the Interactions between Business Process Compliance and
Business Process Change
4 Conclusion, Maturity and Future Work
In this paper we presented BCIT, a software prototype that is able to analyze the inter-
actions between BPC and business process change considering supporting IT compo-
nents and compliance requirements. The interaction between BPC and business process
change occurs in two cases. First, the changed element is affected by a compliance
requirement or a compliance process. Second, the changed element affects a compli-
ance requirement or a compliance process. More precisely, our software prototype con-
siders the business process change patterns “delete element” and “replace element”.
Currently, BCIT considers the user-provided links between elements of the three
model types’ compliance requirements, processes and IT architectures. Furthermore,
only vertices of our single graph can be changed. As a consequent next step, we are
planning to add the data and resource perspectives on a business process to our algo-
rithm. Additionally, we are planning to extend BCIT by a function to add or remove
edges between individual IT components or compliance requirements. As a result, it is
possible to detect demands by compliance requirements and thus avoid compliance vi-
olations due to changed relations between individual IT components or compliance re-
quirements.
References
1. Governatori, G., Sadiq, S.: The Journey to Business Process Compliance. Handbook of re-
search on business process modeling, 426–454 (2009)
2. Rinderle, S., Reichert, M., Dadam, P.: Correctness criteria for dynamic changes in workflow
systems––a survey. Data & Knowledge Engineering 50, 9–34 (2004)
3. Seyffarth, T., Kühnel, S., Sackmann, S.: Business Process Compliance and Business Process
Change. An Approach to Analyze the Interactions. Business Information Systems. BIS
2018. Lecture Notes in Business Information Processing, 176–189 (2018)
4. Seyffarth, T., Kühnel, S., Sackmann, S.: A Taxonomy of Compliance Processes for Business
Process Compliance. 15th International Conference on Business Process Management,
Business Process Management Forum. In: Lecture Notes in Business Information Pro-
cessing (LNBIP) (2017)
5. Rinderle-Ma, S., Reichert, M., Weber, B.: On the Formal Semantics of Change Patterns in
Process-aware Information Systems. Proc. 27th Int'l Conference on Conceptual Modeling
(ER'08) (2008)
6. Camunda: bpmn-js. BPMN 2.0 for the web, https://github.com/bpmn-io/bpmn-js
7. Franz, M., Lopes, C.T., Huck, G., Dong, Y., Sumer, O., Bader, G.D.: Cytoscape.js. A graph
theory library for visualisation and analysis. Bioinformatics (Oxford, England) 32, 309–311
(2016)
�