BCIT: A Tool for Analyzing the Interactions between Business Process Compliance and Business Process Change

Tobias Seyffarth and Kai Raschke

Martin Luther University Halle-Wittenberg, 06108 Halle (Saale), Germany
{tobias.seyffarth,kai.raschke}@wiwi.uni-halle.de

Abstract. Business processes as well as their supporting information technology (IT) can be affected by compliance requirements. When the business process, an IT component or a compliance requirement is changed, the interactions between business process compliance (BPC) and business process change must be determined to ensure BPC. However, there is a lack of tool support that can analyze the interactions between BPC and business process change considering compliance requirements and supporting IT components. Therefore, we developed the prototype BCIT (Business Process Compliance and IT), which can analyze these interactions considering the change patterns “delete element” and “replace element”.

Keywords: business process compliance, business process change, compliance process, information technology, software prototype

1 Introduction

Business process compliance (BPC) denotes the execution of business processes in adherence to applicable compliance requirements [1]. Not only business processes but also information technology (IT) components that can support certain business activities can be affected by so-called compliance requirements. In dynamic markets, the rapid detection of compliance violations and the adherence of changed business processes and supporting IT components to the demands of compliance requirements are necessary [2]. Thus, in the case of a business process change, which includes the change of a business activity, IT component, or compliance requirement, the effects on business process compliance must be automatically determined [3].
Although there are numerous process modeling tools, such as ARIS Architect, Bizagi Studio, Camunda Modeler and Signavio Process Manager, to the best of our knowledge, there is a lack of a tool that automatically determines the interaction between BPC and business process change considering compliance requirements and supporting IT components. Therefore, the goal of our paper is to present the software prototype BCIT (Business Process Compliance and IT), which is able to determine these interactions between BPC and business process change.

The rest of the demo paper is structured as follows: Section 2 defines preliminaries and provides a motivation example that can be solved by our prototype. Section 3 shows the architecture and implementation of our prototype; and finally, Section 4 concludes the paper.

F. Casati et al. (Eds.): Proceedings of the Dissertation Award and Demonstration, Industrial Track at BPM 2018, CEUR-WS.org, 2018. Copyright © 2018 for the individual papers by its authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors.

2 Business Process Compliance and Business Process Change

There are various approaches used to check for or ensure BPC. One possible solution to ensure BPC during the design time of the business process is the separate modeling of so-called compliance processes and their integration into the business process. In this context, a compliance process is defined as an independent process (part) consisting of at least one compliance-related activity that ensures BPC [4].

In the literature, many business process change patterns are discussed. In the following, we focus on the change patterns “replace element” and “delete element” (e.g. [5]) because they allow the determination of relationships between a changed element and a compliance requirement or a compliance process in a user-provided model.
The replace pattern replaces an existing element with a new one, while the delete pattern removes an existing element. Business process change patterns can also be applied to views other than the control flow perspective of a business process. In our case, they are applied to the perspectives compliance and IT architecture. Further, we define an interaction between BPC and business process change if, due to a change, an element is either affected by a compliance requirement or compliance process, or the change affects a compliance requirement or compliance process.

[Figure 1: purchase-to-pay process model (left) and the interactions for the panels “Replace ERP FI” and “Delete ERP FI” (right). Relation types in the legend: CR is prerequisite for CR, IT is prerequisite for activity, IT is prerequisite for IT, CP helps to satisfy CR, CR demands to IT, CR demands to activity. Markers in the legend: changed element, direct impact, transitive impact, obsolete, BPC violated. CP: compliance process | CR: compliance requirement | IT: IT component]

Fig. 1. Motivation example: purchase-to-pay process (based on [3])

The left side of Figure 1 shows a simplified purchase-to-pay process including IT components that support both business activities and the compliance process, which is based on our previous work [3].
Further, relevant compliance requirements (CR) of business activities and IT components (IT) are modeled in the process model. The compliance process (CP) “approve invoice payment” helps to satisfy the “internal policy”. In the event of a compliance violation, the compliance process aborts the business process instance.

The right side of Figure 1 shows the interaction between BPC and business process change. In the event of replacing the IT component “ERP FI”, both compliance requirements “physical access” and “§ 238 German Commercial Code” must be directly considered because “ERP FI” must consider all compliance requirements of its prerequisite IT components. In addition, the “internal policy” must be considered as well because there is a transitive relation between “ERP FI” and this compliance requirement: “ERP FI” is necessary for the execution of the compliance process “approve invoice payment”, which is in turn necessary to satisfy the “internal policy”.

In the case of deleting the IT component “ERP FI”, the compliance requirement “internal policy” and its prerequisite “§ 238 German Commercial Code” are violated. In this case, the compliance process “approve invoice payment” that helps to satisfy the “internal policy” cannot be executed since “ERP FI” is a prerequisite to execute this compliance process. Additionally, the “logical access” becomes obsolete.

3 Tool Architecture and Implementation

We developed the software prototype BCIT¹, which is available as a cross-platform desktop application, based on the software frameworks Node.js and Electron. Figure 2 describes the basic interaction between the components of BCIT to perform each user step. When starting BCIT, the component app creates one object each of process-view, IT-architecture-view and compliance-view. According to [3], the user has to follow three steps to analyze the interaction between BPC and business process change.
First, the necessary models (business process, IT architecture and compliance requirements) have to be imported. Second, the appropriate elements of the imported models have to be linked together, and third, the element that shall be changed has to be defined.

[Figure 2: UML component diagram with the components app, process-importer, process-view, process-editor, IT-architecture-importer, IT-architecture-view, compliance-importer, compliance-view, graph-creator, interaction-analyzer and interaction-view, connected through provided and requested interfaces.]

Fig. 2. BCIT architecture as a UML component diagram

¹ Our prototype, the source code, a screencast and further information can be found at: http://informationsmanagement.wiwi.uni-halle.de/projekte/bcit/

Import Models: Within the component process-importer, we use bpmn-js [6], a JavaScript library for parsing, visualizing and modifying BPMN process models, to import process models. This library is also used for the visualization of process models in the component process-view. In addition, within the component IT-architecture-importer, we built a parser that can read The Open Group's ArchiMate XML exchange format to import IT architectures. The IT-architecture-view uses the graph library Cytoscape [7] to visualize the IT components and their interrelations. Finally, the component compliance-importer can import compliance requirements that are provided either as JSON files or as formal XML files by the German Federal Ministry of Justice.

Link Models: Next, the user must link the corresponding elements of the imported models together.
Here, the following relationships are possible: process flow element and IT component, process flow element and compliance requirement, IT component and compliance requirement, and compliance requirement and compliance requirement. Technically, within the component graph-creator the imported models are transformed into a single graph $G = (V, E, F, H, I)$ with its elements $g_i \in G$. The graph is modelled using the graph library Cytoscape [7]. In this graph, $V$ is a nonempty finite set of vertices, $e_l \in E$ is a directed edge between two vertices $(v_i, v_j)$ and $f_i \in F$ is the unique identification (id) of the vertex $v_i$. In addition, $h_i \in H$ is the model type of the vertex $v_i$ with $H = \{P, IT, CR\}$, which corresponds to the imported model types process ($P$), IT architecture ($IT$) or compliance requirement ($CR$). Finally, $i_l \in I$ contains the individual properties of vertex $v_i$. In case a process flow element is marked as a compliance process, this information is available in $i_l \in I$.

When linking two elements together, the graph-creator generates the corresponding edges between the vertices of the linked elements. In the case of linking an IT component or compliance requirement to the process, the process-editor (1) extends the respective extension element of the process flow element by the id of the added vertex and (2) adds a data storage symbol or a data symbol, respectively, to the process flow element. Then, the process-viewer visualizes the updated process model again.

Define the Element to be Changed: For analyzing the interactions between BPC and business process change, the user has to define the element to be changed. This element can be a compliance requirement, IT component, or a process flow element that includes a compliance process. The interaction-analyzer always performs the analysis when the interaction-view is opened. The analysis is based on the graph that was generated and adjusted in the previous step.
Figure 3 shows the algorithm used to analyze the interactions between BPC and business process change by replacing an IT component.

Input: Graph g, element to be replaced v ∈ g where h=it architecture

    // get all direct related compliance requirements and compliance processes to v
    Foreach k in (get all predecessor of v where h=compliance requirement) do
        mark k as direct AND add k including all vertices between k and v to result
    // get all transitive related compliance processes and compliance requirements to v
    Foreach it in (get all leafs of v where h=it architecture) do
        Foreach activity in (get all direct successor of it where h=business process) do
            Foreach cr in (get all direct predecessor of activity where h=compliance requirement) do
                k = get all predecessor of cr
                mark it, activity, cr and k as transitive AND add to result
        Foreach complianceprocess in (get all direct successor of it where h=compliance process) do
            Foreach cr in (get all direct successor of complianceprocess where h=compliance requirement) do
                k = get all predecessor of cr
                mark it, complianceprocess, cr and k as transitive AND add to result
    generate result_graph based on g and result

Output: Graph result_graph

Fig. 3. Algorithm to analyze interactions by replacing an IT component (based on [3])

4 Conclusion, Maturity and Future Work

In this paper we presented BCIT, a software prototype that is able to analyze the interactions between BPC and business process change considering supporting IT components and compliance requirements. The interaction between BPC and business process change occurs in two cases. First, the changed element is affected by a compliance requirement or a compliance process. Second, the changed element affects a compliance requirement or a compliance process.
More precisely, our software prototype considers the business process change patterns “delete element” and “replace element”.

Currently, BCIT considers the user-provided links between elements of the three model types compliance requirements, processes and IT architectures. Furthermore, only vertices of our single graph can be changed. As a logical next step, we are planning to add the data and resource perspectives on a business process to our algorithm. Additionally, we are planning to extend BCIT by a function to add or remove edges between individual IT components or compliance requirements. As a result, it will be possible to detect demands by compliance requirements and thus avoid compliance violations due to changed relations between individual IT components or compliance requirements.

References

1. Governatori, G., Sadiq, S.: The Journey to Business Process Compliance. Handbook of research on business process modeling, 426–454 (2009)
2. Rinderle, S., Reichert, M., Dadam, P.: Correctness criteria for dynamic changes in workflow systems – a survey. Data & Knowledge Engineering 50, 9–34 (2004)
3. Seyffarth, T., Kühnel, S., Sackmann, S.: Business Process Compliance and Business Process Change. An Approach to Analyze the Interactions. Business Information Systems. BIS 2018. Lecture Notes in Business Information Processing, 176–189 (2018)
4. Seyffarth, T., Kühnel, S., Sackmann, S.: A Taxonomy of Compliance Processes for Business Process Compliance. 15th International Conference on Business Process Management, Business Process Management Forum. In: Lecture Notes in Business Information Processing (LNBIP) (2017)
5. Rinderle-Ma, S., Reichert, M., Weber, B.: On the Formal Semantics of Change Patterns in Process-aware Information Systems. Proc. 27th Int'l Conference on Conceptual Modeling (ER'08) (2008)
6. Camunda: bpmn-js. BPMN 2.0 for the web, https://github.com/bpmn-io/bpmn-js
7. Franz, M., Lopes, C.T., Huck, G., Dong, Y., Sumer, O., Bader, G.D.: Cytoscape.js. A graph theory library for visualisation and analysis. Bioinformatics (Oxford, England) 32, 309–311 (2016)
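
The replace analysis of Fig. 3, implemented here as an added example in plain JavaScript; it is not taken from the paper or from the BCIT source code. The vertex ids, the edge set (constructed from the purchase-to-pay prose, not transcribed from Fig. 1), the reading of “leafs of v”, and the rule that a direct mark is not overwritten by a transitive one are assumptions.

```javascript
// Added example. Vertices carry the model type h (P, IT, CR); cp flags a compliance process.
const vertices = {
  phys: { h: 'CR' }, hgb: { h: 'CR' }, policy: { h: 'CR' }, // physical access, § 238, internal policy
  hw: { h: 'IT' }, erpfi: { h: 'IT' },                      // Hardware, ERP FI
  pay: { h: 'P' }, approve: { h: 'P', cp: true },           // pay invoice, approve invoice payment
};
// Constructed edges [source, target]; assumed direction: prerequisite or demand -> dependent element.
const edges = [
  ['phys', 'hw'], ['hw', 'erpfi'], ['hgb', 'erpfi'], ['hgb', 'pay'], ['hgb', 'policy'],
  ['erpfi', 'pay'], ['erpfi', 'approve'], ['approve', 'policy'],
];
const succ = (id) => edges.filter(([s]) => s === id).map(([, t]) => t);
const pred = (id) => edges.filter(([, t]) => t === id).map(([s]) => s);
const isType = (h) => (id) => vertices[id].h === h;

// All vertices reachable from id by repeatedly applying step (start vertex excluded).
function closure(id, step, seen = new Set()) {
  for (const n of step(id)) {
    if (!seen.has(n)) { seen.add(n); closure(n, step, seen); }
  }
  return seen;
}

// Assumed reading of "leafs of v": IT components reachable from v (v included) without IT successor.
function itLeaves(v) {
  return [v, ...closure(v, succ)].filter(isType('IT')).filter((id) => !succ(id).some(isType('IT')));
}

// Returns Map(vertex id -> 'direct' | 'transitive') for replacing the IT component v.
function analyzeReplace(v) {
  const result = new Map();
  // Assumption: the changed element itself is not listed, and an earlier 'direct' mark is kept.
  const mark = (id, kind) => { if (id !== v && !result.has(id)) result.set(id, kind); };
  const upstream = closure(v, pred);
  // Fig. 3, first loop: requirements upstream of v plus the vertices between each of them and v.
  for (const k of [...upstream].filter(isType('CR'))) {
    mark(k, 'direct');
    for (const mid of closure(k, succ)) if (upstream.has(mid)) mark(mid, 'direct');
  }
  // Fig. 3, nested loops: requirements reached through supported activities and compliance processes.
  for (const it of itLeaves(v)) {
    for (const p of succ(it).filter(isType('P'))) {
      const step = vertices[p].cp ? succ : pred; // CP -> CR it helps satisfy; CR -> activity it demands
      for (const cr of step(p).filter(isType('CR'))) {
        for (const id of [it, p, cr, ...closure(cr, pred)]) mark(id, 'transitive');
      }
    }
  }
  return result;
}
```

On this graph, `analyzeReplace('erpfi')` marks “physical access” and “§ 238” as direct and “internal policy” as transitive, matching the prose description of replacing “ERP FI”; `analyzeReplace('hw')` exercises the leaf lookup, because “Hardware” reaches activities only through “ERP FI”.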