Business process compliance (BPC) denotes the execution of business processes in adherence to applicable compliance requirements. Compliance requirements can be satisfied by compliance processes that are integrated into the business process. There are numerous relations between compliance requirements, business processes, compliance processes, and supporting IT components. Thus, the change of one of those elements can lead to the nonexecutability of a compliance process and thus lead to a violation of BPC. To further ensure BPC, the business process has to be adapted by a compliance process that is still executable. Consequently, we extended our prototype BCIT (Business Process Compliance and IT) through a feature to recommend compliant business processes. The adaptation is based on previously modeled alternative compliance processes that satisfy the same compliance requirement.
Business process compliance (BPC) denotes the execution of business processes to
applicable compliance requirements [
There are numerous process modeling tools, such as ARIS Architect, Bizagi Studio, Camunda Modeler, and Signavio Process Manager or flexible workflow management systems, such as AristaFlow and KitCom. However, to the best of our knowledge, there is a lack of a tool that recommends compliant business processes despite changes to business processes and IT components.
Thus, the goal is a software prototype that recommends compliant business
processes in case of an identified compliance violation due to change. In order to reach
this goal, we have added the feature of recommending compliant business processes
when determining a compliance violation to our existing prototype BCIT [
In Section 2, we motivate the problem statement and briefly describe the method to recommend compliant business processes. In Section 3, we describe our tool before we discuss the maturity in Section 4. Finally, Section 5 concludes the contribution.
Removing either an IT component or compliance process may result in a compliance
violation [
The elaboration of proposals for business process adaptation to further ensure BPC is
based on three main ideas [
As shown in Figure 2, the compliance requirement “internal payments policy” is satisfied by the compliance process pattern “N-way-match.” The compliance process pattern is specialized by three different compliance process: “check invoice,” “manually check invoice,” and “check payment order.” They differ by the trigger and the IT component that may be necessary for the execution of the compliance process. Each alternative compliance process can satisfy the compliance requirement, which results in three recommendations for compliant business processes.
Internal Payments Policy XOR
N-Way-Match
Check Invoice Manually Check Invoice PaymCehnetcOkrder ...
Trigger: Delivery has arrived Further Requirement: ERP MM Trigger: Delivery has arrived Further Requirement: none Trigger: Create payment order Further Requirement: ERP FI
Send Purchase Requisition
Send Purchase Requisition
Send Purchase Requisition BCIT is a single-page application based on React.js and Node.js. A tutorial document, a video, and the tool are available at: https://github.com/tobiasseyffarth/bcit From a user perspective, BCIT offers the following four features:
Model compliance requirements, business process model, and IT components in
one common model. The compliance requirements, business process model, and IT
architecture model are imported as XML files, BPMN process models, and TOGAF
architecture models. The interrelations between them must be modeled manually by
the user. The resulting model is technically represented as a directed graph, as
explained in [
Model alternative compliance processes. The user must model alternative
compliance processes that satisfy the same compliance requirement, too. Alternative
compliance processes specify a generic compliance process pattern and are differentiated by
both their required IT components and predecessor business activity [
Identify compliance violations. In order to identify compliance violations, the user
can define every compliance requirement, IT component, or process activity as the
element to be removed. Based on a graph search, BCIT automatically identifies
violated compliance requirements and presents the cause-effect relation [
Recommend compliant business processes. In case of a compliance violation, BCIT
queries automatically for alternative compliance processes, checks whether they can
be executed, and, if possible, integrates them in the business process model [
We conducted several case studies in order to evaluate the perceived usefulness of
BCIT. Each case study had the same structure. First, we presented a scenario to
motivate the challenge of business process compliance and change that can be solved by
BCIT. Second, we briefly presented the main ideas of our methods to recommend
compliant business processes in order to solve the scenario. Third, we presented a
solution to the challenge through BCIT. Lastly, we collected the opinions on the
perceived usefulness of BCIT by means of a questionnaire. The questionnaire includes
the statements of the technology acceptance model [
Overall, BCIT was evaluated to be useful and helpful. The participants liked the feature for the fast identification of cause-effect relations and getting recommendations for compliant business processes. The latter point was also considered as a competitive advantage. Nevertheless, some participants expressed their concern that the effort of modeling of both business/compliance process and IT architecture may exceed the benefit.
In this paper, we presented BCIT, a tool to recommend compliant business processes based on process adaption. The recommendations for compliant business processes are based on alternative compliance processes that are modeled and stored separately from the business process.
In a next step, we plan to add the data and resource perspective on a business process to our algorithm. Further, we plan to integrate unsupervised machine learning techniques, such as frequent pattern analysis (e.g., an FP-Growth algorithm), into BCIT to propose possible alternative compliance processes without explicit prior modeling.