Business process compliance (BPC) denotes the execution of business processes in adherence to applicable compliance requirements. Compliance requirements can be satisfied by compliance processes that are integrated into the business process. There are numerous relations between compliance requirements, business processes, compliance processes, and supporting IT components. Thus, the change of one of those elements can lead to the nonexecutability of a compliance process and thus lead to a violation of BPC. To further ensure BPC, the business process has to be adapted by a compliance process that is still executable. Consequently, we extended our prototype BCIT (Business Process Compliance and IT) through a feature to recommend compliant business processes. The adaptation is based on previously modeled alternative compliance processes that satisfy the same compliance requirement.
Business process compliance (BPC) denotes the execution of business processes to applicable compliance requirements [1]. On top of that, information technology (IT) that supports business activities may also be affected by compliance requirements. Thus, a change of one of those elements can lead to a violation of BPC [2]. In dynamic markets, both the fast identification of a compliance violation and the adaptation of a business process to avoid these violations are important tasks. However, due to complex relations between compliance requirements, business processes, and IT components, the manual adaptation of business processes is a time-consuming task.
There are numerous process modeling tools, such as ARIS Architect, Bizagi Studio, Camunda Modeler, and Signavio Process Manager or flexible workflow management systems, such as AristaFlow and KitCom. However, to the best of our knowledge, there is a lack of a tool that recommends compliant business processes despite changes to business processes and IT components.
Thus, the goal is a software prototype that recommends compliant business processes in case of an identified compliance violation due to change. In order to reach this goal, we have added the feature of recommending compliant business processes when determining a compliance violation to our existing prototype BCIT [3].
In Section 2, we motivate the problem statement and briefly describe the method to recommend compliant business processes. In Section 3, we describe our tool before we discuss the maturity in Section 4. Finally, Section 5 concludes the contribution.
Business Process Compliance and Change
Figure 1 shows a simplified purchase-to-pay process in which some business activities are supported by IT components, such as a material management (ERP MM) and a financial module (ERP FI) of an ERP system. Furthermore, both business activities and IT components are affected by compliance requirements. In this example, the compliance requirement "legal obligations to keep records" demands the accounting obligation for merchants in Germany. It is also related to the proper operation of IT that supports the accounting activities. The compliance requirements "physical access," "logical access," and "internal payments policy" are prerequisites for "legal obligations to keep records." In order to ensure BPC, we integrate compliance processes into the business process, which are modeled and stored separately from the business process [4]. In the motivation scenario, the compliance process "check invoice" satisfies the compliance requirement "internal payments policy," and is therefore integrated in the purchase to pay process.
Removing either an IT component or compliance process may result in a compliance violation [5]. In this example, the removal of the IT component "ERP MM" means the compliance process can no longer be executed. Consequently, the compliance requirements "internal payments policy" and "legal obligations to keep records" are violated, and the compliance requirement "logical access" becomes obsolete. In order to further ensure BPC, the business process must be adapted by a compliance process that also satisfies the violated compliance requirements and is still executable.
The elaboration of proposals for business process adaptation to further ensure BPC is based on three main ideas [5]. First, compliance processes are modeled and stored separately from the business process and integrated into the business process at design time. Second, alternative compliance processes that meet the same requirements are modeled. Third, alternative compliance processes are differentiated by their characteristics, such as type of execution, which can be manual or automatic [4].
As shown in Figure 2, the compliance requirement "internal payments policy" is satisfied by the compliance process pattern "N-way-match." The compliance process pattern is specialized by three different compliance process: "check invoice," "manually check invoice," and "check payment order." They differ by the trigger and the IT component that may be necessary for the execution of the compliance process. Each alternative compliance process can satisfy the compliance requirement, which results in three recommendations for compliant business processes.
BCIT is a single-page application based on React.js and Node.js. A tutorial document, a video, and the tool are available at: https://github.com/tobiasseyffarth/bcit From a user perspective, BCIT offers the following four features:
Model compliance requirements, business process model, and IT components in one common model. The compliance requirements, business process model, and IT architecture model are imported as XML files, BPMN process models, and TOGAF architecture models. The interrelations between them must be modeled manually by the user. The resulting model is technically represented as a directed graph, as explained in [2,3].
Model alternative compliance processes. The user must model alternative compliance processes that satisfy the same compliance requirement, too. Alternative compliance processes specify a generic compliance process pattern and are differentiated by both their required IT components and predecessor business activity [4,5].
Identify compliance violations. In order to identify compliance violations, the user can define every compliance requirement, IT component, or process activity as the element to be removed. Based on a graph search, BCIT automatically identifies violated compliance requirements and presents the cause-effect relation [2,3].
Recommend compliant business processes. In case of a compliance violation, BCIT queries automatically for alternative compliance processes, checks whether they can be executed, and, if possible, integrates them in the business process model [5]. Basically, three different results are possible. First, there is exactly one alternative compliance process. Second, there is more than one alternative compliance process. In this case, BCIT recommends all resulting compliant business processes. Third, there is no alternative compliance process. In this case, BCIT replaces the violated compliance process by its related compliance process pattern.
We conducted several case studies in order to evaluate the perceived usefulness of BCIT. Each case study had the same structure. First, we presented a scenario to motivate the challenge of business process compliance and change that can be solved by BCIT. Second, we briefly presented the main ideas of our methods to recommend compliant business processes in order to solve the scenario. Third, we presented a solution to the challenge through BCIT. Lastly, we collected the opinions on the perceived usefulness of BCIT by means of a questionnaire. The questionnaire includes the statements of the technology acceptance model [6] on the perceived usefulness. The case study participants were domain experts in the field of compliance management, business process management, and IT architecture management. Finally, we got an overall 24 responses. The questionnaire and the responses are available at: https://github.com/tobiasseyffarth/bcit/tree/master/resources/3-evaluation.
Overall, BCIT was evaluated to be useful and helpful. The participants liked the feature for the fast identification of cause-effect relations and getting recommendations for compliant business processes. The latter point was also considered as a competitive advantage. Nevertheless, some participants expressed their concern that the effort of modeling of both business/compliance process and IT architecture may exceed the benefit.
In this paper, we presented BCIT, a tool to recommend compliant business processes based on process adaption. The recommendations for compliant business processes are based on alternative compliance processes that are modeled and stored separately from the business process.
In a next step, we plan to add the data and resource perspective on a business process to our algorithm. Further, we plan to integrate unsupervised machine learning techniques, such as frequent pattern analysis (e.g., an FP-Growth algorithm), into BCIT to propose possible alternative compliance processes without explicit prior modeling.