BCIT: A Tool to Recommend Compliant Business Processes based on Process Adaption Tobias Seyffarth and Kai Raschke Martin Luther University Halle-Wittenberg, 06108 Halle (Saale), Germany {tobias.seyffarth,kai.raschke}@wiwi.uni-halle.de Abstract. Business process compliance (BPC) denotes the execution of busi- ness processes in adherence to applicable compliance requirements. Compli- ance requirements can be satisfied by compliance processes that are integrated into the business process. There are numerous relations between compliance re- quirements, business processes, compliance processes, and supporting IT com- ponents. Thus, the change of one of those elements can lead to the non- executability of a compliance process and thus lead to a violation of BPC. To further ensure BPC, the business process has to be adapted by a compliance process that is still executable. Consequently, we extended our prototype BCIT (Business Process Compliance and IT) through a feature to recommend compli- ant business processes. The adaptation is based on previously modeled alterna- tive compliance processes that satisfy the same compliance requirement. Keywords: Adaptation, Business process compliance, Change, Compliance process, IT component. 1 Introduction Business process compliance (BPC) denotes the execution of business processes to applicable compliance requirements [1]. On top of that, information technology (IT) that supports business activities may also be affected by compliance requirements. Thus, a change of one of those elements can lead to a violation of BPC [2]. In dynam- ic markets, both the fast identification of a compliance violation and the adaptation of a business process to avoid these violations are important tasks. However, due to complex relations between compliance requirements, business processes, and IT components, the manual adaptation of business processes is a time-consuming task. There are numerous process modeling tools, such as ARIS Architect, Bizagi Stu- dio, Camunda Modeler, and Signavio Process Manager or flexible workflow man- agement systems, such as AristaFlow and KitCom. However, to the best of our knowledge, there is a lack of a tool that recommends compliant business processes despite changes to business processes and IT components. Thus, the goal is a software prototype that recommends compliant business pro- cesses in case of an identified compliance violation due to change. In order to reach Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). 2 this goal, we have added the feature of recommending compliant business processes when determining a compliance violation to our existing prototype BCIT [3]. In Section 2, we motivate the problem statement and briefly describe the method to recommend compliant business processes. In Section 3, we describe our tool before we discuss the maturity in Section 4. Finally, Section 5 concludes the contribution. 2 Business Process Compliance and Change 2.1 Identify Compliance Violations Figure 1 shows a simplified purchase-to-pay process in which some business activi- ties are supported by IT components, such as a material management (ERP MM) and a financial module (ERP FI) of an ERP system. Furthermore, both business activities and IT components are affected by compliance requirements. In this example, the compliance requirement “legal obligations to keep records” demands the accounting obligation for merchants in Germany. It is also related to the proper operation of IT that supports the accounting activities. The compliance requirements “physical ac- cess,” “logical access,” and “internal payments policy” are prerequisites for “legal obligations to keep records.” In order to ensure BPC, we integrate compliance pro- cesses into the business process, which are modeled and stored separately from the business process [4]. In the motivation scenario, the compliance process “check in- voice” satisfies the compliance requirement “internal payments policy,” and is there- fore integrated in the purchase to pay process. Legal Obligation to Keep Records Logical Internal Payments Physical Access Delivery Policy Access has arrived Send Check Invoice Create Execute Purchase Payment Order Payment Requisition ERP MM ERP FI Hardware place is prerequisite is prerequisite is prerequisite cp CR CR IT activity IT IT IT demands to for for for place place cp helps to CR IT CR activity CR demands to demands to satisfy start event, exclusive end event gateway CP: compliance process | CR: compliance requirement | IT: IT component Fig. 1. Motivation scenario [5] Removing either an IT component or compliance process may result in a compliance violation [5]. In this example, the removal of the IT component “ERP MM” means the compliance process can no longer be executed. Consequently, the compliance requirements “internal payments policy” and “legal obligations to keep records” are 3 violated, and the compliance requirement “logical access” becomes obsolete. In order to further ensure BPC, the business process must be adapted by a compliance process that also satisfies the violated compliance requirements and is still executable. 2.2 Recommend Compliant Business Processes The elaboration of proposals for business process adaptation to further ensure BPC is based on three main ideas [5]. First, compliance processes are modeled and stored separately from the business process and integrated into the business process at design time. Second, alternative compliance processes that meet the same requirements are modeled. Third, alternative compliance processes are differentiated by their character- istics, such as type of execution, which can be manual or automatic [4]. As shown in Figure 2, the compliance requirement “internal payments policy” is satisfied by the compliance process pattern “N-way-match.” The compliance process pattern is specialized by three different compliance process: “check invoice,” “manu- ally check invoice,” and “check payment order.” They differ by the trigger and the IT component that may be necessary for the execution of the compliance process. Each alternative compliance process can satisfy the compliance requirement, which results in three recommendations for compliant business processes. Internal Payments Policy Delivery has arrived XOR Send Check Invoice Create Purchase Payment Execute Requisition Order Payment N-Way-Match ERP MM ERP FI Trigger: Delivery Check Invoice has arrived Further Requirement: ERP MM Delivery has arrived Send Manually Create Check Invoice Payment Execute Trigger: Delivery Purchase Payment Manually Requisition Order Check Invoice has arrived Further Requirement: none ERP FI Check Trigger: Create Delivery Payment Order payment order has arrived Further Requirement: Send Create Check Purchase Payment Payment Order Execute ERP FI Payment Requisition Order ... ERP FI Each of the related compliance Generalization / Specialization Compliance Compliance relation between Compliance Properties of the process patterns or compliance Process Pattern Process XOR Process Patterns and Compliance Compliance Process processes can statisfy the IT component compliance requirement Processes Fig. 2. Alternative compliance processes and their integration into the business process [5] 3 Tool Description BCIT is a single-page application based on React.js and Node.js. A tutorial document, a video, and the tool are available at: https://github.com/tobiasseyffarth/bcit From a user perspective, BCIT offers the following four features: 4 Model compliance requirements, business process model, and IT components in one common model. The compliance requirements, business process model, and IT architecture model are imported as XML files, BPMN process models, and TOGAF architecture models. The interrelations between them must be modeled manually by the user. The resulting model is technically represented as a directed graph, as ex- plained in [2, 3]. Model alternative compliance processes. The user must model alternative compli- ance processes that satisfy the same compliance requirement, too. Alternative compli- ance processes specify a generic compliance process pattern and are differentiated by both their required IT components and predecessor business activity [4, 5]. Identify compliance violations. In order to identify compliance violations, the user can define every compliance requirement, IT component, or process activity as the element to be removed. Based on a graph search, BCIT automatically identifies vio- lated compliance requirements and presents the cause-effect relation [2, 3]. Recommend compliant business processes. In case of a compliance violation, BCIT queries automatically for alternative compliance processes, checks whether they can be executed, and, if possible, integrates them in the business process model [5]. Basi- cally, three different results are possible. First, there is exactly one alternative compli- ance process. Second, there is more than one alternative compliance process. In this case, BCIT recommends all resulting compliant business processes. Third, there is no alternative compliance process. In this case, BCIT replaces the violated compliance process by its related compliance process pattern. 4 Maturity We conducted several case studies in order to evaluate the perceived usefulness of BCIT. Each case study had the same structure. First, we presented a scenario to moti- vate the challenge of business process compliance and change that can be solved by BCIT. Second, we briefly presented the main ideas of our methods to recommend compliant business processes in order to solve the scenario. Third, we presented a solution to the challenge through BCIT. Lastly, we collected the opinions on the per- ceived usefulness of BCIT by means of a questionnaire. The questionnaire includes the statements of the technology acceptance model [6] on the perceived usefulness. The case study participants were domain experts in the field of compliance manage- ment, business process management, and IT architecture management. Finally, we got an overall 24 responses. The questionnaire and the responses are available at: https://github.com/tobiasseyffarth/bcit/tree/master/resources/3-evaluation. Overall, BCIT was evaluated to be useful and helpful. The participants liked the feature for the fast identification of cause-effect relations and getting recommenda- tions for compliant business processes. The latter point was also considered as a com- petitive advantage. Nevertheless, some participants expressed their concern that the effort of modeling of both business/compliance process and IT architecture may ex- ceed the benefit. 5 5 Conclusion and Future Work In this paper, we presented BCIT, a tool to recommend compliant business processes based on process adaption. The recommendations for compliant business processes are based on alternative compliance processes that are modeled and stored separately from the business process. In a next step, we plan to add the data and resource perspective on a business pro- cess to our algorithm. Further, we plan to integrate unsupervised machine learning techniques, such as frequent pattern analysis (e.g., an FP-Growth algorithm), into BCIT to propose possible alternative compliance processes without explicit prior modeling. References 1. Governatori, G., Sadiq, S.: The Journey to Business Process Compliance. Handbook of re- search on business process modeling, 426–454 (2009) 2. Seyffarth, T., Kühnel, S., Sackmann, S.: Business Process Compliance and Business Pro- cess Change. An Approach to Analyze the Interactions. Business Information Systems. BIS 2018. Lecture Notes in Business Information Processing, 176–189 (2018) 3. Seyffarth, T., Raschke, K.: BCIT. A Tool for Analyzing the Interactions between Business Process Compliance and Business Process Change. Proceedings of the Dissertation Award and Demonstration, Industrial Track at BPM 2018, 81–85 (2018) 4. Seyffarth, T., Kühnel, S., Sackmann, S.: A Taxonomy of Compliance Processes for Busi- ness Process Compliance. 15th International Conference on Business Process Manage- ment, Business Process Management Forum. In: Lecture Notes in Business Information Processing (LNBIP), 71–87 (2017) 5. Seyffarth, T., Kühnel, S., Sackmann, S.: Business Process Compliance despite Change. Towards Proposals for a Business Process Adaption. Information Systems Engineering in Responsible Information Systems. CAiSE 2019. Lecture Notes in Business Information Processing, vol 350., 227–239 (2019) 6. Davis, F.D.: Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Infor- mation Technology. MIS Quarterly 13, 319 (1989)