Business process compliance (compliance for short) management is the continuous process of monitoring and assessing organizational systems and processes to ensure that there is adherence to relevant laws, regulations, internal policies, guidelines and specifications, e.g., U.S. ' SOX legislation, Germany's DCGK, Australia's CLERP 9, and EU's GDPR. Based on them, a set of compliance controls that must be observed by the organization can be defined. Each compliance control can be further decomposed into a set of compliance rules. These rules are specific checks that must be carried out to evaluate whether the control is being fulfilled and may refer to different process aspects, such as the execution order of activities, the data accessed and produced, or the people that participate in the process.
Processes must be designed and executed according to the governing rules. Hence, compliance is inherently relevant to Business Process Management (BPM). Compliance management includes various tasks, from rule definition to compliance checking and reporting, which span the BPM lifecycle [1]. Several approaches and frameworks have been developed to address compliance issues, such as techniques for compliance verification, with limited scopes [2], or integrated solutions [3] that address a larger number of acknowledged Compliance Monitoring Functionalities (CMFs) [4]. However, they tend to focus on design-time or run-time compliance checking, and they usually use event logs as the only data source for compliance checking.
This paper presents STATUS, a Business Process Compliance Management System (BPCMS) that supports compliance management in several phases of the BPM lifecycle. For rule specification and checking, it relies on the mashup-based compliance management framework presented in [5], a low-code solution that brings several advantages: (i) an open-ended set of types rules can be specified by designing and connecting mashup components; (ii) the definitions of the rules can be reused as needed; and (iii) the mashup-based compliance checking system can retrieve data from different information systems of the organization, enabling the verification of actual facts on actions performed during process execution (e.g., the existence of a specific document in a concrete location). Furthermore, compliance mashups can be used for design-time and run-time compliance checking. Interactive compliance dashboards [6] are automatically created for results reporting and can be customized by the user. With STATUS, the BPM community will benefit from a BPCMS closer to what organizations usually demand. Moreover, the ability to extend the functionality of the system with custom-made mashup components makes STATUS a good platform in which results from the community can be integrated.
STATUS is accessible through a comprehensive web application, which enables users to define and organize compliance catalogs and controls, construct and configure mashups for rule specification, and display compliance outcomes through interactive dashboards.
Catalog and Control Editor. This is a foundational component of STATUS as it enables users to define and manage catalogs of compliance controls systematically. Each control within a catalog is configured to check specific compliance rules, facilitating organized and comprehensive compliance management.
To create a catalog and its associated controls, users interact with a form-based User Interface (UI). This UI simplifies the process of defining controls by allowing users to specify its parameters and to link the control to a compliance mashup, which implements the rules that the control should monitor. When a user selects a mashup using the "Check" field of the UI, the system displays the required input parameters for that mashup, ensuring that the necessary data is available for accurate compliance evaluation. The integration of mashups with controls not only enhances the flexibility and specificity of compliance checks but also supports the modular and reusable nature of control definitions. This approach ensures that compliance controls and rules can be easily updated and adapted to meet evolving regulatory requirements. Figure 1 shows a new catalog called "Documents" that applies from January 1 to July 13, 2024. It includes a control to check if document "Invoice123" exists. The check is performed monthly from May to July 13, using the "existsDocument" compliance mashup, which receives the document's name. The document location is defined within the mashup itself but it could also be parameterized. Compliance Mashup Editor. This component allows users to create visual data-driven workflows (i.e., dataflows) to extract and manipulate data for compliance rule checking. Pipes are the elements in charge of extracting and operating on data. Most of them have inputs and outputs that represent the streams of data going in and out of the pipe, respectively. These pipes operate on the input data to produce output data (e.g., check the execution of an activity in the traces of an event log). The pipes without an input flow retrieve data from a data source, such as a process event log, a repository (e.g., Github), a document management system (e.g., OneDrive) or a project management system (e.g., Trello). The pipe without an output flow returns the outcome of the compliance mashup, i.e., the result of rule checking.
Node-RED's visual programming approach has been used to implement compliance mashups. To further simplify the creation of compliance mashups, STATUS includes custom Node-RED pipes specifically designed for compliance rule modeling. Moreover, the system can be easily extended with additional custom-made pipes to integrate it with ad-hoc information systems or to include additional functionalities like new process mining techniques. Figure 2 depicts a compliance mashup that checks that for those purchase items that do not require a reception confirmation message, the cost shown on the invoice is the same as that recorded when the item was created. The brown-colored pipes are part of our collection of custom components. The other pipes come pre-installed with the tool and are part of its standard set of functionalities 1 .
Compliance Dashboard Monitor. The dashboards in STATUS provide a comprehensive view of the results of the compliance mashups. A compliance dashboard aggregates data from various compliance checks and presents it in a series of customizable charts and graphs. This visual representation makes it easy for users to monitor the overall compliance status, identify rule violations, and track trends over time. The dashboards' interactive features allow users to drill down into specific controls and mashups, gaining deeper insights into the compliance performance of individual processes. Governify [7] 2 serves as the infrastructure that processes the responses of mashups according to each created catalog, facilitating the creation of interactive dashboards. The results of a rule checking shown in Figure 3 determine that the rule is met, on average, in 44.3% of the projects. The bar chart informs about the percentage of projects compliant with the rule over time.
The STATUS software, a video that screencasts the system and further information are available at https://github.com/statuscompliance.
STATUS is a general-purpose solution that can be adapted to specific scenarios by adding pipes to the compliance mashups to connect to new data sources and perform other operations on data. A preliminary implementation of the system has already been successfully used to address compliance checking at both design time and run time for the IT department of a multinational company from the energy supply domain as part of an R&D project [5]. The project covered more than 20 processes and 122 controls that had been obtained after analyzing the implication of three well-known regulations (SOX, SCIIF and L262) plus additional controls that responded to internal business policies. To implement them, a total of 11 mashups based on five data sources and 18 domain-specific pipes were defined. The data sources included process models from an enterprise modeling tool for design-time rules, project and process documents from a Document Management System (DMS), data about projects status from a project management tool, and data about incidents and claims from a helpdesk system. This case study showed the feasibility and usefulness of STATUS for compliance checking in organizations.
In terms of functionalities, at this moment, STATUS supports CMFs 1-7 and CMF 10. Currently, there is no support for pro-active compliance checking (CMF 8) and partial support for root-cause analysis (CMF 9). We are working towards the development and integration of functionalities for predictive compliance monitoring [8] and advanced root-cause analysis for a full coverage of the CMFs. Furthermore, we plan to create a marketplace that allows developers to upload custom-made mashup pipes that provide additional functionality to the system.
Grants PDC2022-133521-I00 (STATUS) and TED2021-131023B-C22 (ORCHID) funded by MCIN/AEI/10.13039/501100011033/ and by the European Union NextGenerationEU/PRTR; and grants PID2021-126227NB-C21 (PERSEO), PID2021-126227NB-C22 and PID2022-140221NB-I00 (TAPIOCA) funded by MCIN/AEI/10.13039/501100011033/ and by ERDF/EU.