=Paper= {{Paper |id=Vol-3758/paper-26 |storemode=property |title=STATUS: A Low-Code Business Process Compliance Management System |pdfUrl=https://ceur-ws.org/Vol-3758/paper-26.pdf |volume=Vol-3758 |authors=Álvaro Bernal,Francisco Montero,Cristina Cabanillas,Pablo Fernández,Manuel Resinas |dblpUrl=https://dblp.org/rec/conf/bpm/BernalMC0R24 }} ==STATUS: A Low-Code Business Process Compliance Management System== https://ceur-ws.org/Vol-3758/paper-26.pdf
STATUS: A Low-Code Business Process Compliance Management System
Álvaro Bernal¹,†, Francisco Montero¹,†, Cristina Cabanillas¹,²,∗, Pablo Fernández¹,² and Manuel Resinas¹,²
¹ SCORE Lab, Universidad de Sevilla, Spain
² I3US Institute, Universidad de Sevilla, Spain


                                               Abstract
                                               Business process compliance management ensures adherence of processes to laws and internal policies.
                                               This paper introduces STATUS, a comprehensive Business Process Compliance Management System
                                               (BPCMS) developed to meet real organizational needs. STATUS supports compliance management in
                                               several phases of the Business Process Management (BPM) lifecycle with low-code compliance mashups
                                               for rule specification and checking. This approach allows for flexible rule creation, reuse, and integration
                                               with organizational systems, enabling both design-time and run-time compliance checks. Interactive
                                               compliance dashboards provide users with clear reporting on compliance results. These characteristics
                                               make STATUS a practical tool for the BPM community and process-oriented organizations.

                                               Keywords
                                               business process compliance, compliance checking, compliance dashboard, compliance mashup




                                1. Introduction and Significance to BPM
                                Business process compliance (compliance for short) management is the continuous process of
                                monitoring and assessing organizational systems and processes to ensure that there is adherence
                                to relevant laws, regulations, internal policies, guidelines and specifications, e.g., U.S.’ SOX
                                legislation, Germany’s DCGK, Australia’s CLERP 9, and EU’s GDPR. Based on them, a set of
                                compliance controls that must be observed by the organization can be defined. Each compliance
                                control can be further decomposed into a set of compliance rules. These rules are specific
                                checks that must be carried out to evaluate whether the control is being fulfilled and may refer
                                to different process aspects, such as the execution order of activities, the data accessed and
                                produced, or the people that participate in the process.
   Processes must be designed and executed according to the governing rules. Hence, compliance
is inherently relevant to Business Process Management (BPM). Compliance management
includes various tasks, from rule definition to compliance checking and reporting, which span
the BPM lifecycle [1]. Several approaches and frameworks have been developed to address
compliance issues, such as techniques for compliance verification, with limited scopes [2], or
integrated solutions [3] that address a larger number of acknowledged Compliance Monitoring
Functionalities (CMFs) [4]. However, they tend to focus on design-time or run-time compliance
checking, and they usually use event logs as the only data source for compliance checking.

Proceedings of the Best BPM Dissertation Award, Doctoral Consortium, and Demonstrations & Resources Forum co-located
with 22nd International Conference on Business Process Management (BPM 2024), Krakow, Poland, September 1st to 6th,
2024. CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073.
∗ Corresponding author.
† These authors contributed equally.
Email: abernal3@us.es (Á. Bernal); fmontero3@us.es (F. Montero); cristinacabanillas@us.es (C. Cabanillas);
pablofm@us.es (P. Fernández); resinas@us.es (M. Resinas)
ORCID: 0009-0008-4350-1389 (Á. Bernal); 0009-0002-4638-1825 (F. Montero); 0000-0001-9182-8847 (C. Cabanillas);
0000-0002-8763-0819 (P. Fernández); 0000-0003-1575-406X (M. Resinas)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

   This paper presents STATUS, a Business Process Compliance Management System (BPCMS)
that supports compliance management in several phases of the BPM lifecycle. For rule specification
and checking, it relies on the mashup-based compliance management framework presented
in [5], a low-code solution that brings several advantages: (i) an open-ended set of types of rules
can be specified by designing and connecting mashup components; (ii) the definitions of the
rules can be reused as needed; and (iii) the mashup-based compliance checking system can
retrieve data from different information systems of the organization, enabling the verification of
actual facts on actions performed during process execution (e.g., the existence of a specific
document in a concrete location). Furthermore, compliance mashups can be used for design-time and
run-time compliance checking. Interactive compliance dashboards [6] are automatically created
for results reporting and can be customized by the user. With STATUS, the BPM community will
benefit from a BPCMS closer to what organizations usually demand. Moreover, the ability to
extend the functionality of the system with custom-made mashup components makes STATUS
a good platform in which results from the community can be integrated.


2. Tool Description
STATUS is accessible through a comprehensive web application, which enables users to define
and organize compliance catalogs and controls, construct and configure mashups for rule
specification, and display compliance outcomes through interactive dashboards.
   Catalog and Control Editor. This is a foundational component of STATUS as it enables
users to define and manage catalogs of compliance controls systematically. Each control
within a catalog is configured to check specific compliance rules, facilitating organized and
comprehensive compliance management.
   To create a catalog and its associated controls, users interact with a form-based User Interface
(UI). This UI simplifies the process of defining controls by allowing users to specify its parameters
and to link the control to a compliance mashup, which implements the rules that the control
should monitor. When a user selects a mashup using the “Check” field of the UI, the system
displays the required input parameters for that mashup, ensuring that the necessary data is
available for accurate compliance evaluation. The integration of mashups with controls not only
enhances the flexibility and specificity of compliance checks but also supports the modular and
reusable nature of control definitions. This approach ensures that compliance controls and rules
can be easily updated and adapted to meet evolving regulatory requirements. Figure 1 shows
a new catalog called “Documents” that applies from January 1 to July 13, 2024. It includes a
control to check if document “Invoice123” exists. The check is performed monthly from May to
July 13, using the “existsDocument” compliance mashup, which receives the document’s name.
The document location is defined within the mashup itself but it could also be parameterized.
Figure 1: Catalog and control creation




Figure 2: Compliance mashup visualization


   Compliance Mashup Editor. This component allows users to create visual data-driven
workflows (i.e., dataflows) to extract and manipulate data for compliance rule checking. Pipes
are the elements in charge of extracting and operating on data. Most of them have inputs and
outputs that represent the streams of data going in and out of the pipe, respectively. These
pipes operate on the input data to produce output data (e.g., check the execution of an activity
in the traces of an event log). The pipes without an input flow retrieve data from a data source,
such as a process event log, a repository (e.g., Github), a document management system (e.g.,
OneDrive) or a project management system (e.g., Trello). The pipe without an output flow
returns the outcome of the compliance mashup, i.e., the result of rule checking.
Figure 3: Compliance dashboard

   Node-RED’s visual programming approach has been used to implement compliance mashups.
To further simplify the creation of compliance mashups, STATUS includes custom Node-RED
pipes specifically designed for compliance rule modeling. Moreover, the system can be easily
extended with additional custom-made pipes to integrate it with ad-hoc information systems
or to include additional functionalities like new process mining techniques. Figure 2 depicts a
compliance mashup that checks that for those purchase items that do not require a reception
confirmation message, the cost shown on the invoice is the same as that recorded when the item
was created. The brown-colored pipes are part of our collection of custom components. The
other pipes come pre-installed with the tool and are part of its standard set of functionalities¹.
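
The dataflow structure described above (a pipe without an input flow, processing pipes, and a pipe without an output flow), shown for the rule of Figure 2 as an added example in plain JavaScript. It is not code from STATUS or Node-RED; the function names, event-log fields, activity names and sample data are constructed assumptions.

```javascript
// Added example: each pipe kind is modeled as a plain function.
// Field names, activity names and the event log are constructed.
const CREATE = "Create Purchase Order Item";
const INVOICE = "Record Invoice Receipt";
const EVENT_LOG = [
  { caseId: "PO-1", activity: CREATE, cost: 100, needsReceipt: false },
  { caseId: "PO-1", activity: INVOICE, cost: 100 },
  { caseId: "PO-2", activity: CREATE, cost: 250, needsReceipt: false },
  { caseId: "PO-2", activity: INVOICE, cost: 275 },
  { caseId: "PO-3", activity: CREATE, cost: 80, needsReceipt: true },
  { caseId: "PO-3", activity: INVOICE, cost: 90 },
  { caseId: "PO-4", activity: CREATE, cost: 40, needsReceipt: false },
];

// Pipe without an input flow: retrieves data and groups events into traces.
function sourcePipe(log) {
  const traces = new Map();
  for (const ev of log) {
    if (!traces.has(ev.caseId)) traces.set(ev.caseId, []);
    traces.get(ev.caseId).push(ev);
  }
  return [...traces].map(([caseId, events]) => ({ caseId, events }));
}

// Processing pipe: keeps the traces the rule applies to
// (items that do not require a reception confirmation).
function scopePipe(traces) {
  return traces.filter((t) =>
    t.events.some((e) => e.activity === CREATE && e.needsReceipt === false));
}

// Processing pipe: compares invoice cost with the cost recorded at creation.
// Assumption: a trace with no invoice event counts as a violation.
function checkPipe(trace) {
  const created = trace.events.find((e) => e.activity === CREATE);
  const invoice = trace.events.find((e) => e.activity === INVOICE);
  const compliant = invoice !== undefined && invoice.cost === created.cost;
  return { caseId: trace.caseId, compliant };
}

// Pipe without an output flow: returns the outcome of the mashup.
function resultPipe(results) {
  const violations = results.filter((r) => !r.compliant).map((r) => r.caseId);
  return { compliant: violations.length === 0, checked: results.length, violations };
}

function runMashup(log) {
  return resultPipe(scopePipe(sourcePipe(log)).map(checkPipe));
}
```

Calling `runMashup(EVENT_LOG)` on the constructed log leaves PO-3 out of scope and reports PO-2 (cost mismatch) and PO-4 (no invoice) as violations.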
   Compliance Dashboard Monitor. The dashboards in STATUS provide a comprehensive
view of the results of the compliance mashups. A compliance dashboard aggregates data from
various compliance checks and presents it in a series of customizable charts and graphs. This
visual representation makes it easy for users to monitor the overall compliance status, identify
rule violations, and track trends over time. The dashboards’ interactive features allow users
to drill down into specific controls and mashups, gaining deeper insights into the compliance
performance of individual processes. Governify [7]² serves as the infrastructure that processes
the responses of mashups according to each created catalog, facilitating the creation of interactive
dashboards. The results of a rule checking shown in Figure 3 determine that the rule is met,
on average, in 44.3% of the projects. The bar chart informs about the percentage of projects
compliant with the rule over time.
   The STATUS software, a screencast video of the system, and further information are
available at https://github.com/statuscompliance.


3. Maturity and Future Work
STATUS is a general-purpose solution that can be adapted to specific scenarios by adding pipes
to the compliance mashups to connect to new data sources and perform other operations on
data. A preliminary implementation of the system has already been successfully used to address
compliance checking at both design time and run time for the IT department of a multinational
company from the energy supply domain as part of an R&D project [5]. The project covered
more than 20 processes and 122 controls that had been obtained after analyzing the implication
of three well-known regulations (SOX, SCIIF and L262) plus additional controls that responded
to internal business policies. To implement them, a total of 11 mashups based on five data
sources and 18 domain-specific pipes were defined. The data sources included process models
from an enterprise modeling tool for design-time rules, project and process documents from a
Document Management System (DMS), data about projects status from a project management
tool, and data about incidents and claims from a helpdesk system. This case study showed the
feasibility and usefulness of STATUS for compliance checking in organizations.

¹ Note that the split and join pipes have different semantics than they usually have in process models. In our case,
  we use split to sequentially send an array of any objects, and then regroup them with join to work at trace level.
² https://governify.io

   In terms of functionalities, at this moment, STATUS supports CMFs 1-7 and CMF 10. Currently,
there is no support for pro-active compliance checking (CMF 8) and partial support for root-cause
analysis (CMF 9). We are working towards the development and integration of functionalities
for predictive compliance monitoring [8] and advanced root-cause analysis for a full coverage
of the CMFs. Furthermore, we plan to create a marketplace that allows developers to upload
custom-made mashup pipes that provide additional functionality to the system.


Acknowledgments
Grants PDC2022-133521-I00 (STATUS) and TED2021-131023B-C22 (ORCHID) funded by
MCIN/AEI/10.13039/501100011033/ and by the European Union NextGenerationEU/PRTR; and
grants PID2021-126227NB-C21 (PERSEO), PID2021-126227NB-C22 and PID2022-140221NB-I00
(TAPIOCA) funded by MCIN/AEI/10.13039/501100011033/ and by ERDF/EU.


References
[1] C. Cabanillas, M. Resinas, A. Ruiz-Cortés, Exploring Features of a Full-Coverage Integrated
    Solution for Business Process Compliance, in: CAiSE Workshops, volume 83, 2011, pp.
    218–227.
[2] H. Mustroph, M. Barrientos, K. Winter, S. Rinderle-Ma, Verifying Resource Compliance
    Requirements from Natural Language Text over Event Logs, in: Int. Conf. on Business
    Process Management (BPM), volume 14159, 2023, pp. 249–265.
[3] D. Knuplesch, M. Reichert, A. Kumar, A framework for visually monitoring business process
    compliance, Inf. Syst. 64 (2017) 381–409.
[4] L. T. Ly, F. M. Maggi, M. Montali, S. Rinderle-Ma, W. M. van der Aalst, Compliance
    Monitoring in Business Processes, Inf. Syst. 54 (2015) 209–234.
[5] C. Cabanillas, M. Resinas, A. Ruiz-Cortés, A Mashup-Based Framework for Business Process
    Compliance Checking, IEEE Trans. Serv. Comput. 15 (2022) 1564–1577.
[6] P. Silveira, C. Rodriguez, F. Casati, F. Daniel, V. D’Andrea, C. Worledge, Z. Taheri, On
    the Design of Compliance Governance Dashboards for Effective Compliance and Audit
    Management, in: ICSOC Workshops, 2010, pp. 208–217.
[7] R. Fresno-Aranda, J. Ojeda-Perez, P. Fernandez, A. Ruiz-Cortés, Governify. An agreement-
    based service governance framework, Softw. Impacts 19 (2024) 100629.
[8] S. Rinderle-Ma, K. Winter, J. Benzin, Predictive compliance monitoring in process-aware
    information systems: State of the art, functionalities, research directions, Inf. Syst. 115
    (2023) 102210.