Ensuring compliance of business processes with internal policies and external regulations – such as GDPR for data protection, HIPAA for healthcare data privacy, or ISO 27001 for information security management – is a critical challenge for organizations. Compliance violations can lead to legal penalties, ifnancial losses and operational ineficiencies. Traditional compliance monitoring techniques typically focus on detecting non-compliant behavior either retrospectively (post-mortem) or during process design and execution (pre-mortem) [ 1 ].

However, these reactive approaches are often insuficient in mitigating compliance risks before violations occur. A key challenge in compliance monitoring is integrating predictive capabilities that anticipate potential violations in advance. Developing an approach that can generalize across diferent compliance requirements and provide early detection while ensuring accuracy, interpretability, and scalability remains an open research problem.

Predictive Process Monitoring (PPM) ofers a promising approach to addressing this challenge. PPM leverages historical data from process executions stored in event logs to forecast the future behavior of running process instances [ 2 ]. These predictions can take diferent forms, such as estimating remaining execution time, forecasting outcomes, or anticipating the next process event. These predictions act as key performance indicators for ongoing processes, ofering valuable insights to businesses.

In this idea paper, we introduce a conceptual framework for Predictive Compliance Monitoring (PCM) that leverages compliance mashups [ 3 ] to generate partial PPM predictions. Our approach tackles key challenges in the PCM field, including the generalization of compliance requirements beyond SLA-specific constraints and the integration of multiple predictive models to handle more complex compliance rules. Furthermore, we identify key research challenges in the PCM field, ofering a foundation for future research.

The remaining of the paper is structured as follows. Section 2 outlines related work and the limitations of existing approaches that motivate this work. Section 3 presents our proposed framework for PCM based on compliance mashups. Finally, Section 4 reflects on the approach, its scope and limitations, the challenges ahead and plans for future work in this research area.

Predictive compliance monitoring is a largely unexplored research area that focuses on forecasting potential violations of compliance constraints in business processes. A recent survey on PCM [ 4 ] highlights the limited research in this domain and identifies key studies contributing to the field. As discussed in [ 4 ], two primary approaches to PCM exist: (i) Predicate Prediction, which predicts whether a constraint is fulfilled, and (ii) PCM based on PPM, which builds a compliance monitoring system on top of PPM results. For example, Predicate Prediction might be used to determine whether an invoice approval will meet a regulatory deadline before the process is completed. In contrast, a PCM approach on PPM would first predict the expected remaining time of an approval process and then assess whether this prediction aligns with compliance constraints. The key distinction lies in Predicate Prediction providing a direct compliance verdict, whereas PCM based on PPM relies on intermediate process forecasts to infer compliance status.

Rinderle-Ma et al. [ 4 ] identified seven key studies that can be classified as PCM. Leitner et al. [ 5, 6 ] predict Service Level Agreements (SLA) violations using remaining time prediction, qualifying as a PPM approach. In [ 6 ], they also introduce preventive methods to ensure that predictions adhere to the defined Service Level Objectives (SLOs). Khan et al. [ 7 ] provide a generic model for compliance prediction in business processes, utilizing trace activity and time data for binary classification. Cicotti et al. [ 8 ] propose a Quality of Service (QoS) predictor for SLA compliance monitoring based on a probabilistic model. Rodríguez et al. [ 9 ] employ decision trees to explain compliance root causes and use them to predict whether a process is compliant. Comuzzi et al. [ 10 ] present a metric for SLA predictive monitoring by forecasting boolean SLOs. Ivanović et al. [ 11 ] focus on predicting QoS at runtime to support service orchestration.

These approaches sufer from several limitations that prevent them from functioning as a comprehensive PCM system. Specifically, existing methods typically fall into one of three categories: (i) they focus solely on remaining time prediction in PPM, (ii) they are restricted to SLA compliance, or (iii) they operate only at the level of individual process instances [ 4 ]. As a result, these approaches rely on relatively simple compliance rules, lacking the ability to handle more complex compliance constraints that involve multiple features or events.

This gap underscores the need for further research to develop PCM solutions that move beyond SLA-specific compliance monitoring, incorporate advanced predictive capabilities, and support the enforcement of complex compliance rules spanning multiple process features or events.

We propose a conceptual framework for PCM that leverages compliance mashups [ 3 ] for defining and automatically monitoring compliance rules. Our approach generates PPM models on these mashups, enabling partial predictions of the rules and ultimate unifying the obtained results to verify compliance.

A mashup is a data-driven workflow (a.k.a. data flow ) built with information from one or more data sources that might be transformed and propagated to produce a desired output in a reusable User Interface (UI) [ 12 ]. Compliance mashups [ 3 ] refer to mashups specifically designed for compliance checking purposes. These mashups facilitate the automated verification of compliance rules at design

PCM Framework Offline Stage

Online Stage

Event Log Compliance Mashups

Preprocessing Generate PPM models based on

Mashups

Rule 1 Model Rule 2... Model

Rule N Model

Train and evaluate models

Get process predictions

Check compliance

Dashboard Evaluation Metrics

Ongoing trace time or run time by integrating heterogeneous data sources, applying necessary transformations, and producing compliance evaluation results in an interpretable format. Each mashup operationalizes one compliance rule, although mashups can be embedded into domain-specific components to adapt to diferent granularities and enhance scalability. Tools like STATUS [ 13 ] leverage the mashup-based compliance management framework presented in [ 3 ] to build a low-code compliance monitoring system.

Figure 1 depicts the architecture of our proposed framework for PCM. We assume that all compliance rules can be verified based on data from event logs. This assumption is generally adopted by existing compliance monitoring approaches [ 14, 15 ]. Our framework integrates PPM, a well established discipline that applies machine learning techniques to forecast process behavior or outcomes. Specifically, we consider predictive models generated by machine learning techniques such as neural networks or decision trees, which estimates the next process event(s), next event time, remaining execution time, process outcome, or any combination of these [ 2 ].

The framework comprises two stages. For a compliance rule, the ofline stage generates PPM models based on historical event logs containing information about the respective process executions, and on the compliance mashup that monitors the rule. First, the system parses the mashup to identify the components of the compliance rule. Subsets of the mashup components can be used to infer intermediate PPM models. These intermediate models serve as building blocks for the final compliance prediction. After constructing the individual models, the system preprocesses the event log, trains each rule-specific model, and evaluates its performance using well-established evaluation metrics. We consider classification metrics such as accuracy, precision, recall, and F1-score for categorical predictions (e.g., predicting the next activity). For numerical predictions, such as remaining execution time, we use regression metrics like Mean Absolute Error (MAE) and Root Mean Square Error (RMSE).

In the online stage, the trained models generate compliance predictions for ongoing process instances. The system processes the latest instance data through the corresponding predictive models, producing probabilistic forecasts of upcoming events, execution times, and process outcomes. These predictions are then integrated into compliance mashups, enabling real-time assessment of whether the process is likely to remain compliant or violate predefined rules.

We exemplify the use of the framework with a simple scenario. Consider an industrial production plant where maintaining product quality and preventing overheating are critical. The plant follows a structured cooling and quality assurance process to ensure that materials are processed within Running process instances (bp) predefined temperature and time regulations. Each batch of materials undergoes a series of steps, starting with (A) material preparation, followed by (B) heat treatment, (C) cooling, (D) quality inspection, and finally ( E) packaging. Throughout the process, compliance with two key rules must be ensured. First (c1), once a batch enters the heat treatment phase, packaging must be completed within 60 minutes to prevent material degradation. Second (c2), the material’s temperature must remain below 90°C to avoid safety hazards.

The process event log entries include a unique identifier for each process instance that enable the recognition of process traces, labeled caseID; the specific process activity to which the event refers, named activity; the date and time when the activity occurred, marked as timestamp; and a numerical value for temperature measurements, identified as temperature.

The compliance mashups for rules c1 and c2 are depicted in Figure 2. These mashups consist of nodes that retrieve and transform information from process traces, enabling the generation and training of the necessary PPM models based on historical data.

The predictive models required for our example are as follows. For rule c1, the system includes two predictors. The Next activity predictor forecasts the subsequent process activities on the follows(B,E) node in mashup c1, which detects if the activity B is followed eventually by the activity E. The Next event time predictor estimates the time diference between events, utilizing the lastTimestamp(B), lastTimestamp(E), and timeDiff() nodes. For Rule c2, the Outcome predictor is used, which infers the process outcome from the getTemperatures() node in mashup c2.

When a process instance is actively running, the system employs the previously trained models to generate compliance predictions in real time. Based on the models associated with each compliance mashup, the system evaluates the likelihood of future compliance or violation. Figure 3 illustrates an example of the online stage as seen in Figure 1, where a running trace undergoes predictive compliance assessment. Rule c1 Model forecasts the next activity and expected event timestamp for the monitoring Rule c1 Model: E must happen eventually after B within 1 hour.

MODEL nextActivity()

E with 90% confidence

MODEL nextEventTimestamp() 2025-02-25T12:50 with 85% confidence

Ongoing trace [2, B, 84, 2025-02-25T12:30]

Rule c2 Model : The temperature must never exceed 90ºC

MODEL nextTemperature() 93 with 75% confidence

Predictions into the mashup of c1; and Rule c2 Model forecasts the temperature for the monitoring of c2.

These results are then integrated into the compliance mashup to determine the compliance degree for each rule. The compliance degree is a quantitative measure of how closely the predicted process execution aligns with the compliance rules. The compliance degree can be expressed as a binary classification (compliant / non-compliant) with a probability score reflecting the likelihood of the prediction. For example, in Figure 3 the compliance degree for rule c1 is classified as compliant with a probability of 76.5%. This combined probability for c1 is derived from the confidences of the constituent predictions; in this instance, it corresponds to the product of the 90% confidence for the predicted next activity (E) and the 85% confidence for the predicted timestamp ( 0.90 · 0.85 = 0.765). For rule c2, it is categorized as non-compliant with a probability of 75%.

This idea paper proposes a novel approach to PCM using compliance mashups. By integrating predictive models with compliance mashups, this approach enhances the coverage of the Compliance Monitoring Functionalities (CMFs) related to PCM outlined in [ 4 ]. Specifically, it supports previously uncovered functionalities such as non-atomic activities (CMF4), life cycle considerations (CMF5), multiple instance constraints (CMF6), root cause analysis (CMF9) and compliance degree calculation (CMF10).

The main limitations of this approach are, first, the lack of integration with information systems that do not rely on event logs, which restricts the range of applicable data sources. Second, the types of predictions supported are inherently constrained by the capabilities of PPM, limiting the scope of compliance violations that can be anticipated.

This work also unveils several challenges that remain open. One of the key issues is implementing eficient online (re-)training mechanisms for each predictive model to adapt to evolving processes dynamically. The second challenge lies in determining the compliance degree, as common regression models do not inherently provide a confidence measure. Some methods, such as those proposed in [16, 17], ofer estimation techniques for this measure. The third open challenge is defining the number of future events to predict. This introduces the need for sophisticated predictive models, such as Long Short-Term Memory (LSTM) networks, which can generate sequences of predictions rather than isolated forecasts. Lastly, the challenge of inferring the appropriate predictive models from the mashups emerges. This involves determining which mashup components are necessary for compliance predictions and how to eficiently combine them.

Future research should focus on addressing these limitations and challenges, and developing scalable architectures for real-world applications. By tacking these issues, compliance monitoring systems can transition from reactive approaches to fully proactive PCM systems, enabling early compliance insights, reducing operational risks, and ensuring greater regulatory adherence.

During the preparation of this work, the author(s) used ChatGPT in order to: Grammar and spelling check, Paraphrase and reword. After using this tool/service, the author(s) reviewed and edited the content as needed and take(s) full responsibility for the publication’s content.