The Journey to Business Process Compliance. Are We There Yet?

The Journey to Business Process
Compliance. Are We There Yet?
Guido Governatori
16 November 2015
www.data61.csiro.au

Outline
• Motivation
• Business Process Compliance
• Modelling Business Processes
• A Privacy Dilemma
• No Time for Compliance
• The Regorous Approach to Business Process Compliance
2 | The Journey to Business Process Compliance. Are We There Yet? | Guido Governatori

Motivation
2000-2010 Big (ﬁnancial) scandals lead to more strict regualtory frameworks with
strong compliance components
2005- Regulatory compliance emerged as a multi-billion dollars market
2005-2006 IT frameworks to support regulatory compliance:
• Governatori and Sadiq
• Giblin, Liu et al.
• Ghose and Koliades
• Goedertier and Vanthienen
2015 10 years and 500 papers later

What is Compliance?
Ensuring that business operations, processes, and practices are in accordance
with a given prescriptive (often legal) document

What is Compliance?
Ensuring that business operations, processes, and practices are in accordance
with a given prescriptive (often legal) document
Regulatory
• Basel II
• Sarbanes-Oxley
• OFAC (USA Patriot Act)
• OSFI “blocked entity” lists
• HIPAA
• Graham-Leach-Bliley
Standards
• Best practice models
• SAP solution maps
• ISO 9000
• Medical guidelines
Contracts
• Service Agreement
• Customer Contract
• Warranty
• Insurance Policy
• Business Partnership

Deﬁnition of Compliance

Compliance is a relationship between two sets of speciﬁcations

Alignment of formal speciﬁcations for business processes and formal
speciﬁcations for prescriptive (legal) documents.

• Conceptually sound representation of business processes

• Conceptually sound representation of business processes
• Conceptually sound representation of and reasoning with norms

Compliance Ecosystem
Legal Space Process Space
Compliance
Space
Process
Data
BP Execution
Compliance
Checking
Regulatory
Document
(Formal) Speciﬁcation
<obligations>;
<permissions>;
<prohibitions;
Analysis
Translation
Monitoring
Violation
Response
Domain Experts
Process Modellers
BP Models
Design TIme
Run Time
Process
Role(s)
New or Existing
New or Existing New
Existing
Existing
ExistingExisting
Violation
Detection

Compliance Recipe
1. Formal Model of Business Processes

Compliance Recipe
2. Formal Model of Relevant Norms/Normative Frameworks

Compliance Recipe
2. Formal Model of Relevant Norms/Normative Frameworks
3. Combine, shake well and serve!

Business Process Model
Self-contained, temporal and logical order in which a set of activities are executed to
achieve a business goal. It describes:
• What needs be done and when (control ﬂows)
• What we need to work on (data)
• Who is doing the work (human and system resources)

Modelling Processes
A
B
D
C
E
F
G
H
t1 : A, B, C, D, E, F, H
t2 : A, B, D, C, E, F, H
t3 : A, D, B, C, E, F, H
t4 : A, B, C, D, E, G, H
t5 : A, B, D, C, E, G, H
t6 : A, D, B, C, E, G, H

Annotated Traces
Let Lit be a set of literals, T be the set of traces of a process and N be the set of
natural numbers
State : T × N → 2Lit
The function State returns the set of literals describing “what’s going on in a trace t
after the execution of the n-th task in the process”.

Example
A B
C
D
Tasks
• A: “turn the light on”
• B: “check if glass is empty”
• C: “ﬁll glass with water”
• D: “turn glass upside-down”
Propositions
• p: “the light is on”
• q: “the glass is full”
Trace 1: A, B, D
Trace 2: A, B, C, D
• State(i, 1) = { p }, i ∈ { 1, 2 }
• State(1, 2) = { p, q }
• State(2, 2) = { p, ¬q }
• State(2, 3) = { p, q }
• State(1, 3) = { p, ¬q }
• State(2, 4) = { p, ¬q }

A Privacy Act
Section 1: (Prohibition to collect personal medical information)
Offence: It is an offence to collect personal medical information.
Defence: It is a defence to the prohibition of collecting personal medical
information, if an entity immediately destroys the illegally collected
personal medical information before making any use of the personal
medical information
Section 2: An entity is permitted to collect personal medical information if the entity
acts under a Court Order authorising the collection of personal medical
information.
Section 3: (Prohibition to collect personal information) It is forbidden to collect personal
information unless an entity is permitted to collect personal medical
information.
Offence: an entity collected personal information
Defence: an entity being permitted to collect personal medical information.

A Business Process
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End

A Business Process
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
Is the process compliant with the Privacy Act?

Making Sense of the Act
• Collection of medical information is forbidden.
• Destruction of the illegally collected medical information excuses the illegal
collection.
• Collection of medical information is permitted if there is an authorising court
order.
• Collection of personal information is forbidden.
• Collection of personal information is permitted if the collection of medical
information is permitted

collection.
order.
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End

collection.
order.
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
The process is not compliant

Linear Temporal Logic for Compliance
In the past 5-10 years many compliance frameworks based on (Linear) Temporal Logic
have been proposed:
• DECLARE, MoBuCom, DecSerFlow
• COMPAS
• BPMN-Q

Motivation
• Linear Temporal Logic (LTL): mature technology to verify systems
• Similarity between conditions for obligations and temporal notions in LTL
• many compliance frameworks proposed LTL to check compliance of business
processes

Motivation
• Linear Temporal Logic (LTL): mature technology to verify systems
• Similarity between conditions for obligations and temporal notions in LTL
• many compliance frameworks proposed LTL to check compliance of business
processes
Can current compliance frameworks based on LTL be used to
determine compliance of processes with norms?

Linear Temporal Logic 101 (Syntax)
• Xφ: at the next time φ holds;
• Fφ: eventually φ holds (sometimes in the future φ); and
• Gφ: globally φ holds (always in the future φ).
In addition we have three binary operators:
• φ U ψ (until): φ holds until ψ holds;
• φ W ψ (weak until): φ holds until ψ holds and ψ might not hold.
Interdeﬁnability
• Fφ ≡ U φ,
• Gφ ≡ ¬F¬φ,
• φ W ψ ≡ (φ U ψ) ∨ Gφ

Obligation, Prohibition and Permission
Obligation A situation, an act, or a course of action to which a bearer is legally
bound, and if it is not achieved or performed results in a violation.
Prohibition A situation, an act, or a course of action which a bearer should avoid,
and if it is achieved results in a violation.
Permission Something is permitted if the obligation or the prohibition to the
contrary does not hold.

Achievement vs Maintenance Obligations
• For an achievement obligation, a certain condition must occur at least once before
the deadline
‘Customers must pay before the delivery of the good, after receiving the invoice’
• For maintenance obligations, a certain condition must obtain during all instants
before the deadline:
‘After opening a bank account, customers must keep a positive balance until bank
charges are taken out’

Achievement and Maintenance Obligations in
LTL
Maintenance obligation
Gφ G(τ → φ U δ)
Achievement obligation
Fφ G(τ → ¬(¬φ U δ))

Compliance in LTL
To determine, given a model encoding a trace of a business process
and a set of formulas encoding the relevant norms, whether the
formulas are satisﬁable by the model.

LTL Compliance Frameworks
• Several compliance frameworks based on LTL have been proposed (e.g.,
COMPAS, MoBuCOM, BPMN-Q, we focus on COMPAS Compliance
Requirement Language CRL).
• Propose templates/patterns to capture “compliance requirements” based on the
“temporal order” of tasks or business process components.
• Templates correspond to temporal logic formulas

CRL Patterns
• Absence: φ isAbsent, φ does not occur in the process
G¬φ
• Existence: φ Exists, φ occurs in the the process
Fφ
• Leads To: φ LeadsTo ψ, φ must always be followed by ψ
G(φ → Fψ)

CRL Contrary-to-duty Pattern
Pattern to represent compensations to violations
φ (LeadsTo|DirectlyFollowedBy) φ1 (Else|ElseNext) φ2 . . . (Else|ElseNext) φn
translated to
G(φ → F|X(φ1 ∧1≤i<n−1 (F|X(φi NotSucceed) ∧ (φi NotSucceed → F|Xφi+1))))
but it does not work for maintenance obligations (prohibitions), Gφ ∧ ¬φ → ⊥.
Gφ ∨ F(¬φ ∧ F|Xψ)

CRL Exception Patterns
Strong Exceptions: [[R]]Pattern
φ → ψ
Weak Exceptions: [R]Pattern
φ ∨ ψ
where:
• φ is the LTL translation of R
• ψ is the LTL translation of Pattern

Privacy Act Logical Structure
• A (“collection of medical information”) is forbidden
B (“destruction of medical information”) compensates the illegal collection
• A is permitted if C (“acting under a court order”)
• D (“collection of personal information”) is forbidden
• D is permitted if A is permitted

Privacy Act in CRL and LTL
CRL1 R1 : ([R2]A isAbsent) Else B,
CRL2 R2 : C,
CRL3 R3 : [R4]D isAbsent,
CRL4 R4 : A isPermitted.

Privacy Act in CRL and LTL
CRL1 R1 : ([R2]A isAbsent) Else B,
CRL2 R2 : C,
CRL3 R3 : [R4]D isAbsent,
CRL4 R4 : A isPermitted.
LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));
LTL2 G(FA ∨ G¬D).

CRL: Are We Compliant?
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));
• v(start) = { ¬A, ¬B, ¬C, ¬D };
• v(T1) = { A, ¬B, ¬C, ¬D };
• v(T2) = { A, ¬B, ¬C, D };
• v(T3) = { A, B, ¬C, D };
• v(end) = { A, B, ¬C, D }.
M |= LTL1 ∧ LTL2

CRL: Are We Compliant?
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));
• v(start) = { ¬A, ¬B, ¬C, ¬D };
• v(T1) = { A, ¬B, ¬C, ¬D };
• v(T2) = { A, ¬B, ¬C, D };
• v(T3) = { A, B, ¬C, D };
• v(end) = { A, B, ¬C, D }.
M |= LTL1 ∧ LTL2
According to CRL/LTL the process is compliant

The Regorous Approach to Business Process Compliance

The Regorous Approach
Extension, reﬁnement of the compliance-by-design methodology proposed by
Governatori and Sadiq 2007.
1. Annotated business process models
2. Proper representation of norms based on PCL (Process Compliance Logic)
3. Simulate execution of traces and round trips to PCL reasoner
1. Determine what are the obligations in force for each state
2. Determine which obligations have been fulﬁlled, violated, or pending
3. Determine which violations have been compensated for
http://www.regorous.com

Modelling Norms
Norms are modelled as if . . . then . . . rules
• norms are defeasible (handling exceptions)
• two types of norms
constitutive rules: defining terms used in a legal context
A1, . . . , An ⇒ C
prescriptive rules: defining “normative effects” (i.e., obligations, permissions,
prohibitions . . . )
A1, . . . , An ⇒ [O]C1 ⊗ [O]C2 ⊗ · · · ⊗ [O]Cm
A1, . . . , An ⇒ [P]C

Reasoning with Norms
1. A is a fact; or
2. there is an applicable rule for A, and either
1. all the rules for ¬A are discarded (i.e., not applicable) or
2. every applicable rule for ¬A is weaker than an applicable rule for A.

The Regorous Architecture
Compliance Checker
Logical State
Representation
State(t,1)
State(t,2)
State(t,3)
State(t,4)
Rule1
Rule2
Rule3
Rule4
Rule5
Rule6
Rule7
Rule8
Rule9
...
Compliance
Rule Base
Obligations
Input
...
Annotated Business Process
T2
T5
T3
T1
T4
T7 T6
Legalese Formalisation
Recommendation Sub-system recommendations
whatif
analysis
StatusReport

Privacy Regorously
• collection of medical information is forbidden
c destruction of medical information compensates the illegal collection
r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy
• collection of medical information is permitted if acting under a court order
r2 : courtOrder ⇒ [P]medicalInfo
• collection of personal information is forbidden
r3 : ⇒ [O]¬personalInfo
• collection personal information is permitted if collection of medical information is
permitted
r4 : [P]medicalInfo ⇒ [P]personalInfo

Are We Regorously Compliant?
Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
State(start) : ¬courtOrder

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
Force(T1) : [O]¬medicalInfo
[O]¬personalInfo

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
State(T1) : medicalInfo

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
Violated(T1) : [O]¬medicalInfo

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
Force(T2) : [O]destroy

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
State(T2) : personalInfo

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
Violated(T2) : [O]¬persoanlInfo

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
State(T3) : destroy

Collect
Medical
Information
Collect
Personal
Information
Destroy
Medical
Information
T1 T2 T3
Start End
[O]¬personalInfo
State(T3) : destroy
Compensated(T3) : [O]¬medicalInfo

The Regorous Evaluation
Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the compliant
handling/management processes of an Australian telco.
41 tasks, 12 decision points (xor), 2 loops
shortest trace: 6 traces longest trace (loop): 33 tasks
longest trace (no loop): 22 tasks
over 1000 traces, over 25000 states

The Regorous Evaluation
TCPC 2012 Chapter 8. Contains over 100 commas, plus 120 terms
(in Terms and Deﬁnitions Section).
Required 223 propositions, 176 rules.
Punctual Obligation 5 (5)
Achievement Obligation 90 (110)
Preemptive 41 (46)
Non preemptive 49 (64)
Non perdurant 5 (7)
Maintenance Obligation 11 (13)
Prohibition 7 (9)
Non perdurant 1 (4)
Permission 9 (16)
Compensation 2 (2)

Conclusions
• Many scholars jumped on the compliance bandwagon
• Current Compliance Frameworks based on Temporal Logic are not able to model
real life norms.
• Result not restricted to Linear Temporal Logic, it extends to other temporal logics
• Result is not an impossibility theorem. If one knows what are the compliant
traces, one can build a set of temporal formulas corresponding to the compliant
traces (but it means using an external oracle, so useless for compliance)
• Result seems to affect Deontic logics based on possible world semantics.
• PCL and Regorous are not affected by the problem, and offer a viable practical
solution
• 5/10 years of mostly wasted opportunities and research efforts

Questions?
Guido Governatori
guido.governatori@nicta.com.au

The Journey to Business Process Compliance. Are We There Yet?

Recomendados

Recomendados

Más contenido relacionado

Similar a The Journey to Business Process Compliance. Are We There Yet?

Similar a The Journey to Business Process Compliance. Are We There Yet? (20)

Más de Guido Governatori

Más de Guido Governatori (10)

Último

Último (20)

The Journey to Business Process Compliance. Are We There Yet?