In response to recent financial scandals (e.g. those involving Enron, Fortis, Parmalat), new regulations for protecting society from the financial and operational risks of companies have been introduced. Companies are therefore required to assure compliance of their operations with these new regulations as well as with those already in place. Regulations are only one example of the compliance sources modern organizations deal with every day. Other sources of compliance include licenses of business partners and other contracts, internal policies, and international standards. The diversity of compliance sources introduces the problem of compliance governance in an organization. In this paper, we propose an integrated solution for runtime compliance governance in Service-Oriented Architectures (SOAs). We show how the proposed solution supports the whole cycle of compliance management: from modeling compliance requirements in domain-specific languages, through monitoring them during process execution, to displaying information about the current state of compliance in dashboards. We focus on the runtime part of the proposed solution and describe it in detail. We apply the developed framework in a real case study coming from the EU FP7 project COMPAS, and this case study is used throughout the paper to illustrate our solution.
An Integrated Solution for Runtime Compliance Governance in SOA
1. An Integrated Solution for Runtime Compliance Governance in SOA. Aliaksandr Birukou, Vincenzo D'Andrea, Frank Leymann, Jacek Serafinski, Patricia Silveira, Steve Strauch, Marek Tluczek. COMPAS: Compliance-driven Models, Languages, and Architectures for Services. "The COMPAS project will design and implement novel models, languages, and an architectural framework to ensure dynamic and on-going compliance of software services to business regulations and stated user service-requirements. COMPAS will use model-driven techniques, domain-specific languages, and service-oriented infrastructure software to enable organizations to develop business compliance solutions more easily and faster." http://www.compas-ict.eu
3. Do I care about compliance? Slide images: a bank (ECB), a nuclear plant (AEG GSE), a waste site (Ministry of Natural Resources), a transport company (Ministry of Transportation). Regulations shown: Legge n. 6 06/02/2009, Legge n. 152 13/08/2010, Sarbanes-Oxley Act, Basel III, Direttiva 2010/40/UE, Direttiva 2009/548/CE, Decreto 10/09/2010, Direttiva 2008/763/CE.
6. 2010 GRC software investment priorities (Source: AMR Research, 2009). Chart of investment priorities, with Compliance management the top category at 18%; the remaining categories (Business process management, Continuous control monitoring, Security (internal/external), Risk management, Sustainability software, Documents/record management, Reporting) range from 17% down to 10%.
8. Case study: Advanced Telecom Services. Diagram: audio providers and video providers deliver content over the Internet to the MVNO company, which streams it to customers (Bob, Alice, Carol). Compliance sources shown: AudioSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, customer contracts.
10. Compliance governance in COMPAS. Diagram elements: Internalization; Design; Regulations, business contracts, standards; Internal policies; Business processes; Events; Execution data; Internal evaluation; Business execution; Auditor; Runtime compliance governance.
12. 1. Selecting compliance sources and requirements. Compliance sources: VideoSport License, FootballGames License, EU MVNO directives, Austria Telecommunication Act 2003, customer contracts. Example requirements:
Pay-per-view plan: when the MVNO company subscribes to the Pay-per-view plan, it has to pay 29.90 euro first and then receives 300 streams from the media supplier.
Composition permission: VideoSport can only have audio streams from AudioSport.
Availability: the WatchMe service must deliver a valid URL in at least 90% of requests per customer subscription.
Solutions like COMPAS can help companies save that money by providing more automated controls.
COMPAS – Compliance-driven Models, Languages and Architectures for services
The case study we consider deals with the telecommunication domain. There is a Mobile Virtual Network Operator (MVNO) which uses the networks of other operators to provide additional services. It combines video and audio from different content providers and streams sport content to its customers over the Internet. This case study focuses on a particularly challenging environment, since the network infrastructure and many applications that provide service components are owned and managed by different enterprises, including third-party application providers, network carriers and the MVNO company. The business of the MVNO company must run in accordance with different regulations. It must also adhere to its contracts with audio and video providers and to the contracts of its customers. So it faces the problem of ensuring compliance with all those regulations and contracts. If it does not comply, it can be sued by those companies, lose customers, or lose a lot of money in fines for not following legislation. Now we will show how our approach allows the company to deal with those concerns in a systematic manner.
The compliance management cycle: (1) selecting the sources to be compliant with and designing corresponding compliance requirements; (2) (re-)designing business processes compliant with the selected requirements; (3) monitoring compliance of processes during their execution; (4) informing interested parties (managers, auditors) on the current state of compliance; (5) taking specific actions or changing the processes in cases of (predicted or actual) non-compliance. DESIGN ASPECTS – in parallel session
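The three example requirements on the "Selecting compliance sources and requirements" slide (Pay-per-view plan, Composition permission, Availability) are what step (3) of the cycle monitors and step (4) reports. The following is an added example, not COMPAS project code: it evaluates those three requirements over a constructed stream of process-execution events and returns the per-requirement compliance state a dashboard would display. The event shapes, field names, the notion of a "valid URL", and the interpretation of the pay-per-view rule as "payment precedes any delivery, at most 300 streams per subscription" are assumptions made here for illustration.

```python
"""Runtime compliance monitor over process-execution events.

Added example, not COMPAS code. Event field names, the URL validity
rule and the helper names are assumptions made for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

PPV_PRICE = 29.90         # euro, from the Pay-per-view plan requirement
PPV_STREAMS = 300         # streams owed per subscription after payment
AVAILABILITY_MIN = 0.90   # WatchMe must return a valid URL in >= 90% of requests


def is_valid_url(url):
    """Assumed notion of 'valid URL': absolute http(s) URL with a host."""
    if not isinstance(url, str):
        return False
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def check_pay_per_view(events):
    """Pay-per-view plan: the 29.90 euro payment must precede any stream
    delivery, and the supplier delivers at most 300 streams per subscription.
    Events are assumed to arrive in execution order."""
    paid = set()
    delivered = defaultdict(int)
    violations = []
    for e in events:
        if e["type"] == "payment" and e.get("plan") == "pay-per-view":
            if abs(e["amount"] - PPV_PRICE) < 0.005:
                paid.add(e["subscription"])
            else:
                violations.append(f"{e['subscription']}: wrong payment amount {e['amount']}")
        elif e["type"] == "stream_delivered":
            sub = e["subscription"]
            if sub not in paid:
                violations.append(f"{sub}: stream delivered before payment")
            delivered[sub] += 1
            if delivered[sub] == PPV_STREAMS + 1:   # report the overrun once
                violations.append(f"{sub}: more than {PPV_STREAMS} streams delivered")
    return violations


def check_composition(events):
    """Composition permission: VideoSport may only use audio from AudioSport."""
    return [
        f"{e['service']}: audio composed from {e['audio_provider']}"
        for e in events
        if e["type"] == "composition"
        and e["service"] == "VideoSport"
        and e["audio_provider"] != "AudioSport"
    ]


def check_availability(events):
    """Availability: per customer subscription, at least 90% of WatchMe
    requests must have returned a valid URL."""
    total, ok = defaultdict(int), defaultdict(int)
    for e in events:
        if e["type"] == "watchme_request":
            total[e["customer"]] += 1
            if is_valid_url(e.get("url")):
                ok[e["customer"]] += 1
    return [
        f"{c}: valid URL in {ok[c]}/{total[c]} requests ({ok[c] / total[c]:.0%})"
        for c in sorted(total)
        if ok[c] / total[c] < AVAILABILITY_MIN
    ]


REQUIREMENTS = {
    "Pay-per-view plan": check_pay_per_view,
    "Composition permission": check_composition,
    "Availability": check_availability,
}


def compliance_state(events):
    """Evaluate every requirement over the event stream. The result is the
    dashboard view: requirement -> compliant flag plus the violations found."""
    state = {}
    for name, check in REQUIREMENTS.items():
        violations = check(events)
        state[name] = {"compliant": not violations, "violations": violations}
    return state


# Constructed sample events (not real execution data).
SAMPLE_EVENTS = [
    {"type": "payment", "plan": "pay-per-view", "subscription": "sub-1", "amount": 29.90},
    {"type": "stream_delivered", "subscription": "sub-1"},
    {"type": "stream_delivered", "subscription": "sub-2"},   # no payment yet: violation
    {"type": "composition", "service": "VideoSport", "audio_provider": "AudioSport"},
    {"type": "composition", "service": "VideoSport", "audio_provider": "OtherAudio"},  # violation
]
SAMPLE_EVENTS += [{"type": "watchme_request", "customer": "Alice", "url": "https://cdn.example/s/1"}] * 9
SAMPLE_EVENTS += [{"type": "watchme_request", "customer": "Alice", "url": None}]          # 9/10: still compliant
SAMPLE_EVENTS += [{"type": "watchme_request", "customer": "Bob", "url": "https://cdn.example/s/2"}] * 8
SAMPLE_EVENTS += [{"type": "watchme_request", "customer": "Bob", "url": "not a url"}] * 2  # 8/10: violation

if __name__ == "__main__":
    for name, result in compliance_state(SAMPLE_EVENTS).items():
        print(name, "OK" if result["compliant"] else "VIOLATED", result["violations"])
```

Each requirement is a plain function from the event stream to a list of violations, so adding a requirement derived from a new source (a new license or regulation) means adding one entry to the table without touching the monitor or the dashboard. A production monitor would evaluate incrementally as events arrive rather than re-scanning the whole stream, but the checks themselves stay the same.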