Indicator-based Policy Compliance of Business Processes


Bibliographic Details
Main Author: Shamsaei, Azalia
Other Authors: Amyot, Daniel
Language: en
Published: Université d'Ottawa / University of Ottawa 2012
Online Access: http://hdl.handle.net/10393/23476
http://dx.doi.org/10.20381/ruor-6171
Description
Summary:

Background: Business process compliance management has recently attracted a lot of attention in both business and academia as it enables organizations to not only control and monitor their business processes from a legal point of view but also to avoid financial penalties and undesirable consequences to their reputation.

Objective: This thesis aims to provide a framework that would enable organizations to: 1- Discover business processes that violate regulations, laws and policies; 2- Discover the importance level of business processes based on the organization’s goals; 3- Determine the impact of compliance-related process modifications on business goals, including conflicting goals between stakeholders, and on policies; and 4- Enable organizations to measure the level of business process compliance for one or multiple policies.

Methodology: A systematic literature review in the area of goal-oriented business process compliance management and measurement has been conducted, which showed that balancing legal compliance obligations with business objectives remains a difficult challenge. A new Indicator-based Policy Compliance Framework (IPCF), which combines policy and rule models together with models capturing business goals (with their relative importance to the organization) and business processes, has been proposed. This framework builds on the User Requirements Notation (URN), which is the first international standard to combine goal modeling with scenario modeling. The intents and objectives of policies have been modeled, as well as the goals and business processes of organizations, and indicators are used to measure the compliance level of policies. This enables the detection of non-compliant business processes and the evaluation of the impact of compliance-related process modifications on business goals. Human resource policies and business processes are used as an example to illustrate the method. Aerodrome security regulations and business processes are then used to validate the method in a real-life environment. Comparisons to related work, evaluation against different sets of criteria, and tool support complement the framework validation.

Results: The Indicator-based Policy Compliance Framework enables organizations to discover business processes that violate policies as well as other types of rules, regulations, and laws. Guidelines for modeling legal text with URN’s Goal-oriented Requirement Language (GRL) are proposed. Furthermore, IPCF helps determine the impact of compliance-related process modifications on business goals, including conflicting goals between stakeholders, and on policies. In addition, as policies sometimes apply differently to different types of organizations, a new profile for GRL, with suitable stereotypes, well-formedness constraints, and a modified analysis algorithm defined for GRL model families is used to evaluate the satisfaction level of individual goal models that are members of a larger family model. Finally, the proposed IPCF enables organizations to measure the level of business process compliance for one or multiple policies, and such measures can be visualized directly in URN models but also through interactive Business Intelligence portals, for a wider diffusion.