Uniﬁed Compliance Modeling and Management using Compliance

Descriptors

Falko Koetter

, Maximilien Kintz

, Monika Kochanowski

, Christoph Fehling

, Philipp Gildein

Frank Leymann

and Anette Weisbecker

University of Stuttgart IAT and Fraunhofer IAO, Germany, Stuttgart, Germany

University of Stuttgart, IAAS, Stuttgart, Germany

Keywords:

Business Process Management, Compliance Modeling, Model-Driven Architecture, Business Process

Compliance.

Abstract:

Due to innovations in the ﬁeld of cloud computing business processes become distributed, encompassing a

combination of services spanning multiple IT systems. Due to a growing number of regulations, managing

business process compliance in this cloud environment is a necessary task for companies, leading to a growth

in compliance management and compliance checking approaches. Compliance stems from laws and is im-

plemented in all parts of enterprise IT. Thus, both a connection between business and IT as well as a broad

coverage of compliance scenarios is necessary. To solve both challenges, we use an integrating compliance

descriptor for conceptual compliance modeling. This descriptor is used to conﬁgure a compliance manage-

ment architecture, integrating different types of compliance checking. For creating compliance descriptors, it

proved necessary to introduce a formalism and a graphical notation, which is introduced and evaluated in a

prototype and expert interviews.

1 INTRODUCTION

Cloud computing is both a chance and a challenge for

many companies (Wei and Blake, 2010), especially in

the ﬁeld of security, privacy, (Takabi et al., 2010) and

- consequently - compliance. The possibility to ac-

quire services over the cloud in order to better perform

their business processes gives companies new possi-

bilities to manage their business. However, this adds

to the complexity of the involved IT systems as well

as poses new challenges in managing these. Due to

growing regulatory requirements stemming from new

laws like the Sarbanes-Oxley Act there is an increas-

ing demand for business process compliance solutions

in the industry (Sadiq et al., 2007).

However, there is a gap between compliance man-

agement and business process management, as one is

driven by legal requirements and the other by busi-

ness needs as well as the new cloud technologies.

Additionally, compliance management spans not only

business processes but also the process environment

consisting of software systems, physical hardware

and personnel, as described in (Kochanowski et al.,

2014). Here, also compliance applications and their

needs are mentioned. This requires communication

between legal specialists, business users and IT per-

sonnel. All this makes keeping processes compliant a

cumbersome task.

As business process models and their implementa-

tion increase in complexity (Bobrik et al., 2007), man-

ual compliance checking is not feasible for large or-

ganizations. Existing IT-supported compliance man-

agement solutions focus on speciﬁc process execu-

tion environments (e.g. process engines) and only

support speciﬁc kinds of compliance rules (Kharbili

et al., 2008). As far as processes are executed within

such an environment, they can support compliance

enforcement with strict process models, transition

rules, double-checks, etc. However, not all parts of

a business process are usually contained within such

solutions, and not all of the compliance requirements

can be enforced in such a way. We found the factor

preventing effective compliance management is not a

lack of tools, but rather a lack of integration, between

different kinds of compliance checking as well as be-

tween business and IT.

To alleviate this problem, in previous work we

proposed an integrating compliance descriptor (Koet-

ter et al., 2013), which bridges legal, business and IT

levels by separating laws, compliance requirements

Koetter, F., Kintz, M., Kochanowski, M., Fehling, C., Gildein, P., Leymann, F. and Weisbecker, A.

Uniﬁed Compliance Modeling and Management using Compliance Descriptors.

In Proceedings of the 6th International Conference on Cloud Computing and Services Science (CLOSER 2016) - Volume 2, pages 159-170

ISBN: 978-989-758-182-3

159

that stem from them and compliance rules implement-

ing these requirements. As the approach encapsu-

lates compliance rules, multiple rule languages can be

used, providing integration and coverage of all kinds

of compliance requirements. We described how to

use this compliance descriptor for compliance check-

ing, gathering results from different rules and aggre-

gating them to determine requirement fulﬁllment and

law compliance (Koetter et al., 2014).

In this work, we will build on this approach by

developing a conceptual modeling language for com-

pliance descriptors and integrating it with other mod-

eling languages for processes and compliance rules.

This is the main contribution of this paper, as it

proved necessary to develop a formalism and graph-

ical modeling notation in order to facilitate creating

compliance descriptors. Using a model-driven ap-

proach, we show how a conceptual model of compli-

ance can be transformed to different artifacts neces-

sary for compliance management in a reference archi-

tecture, which is extended from previous work. Eval-

uating the work using a prototype and real-life exam-

ple, we show our approach is a feasible solution for

bridging business and IT views of process compliance

in a rule-language-independent and extensible fash-

ion. Compared to our previous work, we evaluated

the approach not only in a prototype but also with a

real-life system and real users.

The remainder of this work is structured as fol-

lows. In Section 2 an overview of work in compliance

modeling and compliance integration is given. In Sec-

tion 3 we describe conceptual compliance modeling

using the compliance descriptor. In Section 4 we de-

scribe the extensible architecture for compliance man-

agement as well as the model transformation. Sec-

tion 5 describes the prototype and evaluation. Finally,

Section 6 gives a conclusion and outlines future work.

2 RELATED WORK

Achieving Business Process Compliance is not a one-

time task, but a continuous activity. Different com-

pliance checks are performed at different phases in

the business process lifecycle. (Kharbili et al., 2008)

gives an overview of compliance checking methods

and distinguishes design-time, run-time and ex-post

compliance checking. In particular, (Kharbili et al.,

2008) notes a lack of an universal approach, support-

ing all phases of the lifecycle as well as continuous

change. To address this, we introduced an integrating

compliance descriptor in (Koetter et al., 2013). Rather

than designing yet another compliance rule modeling

language, this compliance descriptor connects laws,

compliance requirements and rules in different com-

pliance rule languages. Thus, a link between the busi-

ness and IT view of compliance requirements is pre-

served. Using this link, the impact of changes in

laws, requirements or implementation to overall com-

pliance can be assessed at any time, enabling main-

tenance of compliance in the face of change (Koetter

et al., 2014).

Similarly to the structure of the compliance de-

scriptor, in (El Kharbili et al., 2008a) three levels of

regulatory compliance are deﬁned. Regulations de-

ﬁne measures and directives which are implemented

by policies, internal controls, and procedures. Fur-

thermore, eight requirements for a compliance man-

agement framework are deﬁned, among others en-

forcement, change management, traceability, and im-

pact analysis. As in other previous work, differ-

ent types of compliance checking are identiﬁed. To

tackle these challenges, an architecture for a compli-

ance checking framework based on semantic business

process models is proposed. In this architecture, reg-

ulations are modeled as semantic policies which are

monitored by a policy monitoring component. From

these, semantic business rules are generated to be en-

forced at design-time and run-time by an inference

engine (El Kharbili et al., 2008b).

The SeaFlows Toolset (Ly et al., 2011) is a frame-

work for compliance veriﬁcation of business pro-

cesses. Using compliance rule graphs, rules can be

modeled by imposing patterns of process activities

and/or conditions on process data at speciﬁc points

in process execution. Patterns are then checked at de-

sign time, while data conditions are checked at run-

time in a BPM suite. In further work, the resource

perspective, i.e. who performs tasks, has been added

in an extended rule graph (Semmelrodt et al., 2014).

This approach is interesting both in combining run-

time and design-time rules in the same rule graph as

well as combining multiple rules in a single graph and

separating it from the process model. However, due to

the implementation techniques used, it is dependent

of speciﬁc modeling and execution environments and

doesn’t explicitly offer extensibility for other types of

compliance rules.

(Reichert and Weber, 2012, Chapter 10) inves-

tigates design-time, run-time and ex-post compli-

ance rules based on process traces, on which Lin-

ear Temporal Logic (LTL) expression or compliance

rule graphs are tested. Also the impact of process

change on compliance in models and running pro-

cess instances is tackled by investigating the changes

in compliance rules and their effects. However, only

process models and instances in a workﬂow engine

are in the scope of compliance checking.

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

160

(Schleicher et al., 2011) deﬁnes a graphical mod-

eling language for LTL rules which can be used for

design-time compliance checking. A compliance do-

main can be used to attach an LTL rule to a process

or a part of a process. In (Awad et al., 2008) BPMN-

Q, a graphical query language for business process

models is used for design time compliance check-

ing. Using compliance patterns and anti-patterns of

violations, this approach is used to visualize reasons

for compliance violations in the process model (Awad

and Weske, 2010).

Compliance of business processes reaches beyond

the scope of process models and execution, encom-

passing aspects like hosting, maintenance, encryption

and physical access control. Business process man-

agement builds on these aspects, which need to be

covered in order to guarantee overall compliance. The

Topology and Orchestration Speciﬁcation for Cloud

Applications (TOSCA

) is an OASIS standard which

allows modeling the topology of an application, in-

cluding the implementation and physical deployment

of components like web services and databases. In

(Waizenegger et al., 2013), Policy4TOSCA is de-

scribed, extending TOSCA models by so-called poli-

cies to describe non-functional requirements, which

may stem from compliance rules. These can be

checked during process deployment in order to guar-

antee a compliant hardware and software stack (Koet-

ter et al., 2014).

While checking compliance rules for a business

process can be looked at in a single-system fashion,

i.e. the process is executed in a single, homoge-

nous environment, in which compliance is checked,

in practice process compliance needs to be managed

in a multi-system fashion. One reason for this are het-

erogeneous, grown IT infrastructures found in prac-

tice (Patig et al., 2010), another reason are the differ-

ent scopes compliance rules may encompass (Khar-

bili et al., 2008).

(Knuplesch et al., 2013) describes an approach

for integrating compliance checking across multi-

ple companies in cross-organizational business pro-

cesses. Challenges arise because parts of an organiza-

tional process model may not be globally known and

because local compliance requirements may contra-

dict global compliance requirements. Thus, a notion

of compliability is deﬁned, meaning the interaction

between process partners conforms to global com-

pliance rules, even though private processes are not

known. While this approach allows integrated design-

time compliance across multiple public and private

process models, it does not address the challenge of

www.oasis-open.org/committees/tosca/ (accessed

12.3.2015)

heterogeneous process environments and other kinds

of compliance checking, though this shall be ad-

dressed in future work.

(Ramezani et al., 2012) advocates a separation

of compliance management and process manage-

ment by introducing a separate compliance engine,

which checks an implementation system for compli-

ance and interrupts it in case of risks. Compliance

rules are deﬁned on a business vocabulary from a

conceptual model of processes. By separating pro-

cess and compliance, any information system may be

checked, similar to the model-driven solution for pro-

cess monitoring used in our approach (Koetter and

Kochanowski, 2013). Similarly, any compliance rule

language may be used. This in general solves the in-

tegration problem, but requires a high degree of man-

ual implementation in the compliance engine and in

the integrated information system. To lessen the re-

quired effort, (Ramezani et al., 2014) lists methods of

assisting domain experts in the selection of applicable

existing rules from a rule repository, e.g. by question

trees.

In (Comuzzi, 2014) the problem of aligning com-

pliance rules and their implementation across part-

ners in a business network is investigated. Compli-

ance rules are deﬁned on a conceptual level and then

concretized to a speciﬁc scenario and process mod-

eling environment, which in turn are concretized in

a speciﬁc implementing technology. This resembles

a compliance descriptors separation of requirements

and rules. However, even after concretization, man-

ual implementation and integration needs to be per-

formed to achieve compliance monitoring.

(Karagiannis et al., 2012) describes a generic

compliance evaluation method extending existing en-

terprise modeling frameworks to encompass compli-

ance evaluation. Similar to this work, partial compli-

ance can be evaluated and is visualized in a heatmap.

Compliance is evaluated for individual architecture

artifacts aggregated through architecture levels. For

example, the compliance of a business process is cal-

culated form the compliance of its activities. In com-

parison, our approach has a speciﬁc process focus and

allows deﬁnition of emergent compliance rules en-

compassing multiple activities. Additionally, (Kara-

giannis et al., 2012) gives no techniques how to auto-

matically determine compliance at the bottom level,

while our approach integrates different compliance

rule languages.

(Weigand and Elsas, 2012) proposes a model-

driven method for auditing using an ontology, deter-

mining accountability and authorization and in turn

deﬁning controls to address identiﬁed risks. While an

approach like this provides the possibility to discover

Uniﬁed Compliance Modeling and Management using Compliance Descriptors

161

requirements and necessary controls, it does not cover

the actual compliance checking. A gap between deﬁ-

nition and implementation remains.

A framework for deﬁning and managing compli-

ance requirements is presented in (Papazoglou, 2011).

Requirements are deﬁned using a declarative lan-

guage and LTL. Design-time compliance checking

is supported while run-time compliance checking is

only conceptually described. Similarly to the reusable

compliance rules in this approach, patterns are used

for easier implementation of common requirement

types. Compared to this approach, extensibility of

checks, e.g. for software deployments, is not covered.

Overall, the related work shows ﬁrst steps for

solving the problem of heterogeneous environments

and the need for compliance checking to cover the

whole business process lifecycle and associated arti-

facts. However, approaches try to ﬁt all compliance

checking rules in homogenous modeling languages or

require manual rule implementation. In contrast, this

work contributes an integrating compliance manage-

ment approach, which separates business and IT view

of process compliance and encapsulates compliance

rules in any rule modeling language.

3 CONCEPTUAL COMPLIANCE

MODELING

As business process compliance needs to cover many

aspects of the enterprise, multiple artifacts need to be

modeled for compliance management. On the busi-

ness level, laws impose compliance requirements on

a business process. On the IT level, requirements are

implemented in rules which are checked throughout

the process lifecycle, e.g. at design-time, run-time

and during deployment.

Figure 1 gives an overview of compliance-related

models. A process model describes the process on

a conceptual level. This process model may be pre-

scriptive or descriptive, i.e. it may be executed or

describe the execution by other IT systems. On an

implementation level, different types of compliance

rules can be used for compliance checking. LTL

rules (Schleicher et al., 2011) are used for model

checking at design-time, e.g. for verifying the or-

der of activities. ProGoalmML rules (Koetter and

Kochanowski, 2013) are used for compliance moni-

toring at run-time, e.g. to check if timing restrictions

are kept. TOSCA policies (Waizenegger et al., 2013)

are used to verify the physical deployment of process

infrastructure, e.g. to satisfy data protection require-

ments.

For connecting the business and IT levels the com-

pliance descriptor is used. It contains all laws (and

other regulatory documents) applicable to the process.

Compliance requirements from these laws are con-

tained as well, described in natural speech as well

as in an expression referencing implementing com-

pliance rules. As the compliance descriptor serves

to integrate the business and IT levels of compliance

management, a modeling language needs to be un-

derstood both by business and IT experts. In previ-

ous work we deﬁned the structure of the compliance

descriptor on an implementation level using XML

schema (Fehling et al., 2014). While this proved suf-

ﬁcient for implementing compliance checking, creat-

ing compliance descriptors proved to be difﬁcult. To

close this gap, we will deﬁne a graphical modeling

language for compliance descriptors.

3.1 Laws

In the compliance descriptor, a law represents a reg-

ulatory document from which compliance require-

ments stem. A law l ∈ L is deﬁned as a tuple:

l ∈ L := (n

)

where n

is the name of the law, v

identiﬁes the

version of the law and P

is a set of paragraphs the law

consists of. On a technical level the law is stored as an

XHTML document, providing both human readabil-

ity due to html formatting as well as a well-deﬁned

structure for automatic processing due to xml valid-

ity. Laws need to be structured in order to make ref-

erences to paragraphs of the law possible.

Paragraphs p ∈ P

are deﬁned as a tuple:

p ∈ P

:= (n

)

where n

is the number or name of the paragraph

and c

is its content. Paragraph numbers have to be

unique within the law, but may be repeated among dif-

ferent laws. Thus, to uniquely reference a paragraph

p ∈ P

, a combination of its number n

and the law’s

name n

can be used.

We deﬁne this reference as a law url u ∈ U as fol-

lows:

u ∈ U := (n

)

with n

as the name of a law l ∈ L and n

the name of a paragraph p ∈ P

within that law. Note

that if a law url refers to a law, it may only refer to a

paragraph within that same law:

) ∈ U → p ∈ P

3.2 Entity

Entities within the process context (e.g. a process ac-

tivity or a server) are modeled as entities, so they can

be referenced by the compliance descriptor. An entity

e ∈ E is deﬁned as follows:

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

162

Rule Models

Compliance Model

ProGoalML

rules

Process Model

Laws

Requirements

LTL

rules

etc.

TOSCA

rules

Figure 1: Compliance-related models.

e ∈ E := (n

,re f

)

where n

is the name of the referenced entity and

re f

a unique reference to the entity (e.g. a reference

to an activity in a process model).

3.3 Compliance Rules

A compliance rule is an implementation level artifact

used to enforce or monitor a fact, e.g. if a variable has

a certain value, if an activity is always followed by an-

other activity or if a database is encrypted. Thus, the

concrete implementation of a rule is not stipulated by

the compliance descriptor. To provide a wide support

in regards to compliance rule languages, a rule is de-

scribed with generic attributes, allowing handling it

during compliance management without knowledge

of implementation semantics. Only during model

transformation is the concrete implementation used.

A compliance rule is described as follows:

r ∈ R := (n

,il

, ph

,rex

,V D

)

where n

is the name of the compliance rule, d

its

description in natural language. These are written by

IT personnel to give business users an understanding

of the semantics of the rule. il

is a unique identi-

ﬁer for the implementation language of the rule, e.g.

LTL. ph

identiﬁes the phase of the process lifecycle

in which the rule is applied, e.g. design-time or run-

time.

The concrete implementation is called a rule ex-

pression and stored in rex

. Depending on the type

of rule this may either be a formal description of the

rule (e.g. an XML ﬁle) or a reference to the full imple-

mentation (e.g. a reference to a graphical rule model).

In any case, a compliance rule must provide a suit-

able result for evaluation. Depending on the lifecycle

phase, a compliance rule may either be fulﬁlled (true),

not fulﬁlled (false) or not yet evaluated (unknown).

Each rule must provide these results.

To facilitate reuse of compliance rules among dif-

ferent process models and requirements, rules are

variable. This means certain parts of the rule can

be modiﬁed in order to adjust the rule to its concrete

use case. For example the name and location of a

database can be chosen. For this purpose, a so-called

variability descriptor is used (Mietzner et al., 2009),

an XML format which allows variability in arbitrary

documents by referencing variability points and pos-

sible values. The variability descriptor of a rule is

stored or referenced in V D

and is a set of variability

points vp

V D

:= {vp

}

A set of bindings B

describes which concrete val-

ues are chosen for each variability point. A binding

b ∈ B

is deﬁned as follows:

b ∈ B

:= (vp

,val

,type

)

where vp

identiﬁes the variability point that is

bound, val

is the value the variability point is bound

to, which depends on the type of the binding type

There are three types type ∈ BTY PE of bind-

ings (Mietzner et al., 2009). A constant value val

is bound to the variability point. Depending on the

variability point, this may for example be an integer

or string value. An entity e in the compliance descrip-

tor is bound to the variability point. val

identiﬁes the

entity by its name n

. A parameter indicates the vari-

ability point is not yet bound in the rule, but will be

bound later. val

indicates the number vp

shall have

in the order of parameters.

The bindings B

are called a complete binding, if:

complete(B

) := ∀vp ∈V D

: ∃b ∈ B

: vp

= vp∧

type

6= parameter

A complete binding thus provides a concrete value

for each variability point. No further information is

necessary to create a concrete rule.

On the other hand the bindings B

are called a par-

tial binding, if:

partial(B

) := (∀vp ∈ V D

: ∃b ∈ B

: vp

= vp)∧

(∃b ∈ B

: type

= parameter)

Note that even a partial binding must provide a

binding for each variability point. Bindings which fail

Uniﬁed Compliance Modeling and Management using Compliance Descriptors

163

both criteria are invalid.

3.4 Compliance Requirements

A compliance requirement is a single compliance-

related requirement to the business process or the pro-

cess environment stemming from a law. It is used to

link laws and implementation. A requirement q ∈ Q

is deﬁned as follows:

q ∈ Q := (n

,cex

)

where n

is the unique name of the requirement,

is a description of the requirement in natural lan-

guage, provided by business users. u

∈ U is a law

url referencing the paragraph the requirement stems

from. Note multiple requirements may stem from the

same law or even paragraph.

Aside from a description d

in natural language, it

contains a formal compliance expression cex

, which

describes the requirement by referencing compliance

rules. The compliance expression cex ∈ CEX is de-

ﬁned as follows:

cex ∈ CEX := ( f

cex

)

A compliance expression links multiple rules r ∈

cex

in a formula f

cex

. This formula uses Boolean op-

erators to relate rules to each other. As rules may

be variable, additional binding information may be

necessary to create the rule. This is the case if

partial(B

) is true. Then, additional bindings B

add

need to be speciﬁed for each binding b ∈ B

, where

type

= parameter. These additional bindings are

stored in B

cex

and are deﬁned as follows:

add

∈ B

cex

:= {(vp

,val

,type

)|type

parameter ∧(∃b

∈ B

: type

= parameter ∧ vp

)}

The bindings are then combined to create are so-

called ﬁnal binding:

f inal

:= B

add

∪ {b ∈ B

|type

6= parameter}

For the ﬁnal binding complete(B

f inal

) must be

true, as otherwise no concrete rule may be created.

Then no deployment of rules can take place. Note

that there may be multiple ﬁnal bindings if a rule is

used multiple times within compliance expressions.

The formula f

deﬁnes a Boolean expression link-

ing the rules R

cex

. The additional bindings B

cex

are speciﬁed using parentheses and parameter order.

Quotation marks are used to bind constants, names

without quotation marks are used to bind entities. The

formula language provides the operators AND and

OR, as well as deﬁning precedence using parenthe-

ses. Note the absence of a negation. The reason for

this is twofold. First, the negation of a rule may be

counterintuitive. For example, the negation of a rule

imposing activity A is always followed by activity B

is not that B never follows A, but rather that in at least

one possible case B does not follow A. We found that

safely using these negations requires proﬁciency in

predicate logic as well as in the implementation lan-

guage which average business users do not process.

Second, as rules may evaluate to unknown, ternary

Kleene logic (Kleene, 1952) is used to evaluate com-

pliance expressions rather than binary Boolean logic.

Thus, negations are not used to approximate the be-

havior of the rule language to the intuitive understand-

ing.

3.5 Graphical Model

Based on the formal description of the compliance de-

scriptor, a graphical modeling language is designed.

The modeling elements are shown in Figure 2, corre-

sponding to the elements deﬁned above.

A law is modeled as a rounded square with a sec-

tion sign indicating it contains multiple paragraphs.

An entity is modeled as an oval. All entities ref-

erenced in bindings must be explicitly added to the

compliance descriptor. Modeled entities may refer-

ence their counterparts in other models, e.g. an activ-

ity in a process model.

Rules are modeled as rounded squares without any

further decoration. For each entity bound in B

, a

reference to the entity has to be modeled. This ex-

plicit modeling of entities serves to visualize the im-

pact of compliance rules and requirements on the pro-

cess, which would otherwise be hidden in an attribute.

A requirement is modeled as a double rounded

square, indicating it may consist of multiple rules.

Like the rule it has to reference each entity bound

in B

cex

. Additionally, requirements have to reference

all rules R

cex

used in the compliance expression. Re-

quirements reference the law they stem from using

their law url u

. In comparison to the other refer-

ences, a law url contains an XPATH expression in-

dicating the law l

and the paragraph p

. A law url

is decorated with a section sign to distinguish it from

the other edges.

3.6 Example

Figure 3 shows a simpliﬁed example process from

our work with insurance companies (for more detail

see (Koetter et al., 2014)). This claim management is

used to automatically process damage claims from a

customer, e.g. in case of car damages. A claim is re-

ceived either digitally or in paper and stored in a cus-

tomer database. The claim is then processed to ﬁnd

additional information, e.g. if the claim is covered by

the insurance policy. Based on this data, the claim

is decided to be either accepted in full, partially ac-

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

164

Requirement

Law

Entity

Rule

LawURL

1..n1..n

0..n

1..n 1

cex

Figure 2: Modeling elements of the compliance descriptor with cardinalities and formal equivalents for all relationships.

Receive claim Process claim Decide claim

Send claim

and data

privacy

notification

Customer DB

R2: Do not

store outside

of Germany

R1a:

Follow this by

sending a data

privacy

notification

R1b:

Send at most

14 days after

claim is received

GDV Code of Conduct

BDSG data protection

R1 Notification R2 db location

hostingRegionfollowedBy maxTimeBetweenActivities Customer DB

Receive claim

Send claim and privacy notification

BDSG:§§

GDV COC:5-8

Figure 3: Example claim management process (top) and compliance descriptor (bottom).

cepted or rejected. Finally, a notiﬁcation of the result

is sent to the customer as a letter.

Two laws relevant for this process are the

Code of Conduct of the German Insurance Associa-

tion (GDV) (German Insurance Association (GDV),

2012) and the German Federal Data Protection Act

(BDSG) (Bundesdatenschutzgesetz (BDSG), 1990).

From these laws two requirements are derived as an

example. The GDV Code of Conduct states a cus-

tomer who provides personal data has to be asked in

a timely fashion if this data can be used for marketing

purposes. Requirement R1 is thus that such a noti-

ﬁcation takes place after data is received. This re-

quirement is realized using two rules, followedBy, an

LTL rule checking during design-time if an activity

is always followed by another activity, and maxTime-

BetweenActivities, a ProGoalML rule which checks at

run-time that at most fourteen days pass between re-

ceipt and notiﬁcation. The BDSG regulates storage,

processing, and exposure of data. To comply with it,

a suitable hosting provider within Germany has to be

found. Requirement R2 thus states that the customer

database is hosted within Germany. To check this, the

rule hostingRegion is used, which is a TOSCA policy

applied during deployment.

The graphical compliance descriptor for these pro-

cesses is shown in Figure 3. It references activities of

the process model and external rules (for a full speci-

ﬁcation see (Fehling et al., 2014)).

Uniﬁed Compliance Modeling and Management using Compliance Descriptors

165

4 COMPLIANCE MANAGEMENT

ARCHITECTURE

Figure 4 gives an overview of the compliance man-

agement reference architecture. An editor in the fron-

tend allows the user to graphically model a compli-

ance descriptor. Additionally, existing capabilities for

process and rule modeling can be used within the ed-

itor. All models are stored in a model repository in

the backend. From this repository, a compliance de-

scriptor in XML can be exported. To use a compli-

ance descriptor for compliance management, it needs

to be transformed into implementation speciﬁc arti-

facts. For this, the XML compliance descriptor is

read by the model transformation, which creates rule

expressions as well as a so-called VisML ﬁle (Kintz,

2012), a dashboard description language which de-

scribes how rule checking results are to be visualized.

The created rule expressions are deployed to their

speciﬁc rule checking implementations by a rule de-

ployment component. For each deployed rule a de-

ployment descriptor is created. The details of the de-

ployment descriptor depend on the type of rule, but

contain a unique identiﬁer of the rule as well as all

details necessary to undeploy it. During results gath-

ering the deployment descriptor is used to get all re-

sults from the rule checking implementations. These

results are then aggregated to determine requirement

fulﬁllment and law compliance, thus translating com-

pliance checking results from an IT level to a busi-

ness level. All kinds of results are provided in an

implementation-independent way to reporting and to

a dashboard (via a value provider). Encapsulating

rule implementations makes the architecture extensi-

ble, as only interfaces for rule deployment and result

gathering need to be added for each rule language.

The deployment descriptor handles implementation

speciﬁc data in a generic fashion throughout the pro-

cess lifecycle.

After giving an overview of the architecture, we

will describe model transformation used to create

concrete rule expressions and a visualization schema.

To create deployable concrete rule expressions,

rules R

f inal

are created for each ﬁnal binding B

f inal

resulting from a compliance expression cex.

f inal

= {(n

,il

, ph

,rex

,V D

f inal

)|B

f inal

∈

cex∈CEX

f inal

∈ B

cex

}}

Using V D

and B

f inal

, a concrete rule expression

rex

f inal

is created from rex

. This rule expression can

then be deployed to its implementation as indicated

by il

. The rule creation and deployment process is

described in detail in (Koetter et al., 2014).

Automatically creating process monitoring dash-

boards using VisML has been described in previous

work (Kintz, 2012). Using a ProGoalML ﬁle as in-

put, for each KPI or goal the appropriate visualiza-

tion is selected using a visualization mapping ﬁle, and

conﬁgured with the necessary data source and param-

eters. For the visualization of compliance require-

ments, a new visualization for the monitoring of com-

pliance requirements was designed and documented

in VisML, and the mapping ﬁle was extended. On the

back-end, a new data value provider type was imple-

mented to provide the data structure required by the

new visualization.

The new visualization for compliance (see exam-

ple in Figure 5) was conceived as follows: The dash-

board presents a box for each law. The box is labelled

with the laws’ name and colored in green if all un-

derlying requirements are met, in red if one or more

requirement is broken, and in yellow if the status is

unknown.

A dashboard user has the possibility to click on a

law box. The box is then replaced by a box for each

underlying requirement, colored as mentioned above.

Thus, the user can immediately see which require-

ments are fulﬁlled. The user can go one step further

and click on a requirement box, to show the underly-

ing rules in the compliance expression.

Tooltips provide additional information at every

stage of the drill-down process from law to require-

ment to rules. The visualization mapping ﬁle was

extended to indicate that a law mentioned in a com-

pliance descriptor should be rendered as a ”law box”

compliance visualization. The VisML generation al-

gorithm was extended as follows:

gen

f o r ea ch q ∈ Q

i f l

/∈ L

gen

:= L

gen

∪ {l

}

end i f

end f o r

i f L

gen

add co m p l i a n c e v a l u e p r o v i d e r

t o d a t a s o u r c e s

f o r ea ch l ∈ L

gen

add law box v i s u a l i z a t i o n f o r l

t o d a s h b o a r d

add law d a t a s e t f o r l

t o d a t a s e t s

end f o r

end i f

In this algorithm q ∈ Q are the compliance re-

quirements, L

gen

the laws on the top level of visual-

ization, which are found by following the law urls u

of the requirements.

The visualized data is obtained querying a data

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

166

information flow

Frontend (Editor)

Backend

Graphical modeling

Process modeling

Rule

deployment

Compliance

descriptor

XML

Stencilset

Validation

Compliance expression editor

Model

repository

Rule checking implementations

Frontend (Dashboard)

VisML

Result

gathering

Dashboard

Value

provider

Reporting

Rule modeling

Model

transformation

Deployment

descriptor

Rule

expressions

LTL

checker

aPro

monitoring

etc.

LTL ProGoalML etc.

component

document

legend

storage

Figure 4: Compliance management architecture.

source with the appropriate parameters to obtain a

data set. For compliance visualizations, a new data

source ComplianceValueProvider was designed. It

supports data sets using a parameter law, indicating

the law for which the data is requested. It supports

one or more parameters for each requirement, indi-

cating the level of drill down.

5 PROTOTYPE AND

EVALUATION

The architecture has been implemented in a proto-

type based on the Oryx editor

, a web-based mod-

eling tool. The prototype contains modeling capabil-

ities for processes, compliance descriptors, and rules

(ProGoalML and LTL).

When modeling a compliance descriptor, rules

and entities may reference other models, which can

be edited in another editor window. The compliance

descriptor is automatically converted to XML, which

is then used as a basis for model transformation. Dur-

ing model transformation, rules expressions are au-

tomatically created and deployed to their respective

rule implementations. A VisML ﬁle is generated au-

tomatically and used with the conﬁgurable dashboard

to visualize compliance checking results.

Figure 5 shows the modeling as well as the con-

ﬁgured dashboard.

http://bpt.hpi.uni-potsdam.de/Oryx (accessed

18.3.2015)

We evaluated the prototype with the example

(see 3.6) and synthetic execution data for run-time

rules. The process was modeled together with domain

experts of the example process. We found the compli-

ance, process, and rules monitoring to work as an in-

tegrated workﬂow. However, cross-model validation

and other usability features like a graphical compli-

ance expression editor may further increase usability

for business users. We found the concept of encap-

sulating implementing rules feasible. However, some

checks require additional information of the process

implementation, e.g. run-time data to check timings.

Currently, these need to be supplied manually to the

rule checking implementations. This could be par-

tially automated by allowing IT users to give global

conﬁguration ﬁles for each type of rule. The cre-

ated dashboard shows compliance on the rule, re-

quirement, and law levels. Using drilldown, the cause

for a lack of law compliance or legal fulﬁllment can

easily be found. Further implementation details can

be found in a technical report (Fehling et al., 2014).

Using these preliminary results, we further evalu-

ated the prototype in a real-life process in the German

insurance industry and in interviews with compliance

experts. Implementing compliance checking with the

real process encompassed design-time and real-time.

For design-time checking, rules for a claim manage-

ment process were created from laws and industry

guidelines and validated within the process model,

proving it to be compliant. For real-time checking,

compliance goals on process KPIs and timing restric-

tions were modeled as compliance rules, which were

Uniﬁed Compliance Modeling and Management using Compliance Descriptors

167

Figure 5: Prototype compliance descriptor modeling (left) and dashboard (right).

deployed to a model-driven process monitoring solu-

tion (Koetter and Kochanowski, 2013). Monitoring

data was acquired from the live system using exist-

ing business monitoring information, which was man-

ually integrated with the new monitoring solution.

Run-time compliance checking was performed on a

test system with real instance data. By modifying the

running system, timing rules and business rules could

be broken, resulting in a compliance violation, shown

on the dashboard and as an alert. Deployment rules in

TOSCA were not evaluated, as access to the deploy-

ment of real-life live systems was not possible. We

discussed this solution with IT personnel as well as

compliance specialists.

While IT personnel and specialists were generally

interested in the approach, it was judged as only fea-

sible with new or overhauled process. Efforts for in-

tegration were seen as high, even though partial au-

tomation is available, especially in existing infrastruc-

tures which cannot easily be changed and don’t pro-

vide access to data in real-time. Additionally, even if

rules are established, it is not possible to check past

instances, as monitoring data is gathered only at run-

time and not from existing sources (e.g. historical

data). Especially for audits compliance checking of

past process instances is necessary.

Another challenge in practice is the lack of pro-

cess automation. Knowledge-intensive processes nei-

ther fully automated nor fully structured. Employees

have a degree of freedom not captured in the pro-

cess model. Compliance rules, even if communicated

clearly to employees, are not always fulﬁlled. Ex-

amples named by interviewees are the omission of

checks to serve customers faster and the use of non-

approved or homegrown IT tools like Excel Sheets

and cloud services. This suggests the need for fur-

ther compliance rule types outside of the business

process lifecycle not covered in this work yet. Ex-

amples could be process mining tools to compare the

actual process to the prescribed process and infras-

tructure assessment tools to ﬁnd unauthorized appli-

cations, ﬁles, and communications.

Compliance experts also noted that being noti-

ﬁed about each compliance violation can be over-

whelming in large processes. Compliance as a cross-

sectional task depends on cooperation of all depart-

ments. Thus, investigating each violation indepen-

dently will not be feasible, because it will require too

many resources from other departments. Rather, com-

pliance analytics should be able to ﬁnd the root cause

of a violation beyond the violated rule.

Considering this feedback, we ﬁnd the general ap-

proach of using a compliance descriptor and different

rule languages to be feasible for automated, new or

overhauled business processes. To achieve compli-

ance in real-life, large, partially automated business

processes, the current range of functionality is not suf-

ﬁcient yet and needs to be extended considering the

deﬁcits outlined above.

6 CONCLUSION AND OUTLOOK

In this work described an integrating approach for

compliance management. A compliance descriptor

allows conceptual modeling of laws, requirements,

and implementing rules. During model transforma-

tion the conceptual model is used to conﬁgure a ref-

erence architecture for compliance management, inte-

grating different rule checking implementations. Us-

ing a prototype and real-life example, we have shown

the practical application of these concepts, includ-

ing compliance modeling, rule modeling, compliance

checking, and result visualization.

In future work we will address the results of the

practical evaluation, increasing usability of the pro-

totype and adding further rule types, encompassing

checks for partially automated processes and histori-

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

168

cal data.

ACKNOWLEDGEMENTS

The work published in this article was funded by

the Co.M.B. project of the Deutsche Forschungsge-

meinschaft (DFG) under the promotional reference

SP 448/27-1.

REFERENCES

Awad, A., Decker, G., and Weske, M. (2008). Efﬁ-

cient compliance checking using bpmn-q and tempo-

ral logic. In BPM ’08, pages 326–341. Springer.

Awad, A. and Weske, M. (2010). Visualization of compli-

ance violation in business process models. In Busi-

ness process management workshops, pages 182–193.

Springer.

Bobrik, R., Reichert, M., and Bauer, T. (2007). View-based

process visualization. In Business Process Manage-

ment, pages 88–95. Springer.

Bundesdatenschutzgesetz (BDSG) (1990). Gesetze im

Internet - Bundesdatenschutzgesetz (BDSG). http://

www.gesetze-im-internet.de/bundesrecht/bdsg 1990/

gesamt.pdf last accessed 19.01.2016.

Comuzzi, M. (2014). Aligning monitoring and compliance

requirements in evolving business networks. In On

the Move to Meaningful Internet Systems: OTM 2014

Conferences, pages 166–183. Springer.

El Kharbili, M., Stein, S., Markovic, I., and Pulverm

uller, E.

(2008a). Towards a framework for semantic business

process compliance management. In Processings of

the 1st GRCIS, pages 1–15.

El Kharbili, M., Stein, S., and Pulverm

uller, E. (2008b).

Policy-based semantic compliance checking for busi-

ness process management. In MobIS Workshops, vol-

ume 420, pages 178–192. Citeseer.

Fehling, C., Koetter, F., and Leymann, F. (2014). Compli-

ance Modeling - Formal Descriptors and Tools.

German Insurance Association (GDV) (2012). Verhal-

tensregeln fuer den Umgang mit personenbezogenen

Daten durch die deutsche Versicherungswirt-

schaft. http://www.gdv.de/wp-content/uploads/2013/

03/GDV Code-of-Conduct Datenschutz 2012.pdf

last accessed 19.01.2016.

Karagiannis, D., Moser, C., and Mostashari, A. (2012).

Compliance evaluation featuring heat maps (ce-hm):

A meta-modeling-based approach. In Ralyt, J.,

Franch, X., Brinkkemper, S., and Wrycza, S., editors,

Advanced Information Systems Engineering, volume

7328 of Lecture Notes in Computer Science, pages

414–428. Springer Berlin Heidelberg.

Kharbili, M. E., de Medeiros, A. K. A., Stein, S., and

van der Aalst, W. M. P. (2008). Business process com-

pliance checking: Current state and future challenges.

In MobIS, volume 141 of LNI, pages 107–113. GI.

Kintz, M. (2012). A semantic dashboard description

language for a process-oriented dashboard design

methodology. In Proceedings of 2nd MODIQUITOUS

2012, Copenhagen, Denmark.

Kleene, S. C. (1952). Introduction to metamathematics.

Knuplesch, D., Reichert, M., Pryss, R., Fdhila, W., and

Rinderle-Ma, S. (2013). Ensuring compliance of dis-

tributed and collaborative workﬂows. In 9th Collabo-

ratecom, pages 133–142. IEEE.

Kochanowski, M., Fehling, C., Koetter, F., Leymann, F.,

and Weisbecker, A. (2014). Compliance in bpm to-

day - an insight into experts’ views and industry chal-

lenges. In Proceedings of INFORMATIK 2014. GI.

Koetter, F. and Kochanowski, M. (2013). A model-driven

approach for event-based business process monitor-

ing. In Business Process Management Workshops SE -

41, volume 132, pages 378–389. Springer Berlin Hei-

delberg.

Koetter, F., Kochanowski, M., Renner, T., Fehling, C., and

Leymann, F. (2013). Unifying compliance manage-

ment in adaptive environments through variability de-

scriptors (short paper). In IEEE SOCA 2013, pages

214–219. IEEE.

Koetter, F., Kochanowski, M., Weisbecker, A., Fehling, C.,

and Leymann, F. (2014). Integrating compliance re-

quirements across business and it. In 18th EDOC,

pages 218–225. IEEE.

Ly, L. T., Knuplesch, D., Rinderle-Ma, S., G

oser, K.,

Pfeifer, H., Reichert, M., and Dadam, P. (2011).

Seaﬂows toolset–compliance veriﬁcation made easy

for process-aware information systems. In Informa-

tion Systems Evolution, pages 76–91. Springer.

Mietzner, R., Metzger, A., Leymann, F., and Pohl, K.

(2009). Variability modeling to support customization

and deployment of multi-tenant-aware software as a

service applications. In Proceedings of PESOS ’09,

pages 18–25, Washington, DC, USA. IEEE Computer

Society.

Papazoglou, M. (2011). Making business processes com-

pliant to standards and regulations. In Enterprise Dis-

tributed Object Computing Conference (EDOC), 2011

15th IEEE International, pages 3–13.

Patig, S., Casanova-Brito, V., and V

ogeli, B. (2010). IT Re-

quirements of Business Process Management in Prac-

tice - An Empirical Study. In Proceedings of the 8th

BPM, pages 13–28, Heidelberg. Springer.

Ramezani, E., Fahland, D., and van der Aalst, W. M. (2014).

Supporting domain experts to select and conﬁgure

precise compliance rules. In Business Process Man-

agement Workshops, pages 498–512. Springer.

Ramezani, E., Fahland, D., van der Werf, J. M., and

Mattheis, P. (2012). Separating compliance manage-

ment and business process management. In Busi-

ness Process Management Workshops, pages 459–

464. Springer.

Reichert, M. and Weber, B. (2012). Enabling ﬂexibil-

ity in process-aware information systems: challenges,

methods, technologies. Springer Science & Business

Media.

Uniﬁed Compliance Modeling and Management using Compliance Descriptors

169

Sadiq, S., Governatori, G., and Namiri, K. (2007). Mod-

eling control objectives for business process compli-

ance. In Business process management, pages 149–

164. Springer.

Schleicher, D., Fehling, C., Grohe, S., Leymann, F., Nowak,

A., Schneider, P., and Schumm, D. (2011). Compli-

ance domains: A means to model data-restrictions in

cloud environments. In 15th EDOC, pages 257–266.

IEEE.

Semmelrodt, F., Knuplesch, D., and Reichert, M. (2014).

Modeling the resource perspective of business process

compliance rules with the extended compliance rule

graph. In Proceedings of the 15th BPMDS, pages 48–

63. Springer.

Takabi, H., Joshi, J. B., and Ahn, G.-J. (2010). Security and

privacy challenges in cloud computing environments.

IEEE Security and Privacy, 8(6):24–31.

Waizenegger, T., Wieland, M., Binz, T., Breitenb

ucher, U.,

Haupt, F., Kopp, O., Leymann, F., Mitschang, B.,

Nowak, A., and Wagner, S. (2013). Policy4tosca: A

policy-aware cloud service provisioning approach to

enable secure cloud computing. In OTM 2013, pages

360–376. Springer.

Wei, Y. and Blake, M. B. (2010). Service-oriented comput-

ing and cloud computing: Challenges and opportuni-

ties. IEEE Internet Computing, 14(6):72–75.

Weigand, H. and Elsas, P. (2012). Model-based auditing

using {REA}. International Journal of Accounting

Information Systems, 13(3):287 – 310. 2011 Research

Symposium on Information Integrity & Information

Systems Assurance.

CLOSER 2016 - 6th International Conference on Cloud Computing and Services Science

170