Abstract
Given the strong increase in regulatory requirements for business processes, the management of business process compliance is becoming an increasingly recognized field in IS research. Several methods have been developed to support compliance checking of conceptual models. However, their focus on distinct modeling languages and mostly linear (i.e., predecessor-successor related) compliance rules may hinder widespread adoption and application in practice. Furthermore, hardly any of them has been evaluated in a real-world setting. We address this issue by applying a generic pattern matching approach for conceptual models to business process compliance checking in the financial sector. The approach consists of a model query language, a search algorithm and a corresponding modeling tool prototype. It is applicable (1) to all graph-based conceptual modeling languages and (2) to different kinds of compliance rules. Furthermore, based on an applicability check, we (3) evaluate the approach in a financial industry project setting with respect to its relevance for decision support in audit and compliance management tasks.
Appendices
Appendix 1 – Question guideline for evaluation
Appendix 2 – Focus group session statements
Statements Focus Group Session 1 (FGS1)
No | Lines | Participant | Statement |
1 | 6-9 | Process Expert 1 | “In ITSP we have a product management. The management has the duty when checking and developing products to check the products against legal requirements. The checking is done with the help of normative requirements by a special questionnaire for example.” |
2 | 14-17 | Process Expert 1 | “No. The product managers are located in the same unit as we are. The g-companies structure in this unit is built up like a bank. We have for example controlling units and sales units. The employees in this unit are mainly trained in banking and therefore are able to work on these issues.” |
3 | 19-30 | Manager 1 | “We might have one additional, main input for legal requirements, which is the governing unit. It is working on issues coming from the European level and clarifies what impacts legal changes on that level have for the association on a national level. It checks the legal requirements for relevance and importance. We later on get special reports. One example is the protection of customers. The product manager evaluates the generated input. In the planning process the product manager has a special section in the plan where legal requirements are considered. The range of legal requirements he has to consider is quite big. For example Basel III will probably need several projects over several years. The attachment of a bank account took several years to be implemented. It is the task of the product manager to judge the complexity of the implementation of the legal requirement and plan the costs for the implementation.” |
4 | 32-40 | Product Manager 3 | “I would like to complement that statement. We have the simple component view, meaning the specialist view in which legal requirements are considered. Focusing on processes in the core banking system, we have many processes that were developed during a project done with the governing body. The relevant governing bodies have certified all processes that have been created in that project. That means that for every process there is a person responsible for the legal and auditing aspects. The processes are furthermore continuously checked. Every process available in the core banking system has the mentioned certificate.” |
5 | 45 | Product Manager 3 | “The checking is done manually.” |
6 | 51-56 | Product Manager 3 | “One topic is the timeliness. How much time is there between the gathering of information and the implementation of their results? Especially concerning projects on federal level a lot of adjustment between the different parties is needed. Proposals are made that have to be accepted by all other parties. In the end the information comes to ITSP. A question is: how does the information come into ITSP and can a consensus be reached?” |
7 | 58-65 | Manager 1 | “I would like to complement that. Internally we have the problem of timeliness, externally we have to allow the banks to decide whether they use our legally compliant process or do I take some risks. As a bank I do not have to be totally compliant. An example is the signature checking. Up to 1000€ I might say that, if fraud is made I pay the damage done by that, instead of creating a slow process which is costly, which might be totally compliant but also very costly. Thus we have to make the processes flexible, which is quite a challenge. The bank has to be able to decide what process they use.” |
8 | 73-75 | Manager 1 | “Examples are Basel III and SEPA (Single Euro Payments Area), which has impact on all branches. All of that has to be coordinated, which is once again an internal challenge.” |
9 | 126-129 | Product Manager 3 | “I would agree that the approach is technically possible. Yet the complexity to create every possible combination should not be underestimated. Different processes, different companies executing these processes make it hard to use the approach in general.” |
10 | 148-157 | Manager 2 | “From my point of view the biggest obstacle is that right now ITSP does not consider the processes during the development of software, it is rather function oriented. The approach, however, would demand those processes. Yet, ITSP finds it hard to work process oriented. After the implementation of the new core banking system from ITSP within a bank, for example, the bank was not able to execute its processes. ITSP therefore wanted to implement a process test, which was hard to do. Considering that, creating the prerequisites (the processes and the legal requirement database) is complex. If these prerequisites exist, the application of the approach itself is of only minor complexity.” |
11 | 163-164 | Process Expert 1 | “I would say that the creation of the patterns would be a special task performed by specialists. Thus I would not see that it would be a problem.” |
12 | 173-177 | Consultant | “If the prerequisites are fulfilled the approach could be used during consultation in the banks. One could offer the service of checking the implemented processes in the bank against their compliance with this tool. However, the prerequisites have to be fulfilled, especially the processes have to be modeled.” |
13 | 193-197 | Product Manager 3 | “We are currently searching for a tool to model processes within the banks. Using the presented approach with this tool is interesting as it allows defining rules and specifications that are relevant for the complete life span of a process even if the process is changed. Thus, having process designer software that allows checking the designed processes against these specifications is very interesting.” |
14 | 199-200 | Moderator | “So you would use the pattern search approach already during the modeling phase, before the model itself is complete.” |
15 | 202-207 | Product Manager 3 | “Yes, I would try to use the approach as early as possible. For example I know I have a clear set of topics. For example the verification of identity is used in several processes, the procedure is always the same and thus could be defined once as a pattern and be checked against in several processes. Using the tool to check for the correct verification of identity already in process design would be of high value.” |
16 | 308-311 | Product Manager 3 | “All right, let’s go a bit further. For example, there is a second process building block, which indicates that the customer is already informed. One could exclude this result by creating a pattern which searches for the aforementioned infringement, but only if the customer is not already informed.” |
17 | 316-317 | Product Manager 3 | “That upgrades the result. Because it differentiates between getting many colorful pictures and getting meaningful results.” |
18 | 346-350 | Product Manager 3 | “An idea would be to go deeper into the process if a certain infringement has been identified. Taking the example shown in the presentation, ‘order execution’ seems to be the important process part. Narrowing the results down to this specific part would be helpful. Although in this example it seems to be trivial, in general there might be problems doing that.” |
19 | 352-359 | Process Expert 5 | “I have similar expectations. The tool presented is a standard tool, which is capable of creating patterns and searching for them in process models. I would expect a list of results showing up, rather than the simple indication of how many results have been found. Clicking on one of the results would lead to the specific part where an infringement can be found. Additionally different error sources can lead to dissatisfying results. The pattern might be incorrect, or the process model. As long as the tool has not been tested for several years in practice it is hard to check whether the results are correct.” |
20 | 253-254 | Product Manager 3 | “If that is the case I would evaluate the quality as perfect, because I assume that the system would find the relevant parts.” |
21 | 263-264 | Product Manager 3 | “From my point of view the result is always only as good as the models on which the search is used. That the search itself works seems obvious, for example ‘search the part ABC because it is mean’. The question is rather that the prerequisites have to be met.” |
22 | 260-261 | Process Expert 5 | “That means we have to make an assumption. The assumption is that the prerequisites are given.” |
23 | 429-438 | Process Expert 5 | “If it works automatically, meaning that you do not have to check manually with the tool. If there is for example one input for legal requirements and subsequently an expert that creates the patterns. If the patterns are checked and the result, meaning a hint that an infringement may be found at a specific process step or there is a certain step missing, is forwarded to the product manager, the manager does not have to check if an infringement is present, but can concentrate on the question whether changes have to be made or not. This would be an additional help for the product manager from the legal department, for example. The experts on that specific matter can later on define how the change has to be implemented.” |
24 | 414-417 | Process Expert 1 | “Our organizational unit has the liability for the products and services offered to the banks within ITSP. That means we have a certain liability to ensure compliance. That is the reason why I said that it has a high value for me. With the approach I can show the banks that I have considered these aspects.” |
25 | 478-479 | Process Expert 1 | “If I would accept this approach, I would use it all the time without any alternatives.” |
26 | 489-498 | Manager 2 | “I have great respect for the task of establishing the prerequisites, just like Process Expert 5 said. If I have all modeled processes and have all legal requirements and know that there is a process within ITSP that leads the creation of these patterns, then I would not see any obstacle to use the approach. But establishing the prerequisites is hard. Process Expert 5, you are probably the only one who can remember the approach taken in 2004/2005 where we worked with a database to see changes to the core banking system. From the basics this is a very similar approach and all participants agreed on the fact that it was necessary, however it did not work in practice. The only thing that remained was a database in which all newsletters are stored.” |
27 | 537-552 | Process Expert 5 | “I would like to have the process of establishing the prerequisites and the actual using of the approach to be analyzed. How has the organization to be set up, how does a process of the application of the approach look like for getting the quality of output that we demand. That means, do we need central input for legal requirements, if yes, who is that? Are the persons liable for the input of legal requirements several people, for example all product managers? Or can another organizational structure be built up? And how does a process look like that leads from the requirement over the definition of the pattern to the actual identification of an infringement? And how does that lead to a potential process adaption within the core banking system? Having the tool alone is not sufficient. The question is how can the tool be used in ITSP getting the wanted quality. This would be an additional project. We could also identify which additional benefits we could gain apart from knowing that we have legally compliant processes. Furthermore we could find out basics about process modeling alone. Namely what is needed and which tool is most beneficial. It is not sufficient to have the tool alone, the process to use the tool is also needed.” |
29 | 84-92 | Process Expert 5 | “[…] The processes are available and checking whether those processes are compliant is meaningful. On the other hand we have seen that the responsibility for this task is split among different units within the ITSP as well as the ITSP an other organizations within the association. Prerequisites for this approach are that the processes have to have been modeled as well as the legal requirements have to be collected. This is currently a problem because the needed information is not yet centrally available, it is rather distributed among different units. This is the challenge I see during the application of this process, which is meaningful.“ |
30 | 234-239 | Process Expert 1 | “Another aspect would be the certification of processes. The federal governing body for example tries to limit the variants of different processes in the bank, thus standardizing the processes. The goal behind that is to make advertisement with the compliant execution of processes. “ |
31 | 556-560 | Process Expert 5 | “Exactly. We have heard several times in the workshop that the creation of the prerequisites is a rather complex task. If all the prerequisites are met, I would say the approach is a very practicable approach.” |
Statements Focus Group Session 2 (FGS2)
No | Lines | Participant | Statement |
1 | 6-9 | Process Expert 5 | “We have a product management that is liable for the planning of products. When planning new products we always consider legal requirements. Some of the issues are also listed in the product plan in sections where those requirements are considered. This is one way of several to ensure compliance.” |
2 | 11-13 | Product Manager 1 | “Moreover, we have regulatory institutions in our federation that bundle regulatory requirements. Thus if we have questions to legal topics we can ask them.” |
3 | 32-36 | Product Manager 1 | “Very often the new regulatory requirements have only a limited time to be implemented. The time between the first time a legal change is identified and the passing of the actual law is rather short. Furthermore there are many different sources where regulatory requirements come from.” |
4 | 49-53 | Process Expert 1 | “One result from the different sources is that there is no consolidation for the different sources. There is no central database where everyone can look for legal requirements to see which are relevant for his task. Instead several teams may have to check against the same legal requirement, because there is no central input and consolidation for legal requirements.” |
5 | 55-58 | Process Expert 5 | “Another challenge is that the budget is limited. The challenge is to identify which implementation can I delay and what would be the consequence. We would like to avoid using the complete budget to implement legal requirements and not any improvements.” |
6 | 107-109 | Product Manager 1 | “That is mostly done by the governing bodies. In general we do not read the laws ourselves. We in general wait for information on upcoming changes or we ask for advice.” |
7 | 116-118 | Product Manager 2 | “Although the implementation itself is always different. The law itself might be interpreted differently. Our task is to check whether we interpreted the law correctly.” |
8 | 131-132 | Product Manager 2 | “We have to find an optimal consensus between the regulatory requirements and the usability. This is not always easy.” |
9 | 120-125 | Product Manager 1 | “One reason is of course that we first of all have to do the modeling, before we can define the patterns. From my point of view that seems to be rather complex, because you have to model all processes in the presented language and have to define the patterns accordingly. Additionally I would have to make a collection showing which laws are considered. I would say that the main complexity is to create the basics to be able to use the approach. I think the actual maintenance and usage is not that complex. The complexity for the initial creation seems to be high.” |
10 | 98-99 | Process Expert 5 | “We once had a student who made this. “Laughter.” Otherwise there is only a manual checking.” |
11 | 368-376 | Product Manager 1 | “I think it also depends on how hard is it, how extensive is it? That is the danger, either you make all, which is sensible, or you say: “Well, I know where I have to make changes”, which in case of doubt is faster than defining a pattern, searching for it. You would have to exclude that you use both approaches, leaving the new approach inconsistently. You will have to maintain the new approach as well, because otherwise you would have rag rug. You have to use it consequently. In case of doubt it might be more complex, than the approach I mentioned before, because you know where and what you have to change. In case of doubt you have to do more work.” |
12 | 397-407 | Product Manager 1 | “Or you might forget it. The danger is always that you forget about it. In one process you might consider it. Especially when the liability is distributed, one person may think of changing it, another unit may forget about it and the relevance is not present. This would be a possibility to say, alright, without considering the liability I would search the pattern. I would take a comprehensive look. This is a question of how you would organize it, that you for example do not leave every product manager alone, but define the patterns product overarching. If everyone would begin defining them on their own it would get fuzzy. That is why these patterns would have to be defined overarching. Only then I would see the advantages. Not that I only check my processes, but also processes that are in other departments.” |
13 | 537-543 | Process Expert 5 | “We discussed that also in the last workshop. You should not only see in the graphic which patterns are relevant. In their prototype in the upper right corner a number indicates how many results are found, which would be something that should be a result set as a list, with a link to the corresponding spot in the process. This list would in the end be sent to different product managers, who have to work on different parts. The results would have to be divided accordingly.” |
14 | 461-465 | Moderator | “In this case we expect the models to be of a quality that allows creating meaningful patterns. That may be ensured by the approach, University Representative 1 mentioned, in which the modeler is forced to use a certain name or with the approach I have taken, in which the combination of semantic building block and attribute defines which activity is meant.” |
15 | 649-657 | Process Expert 4 | “I do not think so. For such a great regulatory topic like SEPA it may be helpful, if the processes are modeled very detailed. If there is a change on field level the tool is helpful. If you know the change affects monetary transactions you can use your common sense to identify which processes are affected. Although I think for securities it is different.” |
16 | 659-660 | Process Expert 4 | “If you are on such a detailed level, ok. But we do not go into detail that much with this tool.” |
17 | 676 | Process Expert 1 | “But you are right, the models have to be detailed, you are right.” |
18 | 740-748 | University Representative 2 & Process Expert 4 & Process Expert 2 & Moderator | UR2: “Would you say that a direct link to a process step would be interesting?” PE4: “Yes.” PE2: “Yes.” Mod: “The latter is basically what the tool provides. Although I made a distinction in the mindmap concerning the processes, it was very high level. The tool allows going deeper into the process.” |
19 | 770-773 | Client Service 1 | “Yes and in this context I would say that such an approach, which shows me where changes may have to be made would be relevant for all divisions and our division, which is talking directly to representatives of the banks, may get some additional insights.” |
20 | 787-793 | Product Manager 1 | “[…] You said before that it is possible to link the used software and components to process steps. I think that would be quite useful. Because sometimes you think you have to develop something new although it is already existing. The search could help to find out what I already have and if I really need to develop something new or could simply change something already existing. This is an issue, because the liability is distributed. Checking something like that centrally would be useful.” |
21 | 812-813 | Process Expert 2 | “The models are available, it delivers totally correct results and no manual checks have to be performed, ok.” |
22 | 855-857 | Product Manager 2 | “Why should I use a different approach if this one is working? I would most certainly use the new approach and only for some spot tests I would check manually.” |
23 | 888-891 | Product Manager 1 | “The definition of the search criteria. Basically the definition of these patterns. I cannot estimate right now how complex that is and whether it can be done by anyone. I don’t know whether it is easily possible or whether you need extensive knowledge.” |
Appendix 3 – Compliance patterns
Infringement patterns
Risk management patterns
Legal requirement identification patterns
Change management patterns
Appendix 4 – Complete process model
Appendix 5 – Occurrences of compliance patterns
Cite this article
Becker, J., Delfmann, P., Dietrich, HA. et al. Business process compliance checking – applying and evaluating a generic pattern matching approach for conceptual models in the financial sector. Inf Syst Front 18, 359–405 (2016). https://doi.org/10.1007/s10796-014-9529-y
DOI: https://doi.org/10.1007/s10796-014-9529-y