Dr. Shazia Sadiq (ITEE/UQ)
Dr. Guido Governatori (ITEE/UQ)
Dr. Zoran Milosevic (Deontik Pty Ltd.)
Recent Publications
Shazia Sadiq, Guido Governatori, Kioumars Namiri (2007). Modelling Control Objectives for Business Process Compliance. 5th International Conference on Business Process Management (BPM 2007), 24-28 September 2007, Brisbane, Australia.
Ruopeng Lu, Shazia Sadiq, Guido Governatori (2007). Compliance Aware Business Process Design. 3rd International Workshop on Business Process Design (BPD'07), in conjunction with the 5th International Conference on Business Process Management, 24-28 September 2007, Brisbane, Australia.
Guido Governatori, Zoran Milosevic, Shazia Sadiq, Maria Orlowska (2007). On compliance of business processes with business contracts. Technical Report 12216, School of Information Technology and Electrical Engineering, The University of Queensland, 2007.
Zoran Milosevic, Shazia Sadiq, Maria Orlowska (2006). Translating business contract into compliant business processes. Proc. 10th IEEE International Conference on Enterprise Distributed Object Computing (EDOC 2006), Hong Kong, 16-20 October 2006.
Guido Governatori, Zoran Milosevic, Shazia Sadiq (2006). Compliance checking between business processes and business contracts. Proc. 10th IEEE International Conference on Enterprise Distributed Object Computing (EDOC 2006), Hong Kong, 16-20 October 2006.
Zoran Milosevic, Shazia Sadiq, Maria Orlowska (2006). On Deriving Process Models from Business Contracts. 4th International Conference on Business Process Management (BPM 2006), Vienna, Austria, 2006.
Zoran Milosevic, Maria Orlowska, Shazia Sadiq (2006). Linking contracts, processes and services: an event-driven approach. IEEE International Conference on Services Computing (SCC 2006), Chicago, USA, September 2006.
Vineet Padmanabhan, Guido Governatori, Shazia Sadiq, Robert Colomb, Antonino Rotolo (2006). Process Modelling: The Deontic Way. In Markus Stumptner, Sven Hartmann and Yasushi Kiyoki (eds.), Asia-Pacific Conference on Conceptual Modelling 2006, number 53 in Conferences in Research and Practice in Information Technology (CRPIT). Australian Computer Society.
Research Premise
(c) Shazia Sadiq, Guido Governatori, 16 Feb 2007
The importance of compliance has increased dramatically over the last few years for businesses in several industry sectors. Essentially, compliance is ensuring that business processes, operations and practice are in accordance with a prescribed and/or agreed set of norms. Compliance requirements may stem from legislation and regulatory bodies (e.g. Sarbanes-Oxley, Basel II, HIPAA), standards and codes of practice (e.g. SCOR, ISO 9000) and also business partner contracts. Compliance-related software and services are expected to reach a market value of over $27 billion this year, with $6 billion of that invested in ensuring necessary and sufficient internal financial controls for the Sarbanes-Oxley Act of 2002. The boost in business investment is primarily a consequence of regulatory mandates that emerged in response to recent events that led to some of the largest scandals in corporate history, such as Enron and, more locally, HIH. In spite of mandated deadlines (e.g. under Section 404, publicly traded companies listed in the US must have internal policies and controls in place and comply by the end of their fiscal year after July 15, 2006), there is evidence that many organizations are still struggling with their compliance initiatives.
A number of compliance solution providers are currently active. Primarily these are large consulting firms such as PricewaterhouseCoopers, Deloitte etc. However, software vendors are also emerging, ranging from large corporations with products such as IBM Lotus Workplace for Business Controls & Reporting, Microsoft Office Solution Accelerator for Sarbanes-Oxley and the SAP GRC (Governance, Risk and Compliance) solution, to niche vendors such as OpenPages, Paisley Consulting, Qumas Inc. etc.
Compliance is predominantly viewed as a burden, although there are indications that businesses have started to see the regulations as an opportunity to improve their business processes and operations. A recent report mentions that up to 80% of companies said they expected to reap business benefits from improving their compliance regimes. Currently there are two main approaches to achieving compliance.
First is retrospective reporting, wherein traditional audits are conducted for “after-the-fact” detection, often through manual checks by expensive consultants. With increasing pressures and penalties for non-compliance, this approach is rather limited.
A second and more recent approach is to provide some level of automation through automated detection. The bulk of existing software solutions for compliance follow this approach. The proposed solutions hook into a variety of enterprise system components (e.g. SAP HR, LDAP directory, groupware etc.) and generate audit reports against hard-coded checks performed on the requisite system. These solutions often specialize in a certain class of checks, for example the widely supported checks that relate to Segregation of Duty violations in role management and user provisioning systems. However, this approach still resides in the space of “after-the-fact” detection: a violation is reported only once it already exists in the system. The time spent on assessment is reduced, at least for the class of checks supported by the solution provider, and correspondingly the time to remediation and/or mitigation of control deficiencies is also improved. This improvement is much sought after, as is evident from the heavy investment in compliance software during the last few years.
A major issue with the above approaches (in varying degrees of impact) is the lack of sustainability. The current trend of industry solutions is focused on massive “get-clean” initiatives. There is little evidence of solutions that provide sustainable approaches empowering organizations to “stay-clean”. Even with an automated detection facility, hard-coded check repositories can quickly grow out of control, making it extremely difficult to evolve and maintain them for changing legislation and compliance requirements. In addition to external pressures, there is often a company-internal push towards quality of service initiatives for process improvement, which have similar requirements for compliance relating to tactical directions. The complexity of the situation is exacerbated by the presence of dynamically changing collaborative processes shared with business partners. Adapting these systems to requisite compliance needs is extremely costly and very time consuming. The scale and complexity of compliance requirements warrant a highly systematic and well-grounded approach.
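As an added illustration of the Segregation of Duty checks mentioned above (example code written for this page, not code from the UQ project or from any vendor named here), the following Python runs a constructed role-assignment export against a declarative rule table rather than a hard-coded function per conflict, so that a change in policy changes the table and not the checker. The user, role and rule names are invented for the example. It also expands composite roles before checking, since a check over direct assignments alone would miss a conflict that a user inherits through a composite role.

```python
"""Segregation-of-duty (SoD) detection driven by a declarative rule set.

Added example for this page, not code from the UQ project or from any
vendor product named on it. The users, role hierarchy and rule set are
constructed inline to stand in for an export from a role-management or
user-provisioning system (e.g. an HR or directory extract).
"""


# Constructed sample: direct role assignments per user.
ASSIGNMENTS = {
    "alice": {"vendor_create", "invoice_approve"},
    "bob":   {"invoice_approve"},
    "carol": {"vendor_create", "ap_manager"},
    "dave":  {"payment_release"},
}

# Constructed role hierarchy: a composite role grants its member roles.
# SoD checks that look only at direct assignments miss conflicts that
# arrive through composite roles, so the checker expands them first.
ROLE_HIERARCHY = {
    "ap_manager": {"invoice_approve", "payment_release"},
}

# Declarative rule set (assumed format): each rule names two duties that
# no single user may hold together and carries an id tying it back to the
# control objective. Changing policy changes this table, not the code.
SOD_RULES = [
    {"id": "SOD-AP-01", "conflict": ("vendor_create", "invoice_approve")},
    {"id": "SOD-AP-02", "conflict": ("invoice_approve", "payment_release")},
    {"id": "SOD-AP-03", "conflict": ("vendor_create", "payment_release")},
]


def effective_roles(direct_roles, hierarchy):
    """Transitively expand composite roles into the full set of granted roles."""
    effective = set()
    pending = list(direct_roles)
    while pending:
        role = pending.pop()
        if role in effective:
            continue  # already expanded; this also guards against cycles
        effective.add(role)
        pending.extend(hierarchy.get(role, ()))
    return effective


def find_violations(assignments, rules, hierarchy=None):
    """Return sorted (user, rule_id) pairs for every rule a user violates.

    A violation is recorded when both duties named by a rule appear in
    the user's effective (expanded) role set.
    """
    hierarchy = hierarchy or {}
    findings = []
    for user, direct in assignments.items():
        roles = effective_roles(direct, hierarchy)
        for rule in rules:
            left, right = rule["conflict"]
            if left in roles and right in roles:
                findings.append((user, rule["id"]))
    return sorted(findings)


def report(findings):
    """Group findings by user, the shape an audit report would consume."""
    by_user = {}
    for user, rule_id in findings:
        by_user.setdefault(user, []).append(rule_id)
    return by_user


if __name__ == "__main__":
    found = find_violations(ASSIGNMENTS, SOD_RULES, ROLE_HIERARCHY)
    for user, rule_ids in report(found).items():
        print(f"{user}: {', '.join(rule_ids)}")
```

With the hierarchy supplied, carol is flagged on all three rules because ap_manager grants her both invoice_approve and payment_release on top of her direct vendor_create; run without the hierarchy, the same data yields only alice's direct conflict, which is exactly the class of finding a shallow provisioning-system check misses.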
We believe that a sustainable approach for achieving compliance should fundamentally have a preventative focus. As such, we envisage an approach that provides the capability to capture compliance requirements through a generic requirements modelling framework, and subsequently facilitate the propagation of these requirements into business process models and enterprise applications, thus achieving compliance by design.
In light of the heavy social, economic and environmental costs of non-compliance, a priori embedding of requisite checks and triggers into the enterprise applications is clearly desirable, but also extremely difficult given that the technology landscape of today’s organizations is disparate and distributed. This is further complicated by several factors: legacy systems, distributed operations, outsourcing, and imperfect work practices, to name a few. Furthermore, compliance requirements are also vastly varied. For example, the internal financial controls required by Sarbanes-Oxley and Basel II raise issues of data cohesion and integrity, demanding guarantees of data retention and the ability to discover lineage and provenance. OFAC (USA PATRIOT Act) and blocked-entity lists raise challenges in data matching due to complex and heterogeneous name forms. Similarly, regulations such as HIPAA and GLB raise issues of privacy protection, requiring strict checks in access control and role management.
The brute-force approach based on hard-coding, as adopted by current compliance vendors, is destined to lead to serious problems for organizations as they strive to demonstrate compliance for the diversity of checks that exist. We refer here to the success of process enforcement technologies that relied on the principles of separation of concerns and abstraction as an inspiration for generic and sustainable solutions for compliance. The componentisation of enterprise services and the development of open and standard interfaces for service interactions have greatly facilitated the success of these model-driven approaches to enterprise system development. We argue that compliance checks must similarly be supported through a generic requirements modelling facility that empowers the enterprise to handle its compliance requirements through a configurable and model-driven approach.
Several questions arise in this regard. Can we build a generic modelling facility to capture compliance requirements? What would be the formal underpinning for such a specification? Can we analyze and validate the specification? Can we relate compliance requirements to enterprise system components (processes, transactions, data)? Can we provide tools and methods to facilitate the understanding of this relationship? Can we devise a mechanism for the (semi-)automated propagation of compliance checks into enterprise (process and application) models? Is compliance by design achievable? If yes, what are its conceptual limitations?
