the journey to business process compliance. are we there yet?

The Journey to Business ProcessCompliance. Are We There Yet?

Guido Governatori

16 November 2015

www.data61.csiro.au

Outline

• Motivation

• Business Process Compliance

• Modelling Business Processes

• A Privacy Dilemma

• No Time for Compliance

• The Regorous Approach to Business Process Compliance

2 | The Journey to Business Process Compliance. Are We There Yet? | Guido Governatori

Motivation

2000-2010 Big (financial) scandals lead to more strict regualtory frameworks withstrong compliance components

2005- Regulatory compliance emerged as a multi-billion dollars market

2005-2006 IT frameworks to support regulatory compliance:

• Governatori and Sadiq• Giblin, Liu et al.• Ghose and Koliades• Goedertier and Vanthienen

2015 10 years and 500 papers later


Business Process Compliance

What is Compliance?

Ensuring that business operations, processes, and practices are in accordancewith a given prescriptive (often legal) document

Regulatory• Basel II

• Sarbanes-Oxley

• OFAC (USA Patriot Act)

• OSFI “blocked entity” lists

• HIPAA

• Graham-Leach-Bliley

Standards• Best practice models

• SAP solution maps

• ISO 9000

• Medical guidelines

Contracts• Service Agreement

• Customer Contract

• Warranty

• Insurance Policy

• Business Partnership


Definition of Compliance

Compliance is a relationship between two sets of specifications

Alignment of formal specifications for business processes and formalspecifications for prescriptive (legal) documents.

• Conceptually sound representation of business processes

• Conceptually sound representation of and reasoning with norms


Compliance Ecosystem

Legal Space Process SpaceCompliance Space

Process Data

BP Execution

Compliance Checking

Regulatory Document

(Formal) Specification

<obligations>;<permissions>;<prohibitions;

Analysis

Translation

Monitoring

ViolationResponse

Domain ExpertsProcess Modellers

BP Models

Design TIme

Run Time

ProcessRole(s)

New or Existing

New or Existing New

Existing

Existing

ExistingExisting

ViolationDetection


Compliance Recipe

1. Formal Model of Business Processes

2. Formal Model of Relevant Norms/Normative Frameworks

3. Combine, shake well and serve!


Modelling Business Processes

Business Process Model

Self-contained, temporal and logical order in which a set of activities are executed toachieve a business goal. It describes:

• What needs be done and when (control flows)

• What we need to work on (data)

• Who is doing the work (human and system resources)


Modelling Processes

A

B

D

C

E

F

G

H

t1 : A,B,C ,D,E ,F ,Ht2 : A,B,D,C ,E ,F ,Ht3 : A,D,B,C ,E ,F ,H

t4 : A,B,C ,D,E ,G ,Ht5 : A,B,D,C ,E ,G ,Ht6 : A,D,B,C ,E ,G ,H


Annotated Traces

Let Lit be a set of literals, T be the set of traces of a process and N be the set ofnatural numbers

State : T × N 7→ 2Lit

The function State returns the set of literals describing “what’s going on in a trace tafter the execution of the n-th task in the process”.


Example

A B

C

D

Tasks

• A: “turn the light on”• B: “check if glass is empty”• C : “fill glass with water”• D: “turn glass upside-down”

Propositions

• p: “the light is on”• q: “the glass is full”

Trace 1: 〈A,B,D〉Trace 2: 〈A,B,C ,D〉

• State(i , 1) = { p }, i ∈ { 1, 2 }• State(1, 2) = { p, q }• State(2, 2) = { p,¬q }• State(2, 3) = { p, q }• State(1, 3) = { p,¬q }• State(2, 4) = { p,¬q }


A Privacy Dilemma

A Privacy Act

Section 1: (Prohibition to collect personal medical information)

Offence: It is an offence to collect personal medical information.Defence: It is a defence to the prohibition of collecting personal medical

information, if an entity immediately destroys the illegally collectedpersonal medical information before making any use of the personalmedical information

Section 2: An entity is permitted to collect personal medical information if the entityacts under a Court Order authorising the collection of personal medicalinformation.

Section 3: (Prohibition to collect personal information) It is forbidden to collect personalinformation unless an entity is permitted to collect personal medicalinformation.

Offence: an entity collected personal informationDefence: an entity being permitted to collect personal medical information.


A Business Process

Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End

Is the process compliant with the Privacy Act?


Making Sense of the Act

• Collection of medical information is forbidden.

• Destruction of the illegally collected medical information excuses the illegalcollection.

• Collection of medical information is permitted if there is an authorising courtorder.

• Collection of personal information is forbidden.

• Collection of personal information is permitted if the collection of medicalinformation is permitted

Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End

The process is not compliant


No Time for Compliance

Linear Temporal Logic for Compliance

In the past 5-10 years many compliance frameworks based on (Linear) Temporal Logichave been proposed:

• DECLARE, MoBuCom, DecSerFlow

• COMPAS

• BPMN-Q


Motivation

• Linear Temporal Logic (LTL): mature technology to verify systems

• Similarity between conditions for obligations and temporal notions in LTL

• many compliance frameworks proposed LTL to check compliance of businessprocesses

Can current compliance frameworks based on LTL be used todetermine compliance of processes with norms?


Linear Temporal Logic 101 (Syntax)

• Xφ: at the next time φ holds;

• Fφ: eventually φ holds (sometimes in the future φ); and

• Gφ: globally φ holds (always in the future φ).

In addition we have three binary operators:

• φ U ψ (until): φ holds until ψ holds;

• φW ψ (weak until): φ holds until ψ holds and ψ might not hold.

Interdefinability

• Fφ ≡ > U φ,

• Gφ ≡ ¬F¬φ,

• φW ψ ≡ (φ U ψ) ∨ Gφ


Linear Temporal Logic 102 (Semantics)

TS , σ |= as0a

s1 s2 s3

TS , σ |= Xas0 s1

a

s2 s3

TS , σ |= a U bs0

a ∧ ¬bs1

a ∧ ¬bs2

b

s3

TS , σ |= Fas0¬a

s1¬a

s2a

s3

TS , σ |= Gas0a

s1a

s2a

s3a

A formula φ is true in a fullpath σ iff it is true at the first element of the fullpath.A formula is true in a state S

TS , s |= φ iff ∀σ : σ[0] = s, TS , σ |= φ.


Obligation, Prohibition and Permission

Obligation A situation, an act, or a course of action to which a bearer is legallybound, and if it is not achieved or performed results in a violation.

Prohibition A situation, an act, or a course of action which a bearer should avoid,and if it is achieved results in a violation.

Permission Something is permitted if the obligation or the prohibition to thecontrary does not hold.


Achievement vs Maintenance Obligations

• For an achievement obligation, a certain condition must occur at least once beforethe deadline

‘Customers must pay before the delivery of the good, after receiving the invoice’

• For maintenance obligations, a certain condition must obtain during all instantsbefore the deadline:

‘After opening a bank account, customers must keep a positive balance until bankcharges are taken out’


Achievement and Maintenance Obligations inLTL

Maintenance obligationGφ G(τ → φ U δ)

Achievement obligation

Fφ G(τ → ¬(¬φ U δ))


Compliance in LTL

To determine, given a model encoding a trace of a business processand a set of formulas encoding the relevant norms, whether theformulas are satisfiable by the model.


LTL Compliance Frameworks

• Several compliance frameworks based on LTL have been proposed (e.g.,COMPAS, MoBuCOM, BPMN-Q, we focus on COMPAS ComplianceRequirement Language CRL).

• Propose templates/patterns to capture “compliance requirements” based on the“temporal order” of tasks or business process components.

• Templates correspond to temporal logic formulas


CRL Patterns

• Absence: φ isAbsent, φ does not occur in the process

G¬φ

• Existence: φ Exists, φ occurs in the the process

Fφ

• Leads To: φ LeadsTo ψ, φ must always be followed by ψ

G(φ→ Fψ)


CRL Contrary-to-duty Pattern

Pattern to represent compensations to violations

φ (LeadsTo|DirectlyFollowedBy) φ1 (Else|ElseNext) φ2 . . . (Else|ElseNext) φn

translated to

G(φ→ F|X(φ1 ∧1≤i<n−1 (F|X(φi NotSucceed) ∧ (φi NotSucceed → F|Xφi+1))))

but it does not work for maintenance obligations (prohibitions), Gφ ∧ ¬φ→ ⊥.

Gφ ∨ F(¬φ ∧ F|Xψ)


CRL Exception Patterns

Strong Exceptions: [[R]]Patternφ→ ψ

Weak Exceptions: [R]Patternφ ∨ ψ

where:

• φ is the LTL translation of R

• ψ is the LTL translation of Pattern


Privacy Act Logical Structure

• A (“collection of medical information”) is forbiddenI B (“destruction of medical information”) compensates the illegal collection

• A is permitted if C (“acting under a court order”)

• D (“collection of personal information”) is forbidden

• D is permitted if A is permitted


Privacy Act in CRL and LTL

CRL1 R1 : ([R2]A isAbsent) Else B,

CRL2 R2 : C ,

CRL3 R3 : [R4]D isAbsent,

CRL4 R4 : A isPermitted .

LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));

LTL2 G(FA ∨ G¬D).


CRL: Are We Compliant?

Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End

LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));

LTL2 G(FA ∨ G¬D).

• v(start) = {¬A,¬B,¬C ,¬D };

• v(T1) = {A,¬B,¬C ,¬D };

• v(T2) = {A,¬B,¬C ,D };

• v(T3) = {A,B,¬C ,D };

• v(end) = {A,B,¬C ,D }.

M |= LTL1 ∧ LTL2

According to CRL/LTL the process is compliant


The Regorous Approach to Business Process Compliance

The Regorous Approach

Extension, refinement of the compliance-by-design methodology proposed byGovernatori and Sadiq 2007.

1. Annotated business process models

2. Proper representation of norms based on PCL (Process Compliance Logic)

3. Simulate execution of traces and round trips to PCL reasoner

1. Determine what are the obligations in force for each state2. Determine which obligations have been fulfilled, violated, or pending3. Determine which violations have been compensated for

http://www.regorous.com


http://www.regorous.com

Modelling Norms

Norms are modelled as if . . . then . . . rules

• norms are defeasible (handling exceptions)

• two types of normsI constitutive rules: defining terms used in a legal context

A1, . . . ,An ⇒ C

I prescriptive rules: defining “normative effects” (i.e., obligations, permissions,prohibitions . . . )

A1, . . . ,An ⇒ [O]C1 ⊗ [O]C2 ⊗ · · · ⊗ [O]Cm

A1, . . . ,An ⇒ [P]C


Reasoning with Norms

1. A is a fact; or

2. there is an applicable rule for A, and either

1. all the rules for ¬A are discarded (i.e., not applicable) or2. every applicable rule for ¬A is weaker than an applicable rule for A.


The Regorous ArchitectureCompliance Checker

Logical State Representation

State(t,1)

State(t,2)

State(t,3)

State(t,4)

Rule1Rule2Rule3Rule4Rule5Rule6Rule7Rule8Rule9

...

Compliance Rule Base

Obligations

Input

...

Annotated Business Process

T2

T5

T3

T1

T4

T7 T6

Legalese Formalisation

Recommendation Sub-system recommendations

what

ifan

alys

is

Status Report


Privacy Regorously

• collection of medical information is forbiddenI c destruction of medical information compensates the illegal collection

r1 : ⇒ [O]¬medicalInfo ⊗ [O]destroy

• collection of medical information is permitted if acting under a court order

r2 : courtOrder ⇒ [P]medicalInfo

• collection of personal information is forbidden

r3 : ⇒ [O]¬personalInfo

• collection personal information is permitted if collection of medical information ispermitted

r4 : [P]medicalInfo ⇒ [P]personalInfo


Are We Regorously Compliant?

Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End



r3 : ⇒ [O]¬personalInfor4 : [P]medicalInfo ⇒ [P]personalInfo

State(start) : ¬courtOrderForce(T1) : [O]¬medicalInfo

[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End




State(start) : ¬courtOrder

Force(T1) : [O]¬medicalInfo[O]¬personalInfo

State(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfo

State(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfo

Violated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfo

Force(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroy

State(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfo

Violated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfo

State(T3) : destroyCompensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroy

Compensated(T3) : [O]¬medicalInfo



Collect

Medical

Information

Collect

Personal

Information

Destroy

Medical

Information

T1 T2 T3

Start End





[O]¬personalInfoState(T1) : medicalInfoViolated(T1) : [O]¬medicalInfoForce(T2) : [O]destroyState(T2) : personalInfoViolated(T2) : [O]¬persoanlInfoState(T3) : destroyCompensated(T3) : [O]¬medicalInfo


The Regorous Evaluation

Formalised Chapter 8 (Complaints) of TCPC 2012. Modelled the complianthandling/management processes of an Australian telco.

41 tasks, 12 decision points (xor), 2 loopsshortest trace: 6 traces longest trace (loop): 33 taskslongest trace (no loop): 22 tasksover 1000 traces, over 25000 states


The Regorous Evaluation

TCPC 2012 Chapter 8. Contains over 100 commas, plus 120 terms(in Terms and Definitions Section).Required 223 propositions, 176 rules.

Punctual Obligation 5 (5)

Achievement Obligation 90 (110)

Preemptive 41 (46)Non preemptive 49 (64)Non perdurant 5 (7)

Maintenance Obligation 11 (13)

Prohibition 7 (9)Non perdurant 1 (4)

Permission 9 (16)

Compensation 2 (2)


Conclusions

• Many scholars jumped on the compliance bandwagon

• Current Compliance Frameworks based on Temporal Logic are not able to modelreal life norms.

• Result not restricted to Linear Temporal Logic, it extends to other temporal logics

• Result is not an impossibility theorem. If one knows what are the complianttraces, one can build a set of temporal formulas corresponding to the complianttraces (but it means using an external oracle, so useless for compliance)

• Result seems to affect Deontic logics based on possible world semantics.

• PCL and Regorous are not affected by the problem, and offer a viable practicalsolution

• 5/10 years of mostly wasted opportunities and research efforts


Questions?Guido Governatori

[email protected]


[email protected]

the journey to business process compliance. are we there yet?

Technology