managing business process compliance - oktay turetken mumc+ 19-mar-2013

Uploaded by: oktay-turetken. Posted on 13-Jul-2015. Category: Business.

TRANSCRIPT

Managing Business Processes Compliance

Dr. Oktay Turetken
Information Systems, School of Industrial Engineering, Eindhoven University of Technology (TU/e)

Maastricht University Medical Center (azM / MUMC+) 19.Mar.2013

Outline

• Compliance and Directives
• Challenges in Managing Business Process Compliance
• Key Components of Compliance
• Business Process Lifecycle and Compliance Management
• Case Studies and Findings

Dr. O. Turetken, Managing Business Process Compliance    MUMC+, 19.Mar.2013

‘Business Process’ Compliance

Acting in accordance with established requirements emerging from laws, regulations, policies, standards, protocols, specifications, etc.


Directives

External sources
• Laws, regulations, & public policies
  • EU Directives, Sarbanes Oxley, FINRA, ...
  • Privacy/data protection, consumer protection, ...
  • Sector specific regulations: HIPAA (US Healthcare), Basel III (Finance/Banking), ...
• Standards and Codes of Practice
  • ISO Standards: ISO 9000, ISO/IEC 27000, ISO 14000, ...
  • EFQM, PRINCE II, CMMI, COBIT, ITIL, ...
  • Sector Specific Standards: NIAZ, HKZ, ...

Internal sources
• Internal policies
• Business rules
• QoS, security policies, ...

Mutual agreements
• Service level agreements (SLA)
• Business contracts, ...

Acts to restore public confidence ...

• To restore public confidence in corporate governance, laws/regulations were issued
• Require organizations to:
  • Identify the obligations (directives) to be complied with
  • Review their business processes
  • Ensure that they meet the compliance requirements set forth
• Without effective compliance mechanisms in place ...
  • Loss of reputation/confidence, bankruptcy, litigation risks, criminal penalties, ...

Examples:
• Sarbanes Oxley (SOX), US
• CLERP9, AUS
• EU Directives 2006/43/EC, etc.

Current Challenges in Managing BP Compliance

• Manual checks, audits on business processes - still predominant
• Retrospective reporting - traditional audits for “after-the-fact” detection
• Compliance solutions - automated detection, but typically “after-the-fact”
  • Oracle GRC Accelerators, SAP BusinessObjects GRC - vendor lock-in
• Organization’s IS solutions
  • Manage compliance in an ad-hoc manner
  • Hand-crafted for particular compliance problems
  • Systems become ...
    • Hard to maintain and evolve, reuse (custom made narrow solutions)
    • Hard to formally verify against compliance
• Fail to explicitly manage compliance requirements:
  • To trace them back to the compliance sources
  • ... and forward to the business processes

/-012%"#.*&E&F*G&/-01-#*#4)&

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)

Prevention

Response

Detection

Set the Tone Senior Mng. Commitment

•! Set the tone for the company •! Define business objectives •! Identify the obligations to be

complied with

Have the Processes & Policies in place

•! Perform Risk Assessment •! Identify processes/procedures

to mitigate risks •! Tailored to the organization

and its units

Communicate/Train •! Carry the message from the top •! Explain the process/policies

Continuous Monitoring of

Processes

Formal (structured)

Internal Auditing

How do you react in case of

problems?

•! Who is involved? •! What is the

policy? •! How to address

and remediate? •! How to feed back?

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)

Figure: BPMN model of the Laparoscopic (Keyhole) surgery process. Lanes and roles: Surgical Suite; Outpatient Department (Physician, Medical Tech. Assistant); Surgical Ward (Nurse, Physician). Activities: Admit Patient, Perform Checkup, Examine Patient, Make a decision, Write Discharge Letter, Schedule Surgery, Check Patient Record, Admit Patient (ward), Perform Surgery, Prepare Patient, Send Patient to Surgical Suite, Transport Patient to Ward, Make Lab Test, Provide Postsurgical Care, Discharge Patient, Write Discharge Letter; decision gateway: Surgery OK.

Original process model at: M. Reichert, B. Weber: Enabling Flexibility in Process-Aware Information Systems, Springer, 2012

Being Compliant

• Suppose our Hospital wants to be NIAZ accredited ...
• Section 516 - Prg. 11
  • 516.11: The provision of information for the patient about the intended research, his/her state of health and the proposed treatment occurs in a manner which enables him/her to grant his/her permission after due deliberation (informed consent).
• Reflect the requirement on our process / Perform risk assessment
• Special Requirements:
  • C1- Before the surgery, the patient must be informed about the risks of the (planned) surgery.
  • C2- Before the surgery, the patient has to be informed about anesthesia.

Figure: the Laparoscopic (Keyhole) surgery process model again (same lanes and activities as the figure above).

Figure: the Laparoscopic (Keyhole) surgery process model extended for C1 & C2. In the Outpatient Department, Examine Patient is followed by Inform Patient about Risks and Inform Patient about Anesthesia (Physician) before Make a decision and Schedule Surgery; the other lanes (Surgical Suite; Surgical Ward with Nurse and Physician) and activities are as in the figure above.

Original process model at: M. Reichert, B. Weber: Enabling Flexibility in Process-Aware Information Systems, Springer, 2012

Being Compliant

• Suppose our Hospital wants to be NIAZ accredited ...
• Section 51? - Prg. 17
  • 51?.17: The organisation has agreements about the transfer of information between the members of staff and the working units who are involved in the same care and other process.
• Reflect the requirement on our process / Perform risk assessment
• Special Requirements:
  • C3- After performing the surgery, a surgery report must be created and should be considered by the physician in the surgical ward in the writing of the discharge letter.

Figure: the Laparoscopic (Keyhole) surgery process model further extended for C3. Create Surgery Report is added in the Surgical Ward alongside Make Lab Test, after Perform Surgery and before Write Discharge Letter; the remaining lanes and activities (including the C1 & C2 additions Inform Patient about Risks and Inform Patient about Anesthesia) are as in the figures above.

Conceptual Model (for the Compliance Repository’s key elements)

BP Compliance Management Operational Components

Business process lifecycle phases:
• Business Process Analysis & Design
• Business Process Execution
• Business Process Monitoring & Optimization

Operational components:
• Objective Setting and Boundary Identification
• Risk Assessment & Response
• Design Controls
• Preventive Design-time Compliance Verification
• Preventive Runtime Compliance Monitoring
• Detective Offline Compliance Analysis & Monitoring

Conceptual model entities and relations:
• Directive/Source
• Compliance Requirement / Control Objective: originates from a Directive/Source
• Risk
• Control: formalized by a Control Rule
• Process, Process Element
• Process Instance, Process Element Instance
• Relation labels in the figure: originate from, formalized by, refer, have

Examples of Concepts

• Directive/Source: COBIT PO4.11, Internal Policy 4.11, NIAZ 2.3 516.11
• Compliance Requirement / Control Objective (originates from the directives above): Patient should be informed about the status and proposed treatment, and his/her permission should be granted after due deliberation
• Risk: Surgery without patient consent
• Controls (the risk is prevented by / mitigated by them):
  • Before the surgery, the patient should be informed about the risks of the (planned) surgery.
  • Before the surgery, the patient should be informed about anesthesia.
• Control Rules (the controls are implemented by / formalized by them):
  • G (Examine Patient → F Inform Patient about Risks.Role(‘Physician’))
  • ¬Schedule Surgery W (Inform Patient about Anesthesia.Role(‘Physician’))
• Process: Laparoscopic (Keyhole) Surgery
• Process Elements referred to: Physician, Examine Patient, Inform Patient about Risks

CRM Demo: http://eriss.uvt.nl/compas/
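Added example (not the talk's code and not the COMPAS tool-suite): a minimal compliance repository shaped after this conceptual model, loaded with the slide's own example (COBIT PO4.11, NIAZ 2.3 516.11, the informed-consent requirement, controls C1 and C2), that answers the two traceability questions raised on the challenges slide, back from a process element to its sources and forward from a directive to the process elements it constrains, and lists the control rules to re-verify when a directive changes. The class and method names and the ids R1, C1, C2 are assumptions.

```python
"""Traceability over the conceptual model on the slides (Directive/Source ->
Compliance Requirement -> Risk, Control -> Control Rule -> Process Element).
Added example; not code from the talk or the COMPAS tool-suite. Class names,
ids and query functions are assumptions; the content is the slide's example."""
from dataclasses import dataclass, field


@dataclass
class Control:
    id: str
    text: str
    rule: str              # pattern-based / LTL control rule formalizing the control
    elements: list         # process elements the rule refers to (activities, roles)


@dataclass
class Requirement:
    id: str
    text: str
    sources: list          # Directive/Source ids the requirement originates from
    risk: str
    controls: list = field(default_factory=list)


class ComplianceRepository:
    """Holds requirements and controls and answers the two traceability questions
    from the challenges slide: back to the sources, forward to the process."""

    def __init__(self):
        self.requirements = {}
        self.controls = {}

    def add(self, req, *controls):
        self.requirements[req.id] = req
        for c in controls:
            self.controls[c.id] = c
            req.controls.append(c.id)

    def trace_back(self, element):
        """Process element -> directives/sources that justify checks on it."""
        sources = set()
        for req in self.requirements.values():
            if any(element in self.controls[cid].elements for cid in req.controls):
                sources.update(req.sources)
        return sorted(sources)

    def trace_forward(self, source):
        """Directive/source -> process elements constrained because of it."""
        elements = set()
        for req in self.requirements.values():
            if source in req.sources:
                for cid in req.controls:
                    elements.update(self.controls[cid].elements)
        return sorted(elements)

    def rules_to_reverify(self, source):
        """When a directive changes, these formal control rules must be verified again."""
        return sorted(self.controls[cid].rule
                      for req in self.requirements.values() if source in req.sources
                      for cid in req.controls)


def build_demo_repository():
    """The slide's example, entered as constructed repository content."""
    repo = ComplianceRepository()
    informed_consent = Requirement(
        id="R1",
        text="Patient should be informed about the status and proposed treatment, "
             "and his/her permission should be granted after due deliberation",
        sources=["COBIT PO4.11", "Internal Policy 4.11", "NIAZ 2.3 516.11"],
        risk="Surgery without patient consent")
    c1 = Control("C1", "Before the surgery, the patient should be informed about the risks",
                 "G (Examine Patient -> F Inform Patient about Risks.Role('Physician'))",
                 ["Examine Patient", "Inform Patient about Risks", "Physician"])
    c2 = Control("C2", "Before the surgery, the patient should be informed about anesthesia",
                 "not Schedule Surgery W (Inform Patient about Anesthesia.Role('Physician'))",
                 ["Schedule Surgery", "Inform Patient about Anesthesia", "Physician"])
    repo.add(informed_consent, c1, c2)
    return repo


if __name__ == "__main__":
    repo = build_demo_repository()
    print("sources behind 'Examine Patient':", repo.trace_back("Examine Patient"))
    print("elements constrained by NIAZ 2.3 516.11:", repo.trace_forward("NIAZ 2.3 516.11"))
    print("rules to re-verify if COBIT PO4.11 changes:", repo.rules_to_reverify("COBIT PO4.11"))
```

The two queries are the "trace back" and "trace forward" links the challenges slide says ad-hoc solutions lack; keeping rules attached to controls, and controls to requirements with their sources, is what makes a changed directive answerable with a concrete re-verification list.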

Modeling with Process Control Patterns

Figure: control modeling and control rule generation. Concepts in the figure: Control, Directive/Source, Control rule, Risk, Compl. requirement. Control Modeling: a compliance requirement (e.g. “Before the surgery, the ...”) originates from a Directive/Source and is addressed by a Control. Control Rule Generation: the Control is formalized as a Control rule (e.g. “G (Examine Patient ...”) built from the CONTROL PATTERNS.

/-#4,-2&+"P*,#)&

ORDER PATTERNS

Precedes

LeadsTo

XLeadsTo

PLeadsTo

Chain Precedes

Chain LeadsTo

Else

ElseNext

OCCURRENCE PATTERNS

Exists

Absent

Universal

CoExists

CoAbsent

Exclusive

CoRequisite MutexChoice

RESOURCE PATTERNS

PerformedBy

Segregated From

USegregatedFrom

BondedWith

RBondedWith

Multi-Segregated

Multi-Bonded

TIME PATTERNS

Within

After

ExactlyAt

Max/Min

Every

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)

/-#4,-2&+"P*,#)&*Q12"%#*9&&

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM) MAY/JUNE 2012 | IEEE SOFTWARE 33

TAB

LE

1 Business process control patterns.

Pattern Description*

Orde

r

Basic

Q Precedes P Q must precede P.

P LeadsTo Q Q must follow P.

P XLeadsTo Q Q must immediately follow P.

P PLeadsTo Q P and Q must occur sequentially.

Adva

nced

(P, S, ...) ChainLeadsTo (Q, T, …) A sequence of Q, T, … must follow a sequence of P, S, ....

(Q, T, …) ChainPrecedes (P, S, …) A sequence of Q, T, … must precede a sequence of P, S, ....

P LeadsTo Q Else S Else T Else … If condition P is true, then Q should occur; if Q can’t be satis!ed, then S should occur (which compensates for the violation of Q); if S is violated, then T should occur; and so on.

Occu

rrenc

e

Basi

c

P Exists P must exist in the process speci!cation.

P Absent The process speci!cation must be free of P.

P Universal P must occur or be valid throughout the speci!cation.

Adva

nced

P CoExists Q If P is present, then Q must also be present.

P CoAbsent Q If P is absent, then Q must also be absent.

P Exclusive Q If P is present, then Q must be absent, and vice versa.

P CoRequisite Q Both P and Q must be present or absent.

P MutexChoice Q Either P or Q must be present.

Reso

urce

Basi

c

P PerformedBy Q Role Q must perform (be assigned to) activity P.

P SegregatedFrom Q Activities P and Q must be assigned to different roles, and different users must perform them.

P USegregatedFrom Q Different users must perform activities P and Q.

P BondedWith Q Activities P and Q must be assigned to the same role, and the same user must perform them.

P RBondedWith Q Activities P and Q must be assigned to the same role, but different users must perform them.

Adva

nced

(P, Q, S, …; m) Multisegregated A certain number of different users (m) must perform a set of activities (P, Q, S, …).

(P, Q, S, …) Multibonded The same user and role must perform a set of activities (P, Q, S, …).

Tim

e

Basi

c

Within k Used with order patterns to denote a given P to happen within k time units. For example, P LeadsTo Q Within k indicates that Q must follow P within k time units.

After k Used with order patterns to denote a given P to happen after k time units. For example, P LeadsTo Q After k speci!es that Q must follow P after k time units.

ExactlyAt k Used with order and occurrence patterns to denote a given P to happen exactly at time k. For example, P Exists ExactlyAt k indicates that P must occur at time k, starting from the process instance’s initial state.

Adva

nced

P Exists Max k P can hold at most k time units once it happens.

P Exists Min k P must hold at least k time units once it happens.

P Exists Every k P must happen in every k time unit.

* P, Q, S, and T are operands representing process elements, their attributes, or conditions based on them (for example, CreateOrder.GrandTotal > $100.000).
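As an added example (not code from the talk or from the COMPAS tool-suite), the Python below implements a subset of the patterns in Table 1 as checks over the finite execution trace of one process instance, then expresses the controls C1, C2 and C3 from the “Being Compliant” and “Examples of Concepts” slides with those patterns and evaluates a compliant and a violating trace. The Event record, the function names and the two traces are assumptions. The tool-suite on the slides verifies LTL rules against BPEL specifications with a model checker at design-time; this block is the detective, after-the-fact counterpart run over a log, so it also shows how a resource pattern (wrong role) and an order pattern (surgery scheduled before the patient was informed) fail separately.

```python
"""Finite-trace checks for a subset of the control patterns in Table 1, applied
to the controls C1, C2 and C3 from the slides. Added example, not code from the
talk or the COMPAS tool-suite; event format, function names and the two sample
traces are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    activity: str
    role: str
    user: str
    t: int                      # time units since the process instance started


def occurrences(trace, activity):
    return [i for i, e in enumerate(trace) if e.activity == activity]


# Order patterns
def precedes(trace, q, p):
    """Q Precedes P: every occurrence of P has an earlier Q (vacuously true if no P)."""
    qs = occurrences(trace, q)
    return all(any(j < i for j in qs) for i in occurrences(trace, p))


def leads_to(trace, p, q, within=None):
    """P LeadsTo Q [Within k]: every P is followed by a later Q, within k time units if given."""
    for i in occurrences(trace, p):
        later = [j for j in occurrences(trace, q) if j > i]
        if not later:
            return False
        if within is not None and min(trace[j].t - trace[i].t for j in later) > within:
            return False
    return True


def x_leads_to(trace, p, q):
    """P XLeadsTo Q: Q must immediately follow P."""
    return all(i + 1 < len(trace) and trace[i + 1].activity == q
               for i in occurrences(trace, p))


# Occurrence patterns
def exists(trace, p):
    return bool(occurrences(trace, p))


def absent(trace, p):
    return not occurrences(trace, p)


# Resource patterns
def performed_by(trace, p, role):
    """P PerformedBy Q: role Q performs every occurrence of activity P."""
    return all(trace[i].role == role for i in occurrences(trace, p))


def segregated_from(trace, p, q):
    """P SegregatedFrom Q: different roles and different users for P and Q."""
    ps = [trace[i] for i in occurrences(trace, p)]
    qs = [trace[i] for i in occurrences(trace, q)]
    return all(a.role != b.role and a.user != b.user for a in ps for b in qs)


def u_segregated_from(trace, p, q):
    """P USegregatedFrom Q: different users for P and Q (roles may coincide)."""
    ps = [trace[i] for i in occurrences(trace, p)]
    qs = [trace[i] for i in occurrences(trace, q)]
    return all(a.user != b.user for a in ps for b in qs)


def check_controls(trace):
    """C1..C3 from the slides, expressed with the patterns above."""
    return {
        # C1: G(Examine Patient -> F Inform Patient about Risks.Role('Physician'))
        "C1": leads_to(trace, "Examine Patient", "Inform Patient about Risks")
        and performed_by(trace, "Inform Patient about Risks", "Physician"),
        # C2: not Schedule Surgery W Inform Patient about Anesthesia.Role('Physician')
        "C2": precedes(trace, "Inform Patient about Anesthesia", "Schedule Surgery")
        and performed_by(trace, "Inform Patient about Anesthesia", "Physician"),
        # C3: a surgery report is created after the surgery and before the discharge letter
        "C3": leads_to(trace, "Perform Surgery", "Create Surgery Report")
        and precedes(trace, "Create Surgery Report", "Write Discharge Letter"),
    }


# Constructed sample traces of one process instance each (not real hospital data)
COMPLIANT = [
    Event("Admit Patient", "Physician", "u1", 0),
    Event("Perform Checkup", "Medical Tech. Assistant", "u2", 1),
    Event("Examine Patient", "Physician", "u1", 2),
    Event("Inform Patient about Risks", "Physician", "u1", 3),
    Event("Inform Patient about Anesthesia", "Physician", "u1", 4),
    Event("Make a decision", "Physician", "u1", 5),
    Event("Schedule Surgery", "Physician", "u1", 6),
    Event("Perform Surgery", "Surgeon", "u3", 20),
    Event("Create Surgery Report", "Surgeon", "u3", 21),
    Event("Write Discharge Letter", "Physician", "u4", 30),
]
VIOLATING = [
    Event("Admit Patient", "Physician", "u1", 0),
    Event("Examine Patient", "Physician", "u1", 2),
    Event("Inform Patient about Risks", "Nurse", "u5", 3),    # wrong role: C1 fails
    Event("Schedule Surgery", "Physician", "u1", 4),          # scheduled before informing: C2 fails
    Event("Inform Patient about Anesthesia", "Physician", "u1", 5),
    Event("Perform Surgery", "Surgeon", "u3", 20),
    Event("Write Discharge Letter", "Physician", "u4", 30),   # no surgery report: C3 fails
]

if __name__ == "__main__":
    for name, trace in (("compliant", COMPLIANT), ("violating", VIOLATING)):
        print(name, check_controls(trace))
```

Each pattern function returns a verdict for the whole instance, so a monitoring job can map the verdicts back to the control (and, through the repository, to the directive) that was violated instead of reporting a bare rule id.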

BP Compliance Management Tool-Suite

Figure: architecture of the tool-suite. Components and the data flowing between them:
• BP Repository: holds the BP models and elements (BP specifications, in BPEL).
• Compliance Repository: holds the compliance elements (reqs., risks, controls, ...), the control definitions and the pattern-based expressions and formal control rules.
• Compliance Requirements Manager: maintains compliance requirements and compliance elements against the BP elements from the BP Repository.
• Compliance Rule Modeler: takes BP elements and control definitions and produces pattern-based expressions and formal control rules (in LTL).
• Design-time Compliance Verification Manager: a Verification Handler takes the selected control rules (in LTL) and BP specifications (in BPEL), passes them through WSAT and the SPIN Model Checker, and collects the verification results.
• Dashboard (Design-time): presents the compliance verification results.

/")*&T4(9%*)&

!! "(2+,2;7-'+2,*#)-7*;+-,,!! A';3'),;3+,*#);+];,#<,Ni,<7)-+-,/+2+(/*3,%/#Z+*;,,

!! F3+,#GZ+*01+L,,!! M)1+204(;+,;3+,"112%."<%2%4G&()-,*Q1,*))%D*#*)),#<,;3+,%(h+/)2,<#/L,"! 2%+*'<:')4,*#$%&'()*+,/+J7'/+$+);2,()-,4+)+/(0)4,<#/$(&,*#$%&'()*+,/7&+2B,(4(')2;,A3'*3,G72')+22,%/#*+22+2,A'&&,G+,+P+*01+&:,1+/'C+-,(;,'+&U*)%$#S80*D,

!! "(2+,>;7-:,bL,M);+/)+;,/+2+&&+/,*#$%():,@A';3,8/'*+A(;+/3#72+"##%+/2B,^=E,!! 8/#*+22+2L,W/-+/,%/#*+22')4B,')1#'*')4B,*(23,/+*+'%0)4B,-+&'1+/:B,()-,&+-4+/,$()(4+$+);,()-,$(');+)()*+,

!! "(2+,>;7-:,jL,=#(),8/#*+22')4,'),(,6()R,,@A';3,F3(&+2B,?IE,

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)

/-#4,-2&RG1*)&%#&4;*&/")*&T4(9%*)&&

>%?)@?:4%.-A."B)C'"'75"7)D4,5".,,)E%$0.,,)F$&G25'"0.)))))))))))))))))C9CFH/)IJ?C'%?KLIM)

!! "#$%&'!()!!*($+,!-&.#/'&$&012!!

3))&41/5&67!&8+'&22&9!#2/0:!!%&!4566789:;!

<7+&!()!*(01'(62! *=2&!>1,?@!!A01&'0&1!!-&2&66&'!

*=2&!>1,B@!C(=0!!

D'(4&22/0:!

<E<FC! !G&2!

!"(!

!!!!!!!!!!

D-E*3>>!

<3*H"A*FC!

DHG>A*FC!

!! "#$%&'!()!!*($+,!-&.#/'&$&012!!

3))&41/5&67!&8+'&22&9!#2/0:!!%&!4566789:;!

<7+&!()!*(01'(62! *=2&!>1,?@!!A01&'0&1!!-&2&66&'!

*=2&!>1,B@!C(=0!!

D'(4&22/0:!

<E<FC! !G&2!

!"(!

D-E*3>>! D-3I3"<AI3!!!"#$%&$%'()*+!*,!-.()$/"0#1-2!!"344$//!&)%5(/6!3.(5*&)7'()*+/!!"34()8)(9"#$:.$+4)+%!!"-'('";&*4$//)+%!

!J?!<=!>=!?>!>=!

!??!?!<!@!"!

!KB!<?!><!?A!>=!

!JB!<?!><!?A!"""!!

!?L!"!!"!!"!!>=!

M3<3*<AI3!!"B'+'%$C$+("D$8)$E/""""F"D$4*+4)G)'()*+/!!"H*#"6";$&,*&C'+4$"B*+)(*&)+%!

!NK!<=!"!"I!

!O!!!!!!

!NK!<=!!"I!

!O!!!"!!!

!NK!<=!"!I!

<3*H"A*FC! D-3I3"<AI3! !#! !$! !%! !"! !%!

M3<3*<AI3! !"! !"! !"! !"! !"!

DHG>A*FC! D-3I3"<AI3! !&! !"! !&! !"! !&!M3<3*<AI3! !"! !"! !"! !"! !"!

!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<E<FC! !?BB! !?N! !?NP! !JB! !QN!

D-3I3"<AI3! !#! !$! !%!

M3<3*<AI3! !"! !"! !"!

D-3I3"<AI3! !&! !"! !&!M3<3*<AI3! !"! !"! !"!

D-3I3"<AI3!!!"#$%&$%'()*+!*,!-.()$/"0#1-2!!"344$//!&)%5(/6!3.(5*&)7'()*+/!!"34()8)(9"#$:.$+4)+%!!"-'('";&*4$//)+%!

!!!!!!

!!!!!!

!!!!!!

!!!!!"""!

!!"!"!!!

M3<3*<AI3!!"B'+'%$C$+("D$8)$E/""""F"D$4*+4)G)'()*+/!!"H*#"6";$&,*&C'+4$"B*+)(*&)+%!

!!!"!"!

!!!!!

!!!"!

!!!"!!

!!!"!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<E<FC! !?BB! !?N! !?NP!

D-3I3"<AI3!!

M3<3*<AI3!!

!J?!<=!>=!?>!>=!

!??!?!<!@!"!

!KB!<?!><!?A!>=!

!NK!<=!"!"I!

!O!!!!!!

!NK!<=!!"I!

D-3I3"<AI3!!

M3<3*<AI3!!

D-3I3"<AI3!!M3<3*<AI3!!

!JB!<?!><!?A!"""!!

!?L!"!!"!!"!!>=!

!O!!!"!!!

!NK!<=!"!I!

!"! !%!

!"! !"!

!"! !&!!"! !"!!JB! !QN!

G&2 "(

JB<?><?A"""!

!?L"!"!"!>=

!NK

Published Results

• Turetken, O., Elgammal, A., van den Heuvel, W-J., Papazoglou, M. (2012). “Capturing Compliance Requirements: A Pattern-Based Approach”. IEEE Software, May/June 2012, pp. 28-36.
• Elgammal, A., Turetken, O., van den Heuvel, W-J. (2012). “Using Patterns for the Analysis and Resolution of Compliance Violations”, International Journal of Cooperative Information Systems (IJCIS), Vol. 21, No. 1.
• Turetken, O., Elgammal, A., van den Heuvel, W-J., Papazoglou, M. (2011). “Enforcing Compliance on Business Processes through the use of Patterns”, European Conference on Information Systems (ECIS 2011).
• Elgammal, A., Turetken, O., van den Heuvel, W-J., Papazoglou, M. (2010). “Root-Cause Analysis of Design-time Compliance Violations on the basis of Property Patterns”. International Conference on Service-Oriented Computing (ICSOC 2010).
• Schumm, D., Turetken, O., Kokash, N., Elgammal, A.F.S.A., Leymann, F., & Heuvel, W.J.A.M. van den (2010). “Business process compliance through reusable units of compliant processes”. ESW ’10, LNCS 6385, pp. 325-337.
• Elgammal, A., Turetken, O., van den Heuvel, W-J. (2013, under review). “Towards a Comprehensive Pattern-based Business Process Compliance Language”, IEEE Transactions on Software Engineering (TSE).

Thank you!

For more information: Oktay Turetken

[email protected]