Introduction
Because they handle confidential information and process personal data, organisations are obliged to follow complex standards such as those of the ISO (International Organization for Standardization), HIPAA (Health Insurance Portability and Accountability Act) or the General Data Protection Regulation (GDPR). Verifying compliance with these standards can be a challenge for organisations, especially in processes that do not follow a structured business process model. One example is applying for and obtaining municipal licences for new business start-ups, where the diversity of requirements, the coordination between entities and the variability by location pose significant modelling challenges. Effective coordination between teams within an organisation is essential to ensure that business processes comply with the established standards and to avoid compliance gaps that could result in legal sanctions or damage to the organisation's reputation.
Another scenario in which organisations may need to verify the compliance of their business processes is ensuring adherence to the organisation's internal policies. These policies can cover a wide range of areas, such as information security, employee and customer privacy protection, risk management and internal control, among other aspects that are key to the proper and ethical functioning of the company.
To address these challenges, organisations implement various mechanisms and tools, such as Compliance Monitoring, which refers to the measures, rules or procedures put in place to ensure compliance with applicable legal, regulatory or internal requirements. An example is a monthly review of financial records by an external auditor to ensure the transparency and accuracy of a company's accounting information.
A key resource in this process is the Controls Catalogue, a structured and detailed list of the compliance controls with which the organisation must comply. This catalogue identifies and describes each specific control, providing information on its purpose, scope, associated responsibilities and compliance criteria. For example, it could include controls related to data protection, IT security and risk management.
In addition, Compliance Checking can take several forms, each corresponding to a different way of assessing and verifying compliance with the established controls. These include Design-Time Compliance Checking, which is performed before the processes are executed to ensure that they comply with the established rules, and Run-Time Compliance Checking, which is performed during execution to monitor and correct possible deviations in real time.
To facilitate and optimise these processes, organisations can use a Compliance Management System, a platform or tool that automates the management and checking of control catalogues. This system allows the definition, implementation, monitoring and reporting of compliance controls, achieving a more efficient and effective management of regulatory compliance.
In line with the importance of ensuring compliance in business processes, several studies and articles have addressed the different verification phases within the lifecycle of these processes. In particular, much of this information is detailed in the article "A Mashup-Based Framework for Business Process Compliance Checking" by Cabanillas et al. This article defines a mashup-based framework for forward compliance checking of business processes. These mashups are workflows built on data from different sources, whose purpose is to specify rules and perform compliance checks of business processes at design time and at run time.