Aiding Compliance Governance in Service-Based Business Processes

Patrícia Silveira (University of Trento, Italy), Carlos Rodríguez (University of Trento, Italy), Aliaksandr Birukou (University of Trento, Italy), Fabio Casati (University of Trento, Italy), Florian Daniel (University of Trento, Italy), Vincenzo D’Andrea (University of Trento, Italy), Claire Worledge (Deloitte Conseil, France) and Zouhair Taheri (PricewaterhouseCoopers Accountants, The Netherlands)
DOI: 10.4018/978-1-61350-432-1.ch022

Assessing whether a company’s business practices conform to laws and regulations and follow standards and SLAs, i.e., compliance management, is a complex and costly task. Few software tools aiding compliance management exist; yet, they typically do not address the needs of those who are actually in charge of assessing and understanding compliance. We advocate the use of a compliance governance dashboard and suitable root cause analysis techniques that are specifically tailored to the needs of compliance experts and auditors. The design and implementation of these instruments are challenging for at least three reasons: (1) it is fundamental to identify the right level of abstraction for the information to be shown; (2) it is not trivial to visualize different analysis perspectives; and (3) it is difficult to manage and analyze the large amount of involved concepts, instruments, and data. This chapter shows how to address these issues, which concepts and models underlie the problem, and, eventually, how IT can effectively support compliance analysis in Service-Oriented Architectures (SOAs).
Chapter Preview


Compliance generally refers to the conformance to a set of laws, regulations, policies, best practices, or service-level agreements. Compliance governance refers to the set of procedures, methodologies, and technologies put in place by a corporation to carry out, monitor, and manage compliance. Compliance governance is an important, expensive, and complex problem to deal with:

It is important because there is increasing regulatory pressure on companies to meet a variety of policies and laws (e.g., Basel II, MiFID, SOX). This increase has been to a large extent fueled by high-profile bankruptcy cases (Parmalat, Enron, WorldCom, the recent crisis) or safety mishaps (the April 2009 earthquake in Italy has already led to stricter rules and certification procedures for buildings and construction companies). Failing to meet these regulations means safety risks, hefty penalties, loss of reputation, or even bankruptcy (Trent, 2008).

Managing and auditing/certifying compliance is a very expensive endeavor. A report by AMR Research (Hagerty et al., 2008) estimated that companies would have spent US$32B only on governance, compliance, and risk in 2008 and more than US$33B in 2009. Audits are themselves expensive and invasive activities, costly not only in terms of auditors’ salaries but also in terms of internal costs for preparing for and assisting the audit – not to mention the cost of non-compliance in terms of penalties and reputation.

Finally, the problem is complex because each corporation has to face a large set of compliance requirements in the various business segments, from how internal IT is managed to how personnel are trained, how product safety is ensured, or how (and how promptly) information is communicated to shareholders. Furthermore, rules are sometimes vague and informally specified. As a result, compliance governance requires understanding and interpreting requirements and implementing and managing a large number of control actions on a variety of procedures across the business units of a company. Each compliance regulation and procedure may require its own control mechanism and its own set of indicators to assess the compliance status of the procedure (Bellamy et al., 2007).

If we look at how every-day business is being conducted at an operative level, we note that technologies like web services and business process management systems have largely proved their viability for organizing work and also for assisting and orchestrating the human actors involved in business processes. The adoption of the so-called service-oriented architecture (SOA) to conduct business (eased by technologies such as SOAP, WSDL, and HTTP) has further affirmed the analogy between web service technologies and common business practices, turning the traditional, heavyweight and monolithic software approach into flexible and reconfigurable service ecosystems. One of the advantages of this kind of ecosystem is that it suddenly allows one to obtain fine-grained insights into runtime aspects, e.g., message exchanges, events, and process progress states, which can hardly be accessed in traditional legacy systems. As we will see in this chapter, in our work we specifically leverage this potential in order to check the compliance of service-based business processes.

Interestingly, despite these novel opportunities, compliance is to a large extent still managed by the various business units in rather ad-hoc ways (each unit, line of business, or even each business process has its own methodology, policy, controls, and technology for managing compliance) and without leveraging the new transparency of electronic business (Sloane et al., 2006). As a result, nowadays it is very hard for any CFO or CIO to answer questions such as: Which rules does my company have to comply with? Which processes should obey which rules? Which processes are following regulations? Where do violations occur? Which processes do we have under control? (Cannon & Byers, 2006). Moreover, it is hard to do so from a perspective that satisfies not only the company but also the company’s auditors, which is crucial as the auditors are the ones who certify compliance.

In light of these challenges, in this chapter we provide the following contributions:

Key Terms in this Chapter

Compliance Governance Dashboards: User-friendly GUI-based tools for visualizing the compliance status of business processes.

Key Compliance Indicator: A quantitative summarization referring to the achievement of the stated compliance objectives (e.g., the number of unauthorized accesses to our payroll data).

Compliance Root-Cause Analysis: A collection of techniques for discovering and understanding the reasons for non-compliant behavior in business process executions.

SOA: An architectural paradigm for the development of distributed applications where software functionalities are encapsulated as services using well-established communication protocols.

Compliance: A term generally used to refer to the conformance to a set of laws, regulations, policies, or best practices.
