Article Preview
TopIntroduction
Business process outsourcing (BPO) is one of the most adopted strategies by companies to survive in a highly competitive market, especially small and middle-size companies (Shafiee & Emadi, 2020). Indeed, the way business processes (BPs) are carried out has a direct influence on the quality of a company's deliverables and thus on customer satisfaction.
The BPO consists of entrusting a process totally or partially to a third party to be handled outside the company. This trend has been intensified with the advent of Cloud computing that has attracted companies with its new economic model of pay-per-use and its high elasticity in resource consumption (Boukadi et al., 2019). In fact, the Gartner research firm (Gartner, 2017) estimates the BP market in the Cloud at $40.8 billion, which exceeds the market of other service models.
However, the Cloud may endanger the security of outsourced BPs by exposing them to different threats such as data breach and denial of service. A list that sorts out the most important Cloud threats is regularly published and updated by the Cloud Security Alliance (CSA, 2019). Moreover, it is strongly recommended to hide the knowledge encapsulated by the outsourced processes by spreading them over several Cloud providers that will have only a partial view (Goettelmann et al., 2013). On the other hand, a strong distribution will slow down the process execution and generate additional fees related to data transfer, which leads companies to find the right balance in the distribution (Boukadi et al., 2019).
In order to avoid being sanctioned and to have a good reputation, organizations are also required to be well aware of the increasing number of laws and standards imposed on their BPs, especially those operating in heavily regulated sectors like the financial or medical sector (Agostinelli et al., 2019). Indeed, ensuring compliance becomes more challenging when BPs are under the control of different Cloud providers given that regulations change from one country to another. Furthermore, companies are struggling to find the most suited deals for their outsourced BPs, owing to the proliferation of Cloud providers that invade the market with services of various qualities and at different prices (Martens and Teuteberg, 2011).
Given the previous factors, a company must identify accurately the requirements of BP activities in order to decide for each of them, whether it should be outsourced or kept locally, and secondly to select the most suitable Cloud offers for the outsourced activities. Thus, a language is required to specify the activity requirements when modelling BPs. Unfortunately, existing modelling languages are generic and do not support specific domains. In this context, several work extend the BPMN language but do not consider the BPO criteria in a Cloud context and do not also take into account both risk and compliance criteria as recommended by the GRC (Governance, Risks and Compliance) experts (Papazafeiropoulou and Spanaki, 2016).
This paper proposes BPMN4CO (Business Process Model Notation for Cloud-based Outsourcing), an extension of the BPMN language by defining new artefacts to be able to specify the requirements of BP activities in terms of security, compliance, cost, performance, data transfer, and obfuscation. BPMN4CO aims to help organizations in outsourcing their BPs by assigning to each activity, the Cloud offer that best meets its requirements and therefore to obtain an optimal configuration for outsourced BPs. In order to provide a valid extension, BPMN4CO relies on the official documentation of the BPMN language and uses the two formats defined in the extension mechanism, namely, the MOF-based meta-model as well as the XML Schema. For the visual aspect, new graphical elements are proposed and added to the predefined artefacts.
The business process management (BPM) aims to improve processes in a continuous way by handling their iterative lifecycle, which includes the modelling, automation, execution, and evaluation phases (WfMC, 2017). BPMN4CO is intended for the modelling phase and complements our decision support proposed in (Zarour and Benmerzoug, 2019). Indeed, the latter contributes in the evaluation phase by exploiting the execution history of outsourced BPs to assess the Cloud offers and the activities confided to them.