Towards a comprehensive framework for business process compliance

Everything in our lives is governed by a set of laws. Law is a system of rules and guidelines which are enforced through social institutions to govern behavior, wherever possible. Law shapes business, economics, politics and society in every aspect. It plays the role of the arbitrator between people and institutions in case a disputation arises. In the business world, business processes form the foundation for all organizations, and as such are impacted by industry laws and regulations. Ensuring the compliance of business processes with applicable laws and regulations is a key concern that has been paid much interest particularly after the recent high-profile business failures and scandals, such as Enron and WorldCom. These incidents resulted in the enactment of a broad body of strict legislations, e.g. Sarbanes-Oxley act. These laws extend the long-standing requirement for public companies to maintain systems of internal controls for managing compliance, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. Subsequently, organizations are left struggling and spending billions of dollars on compliance by developing and/or deploying ad-hoc compliance solutions, which have inherent problems in terms of reusability, flexibility and evolution that make it difficult to verify and ensure continuous guaranteed compliance. Therefore, a business need for a comprehensive and structured compliance management solution for absolute compliance assurance becomes a must. The main contribution of this dissertation is meeting this business need by establishing a comprehensive compliance management framework and supporting solutions that manages and ensures compliance throughout the complete business process lifecycle, primarily with a preventive focus. This involves design-time business process compliance management and analysis, which is integrated and complemented with the subsequent monitoring of the corresponding running business process instances. Hence, achieving a preventive lifetime compliance support.