Compliance by Design: Synthesis of Business Processes by Declarative Specifications

   page       attach   
Francesco Olivieri

Business Process Compliance are three words scholars use to describe what happens, or should happen, when two worlds very different from each other collide. The first world is meant to represent enterprises and how they do what they do or, in a simpler way, what procedures and processes they adopt to offer always better products to their customers. Scholars of the field refer to the Business Process Management as a "process optimisation process" and they study approaches, methodologies, formal languages to describe and improve what they esteem as the heart of every organisation, the business process.
A business process can be visualised as a self-contained, temporal and logical order in which a set of activities (tasks) are executed to achieve some business objectives. Within it, many information is available: the control flows describes what can be done and when, the relevant data clarify what it is needed to work on as well as the actors who are going to do the work.
The second world is the world of the governments, of the consortia, of all those entities which have enough power to create regulations, norms, policies directly impacting on the organisations. Such entities state the boundaries of legality by imposing which actions can be considered legal to be performed within the aforementioned business processes, and which actions avoid to incur in severe sanctions.
Business Process Compliance is the research field where scholars try to understand how organisations should behave to keep offering good products while respecting a set of regulations strictly affecting their processes. In general, a compliance regimen must include three interrelated but distinct perspectives of compliance, namely, corrective, detective, and preventative. While the first two measures try to mitigate or intervene after compliance breaches are detected, the preventative focus assumes a completely different perspective by stating that "compliance should be embedded into the business practice, rather than be seen as a distinct activity, (...) thus achieving compliance by design".
An issue of great importance consists in devising automated tools able to create an entirely new, compliant process starting from a fully declarative description of both the organisation and the environment it is acting in. Such a description include: (i) A set of business objectives to reach, (ii) The specifications of a process, (iii) The norms ruling the organisational environment. This doctorate dissertation shall confront this problem by following two sequential research paths. First things first, we need a formalism able to state, given a particular context, which norms are in force, which objectives are desirable and which objectives are feasible, in order for the organisation to decide which objectives to commit to. Thus, we liken organisations to agents and, accordingly, refer to the literature of BDI (Belief-Desire-Intention) agents. The BDI architecture addresses how agents try to fulfil their goals based on the knowledge of the environment and a collection of plans. We shall analyse different notions of the concept of goal starting from the idea of sequences of "alternative acceptable outcomes". We shall study the relationships between goals and concepts like agent's beliefs, norms and desires, and propose a computationally oriented formalisation using a variant of Defeasible Logic extended with modal operators that shall provide a suitable approach. The resulting system, being able to capture various nuances of the notion of goal, is of interest for business enterprises, for which the right decision is not only context-dependent, but they must, and want, to choose from a pool of alternatives as wide as possible.
Finally, we shall propose algorithms to compute all provable and refutable conclusions of the modal defeasible theory, and we shall prove soundness and computational complexity.
At the end of this phase, the agent (organisation) knows whether courses of action exist (in term of logical derivations) which lead to norm and outcome compliant situations. Accordingly, the second question being how to determine all such legitimate courses of action the agent may commit to, and how to transform them into a business process-like graphic notation.
We therefore shall propose algorithms which (i) Construct a graph by navigating backwards the derivation trees, from the "compliant" outcomes up to the facts of the theory, and (ii) Transform such a graph by recognising JOIN and SPLIT patterns typical of process model notation. As before, we shall put forward a computational analysis.