In recent years, the number of regulations an organization must comply with has been increasing, and organizations have to ensure that their business processes are aligned with these regulations. However, because of the complexity and intentional vagueness of regulations in general, they cannot be treated the same way as other types of requirements. At the same time, the cost of non-compliance can be high: it can cause serious harm to the organization through financial penalties or loss of reputation. It is therefore very important for organizations to take a systematic approach to establishing and maintaining compliance with the relevant laws, regulations and standards.
To achieve this goal, this thesis proposes a model-based compliance analysis framework for business processes called Legal-URN. This framework is composed of four interlinked layers of abstraction. It uses the User Requirements Notation (URN) as the modeling language to describe and combine legal and organizational models. To model legal documents, legal statements are first classified into four classes of Hohfeldian rights, and then Hohfeldian models of the regulations and their statements are created. These models are further refined into legal goal and business process models via a domain-specific version of URN called the Legal-URN profile. To check the well-formedness of the models and to identify instances of non-compliance, 23 Object Constraint Language (OCL) rules are provided. The quantitative and qualitative analysis algorithms of URN's Goal-oriented Requirement Language are extended to help analyze, quantitatively and qualitatively, the degree of compliance of an organization with the legal models. Furthermore, with the help of a prioritization algorithm, the framework enables one to decide, while taking the organization's goals into consideration, which non-compliant instances to address first, providing a suitable evolution path for business processes.
In addition, to assess compliance with more than one regulation, a pairwise comparison algorithm enables organizations to identify the similarities and conflicts among regulations and incorporate them into the models. The jUCMNav tool, an Eclipse plug-in for URN modeling and analysis, was extended to support the framework and its algorithms and rules.
The thesis contributions are evaluated through a gap analysis based on a systematic literature review, a comparison with closely related work, and two case studies in the healthcare domain: one with a single regulation and realistic business processes, and a second with three additional regulations. We also identify the benefits and limitations of the framework, as well as potential extensions for future work.
The Legal-URN framework provides a tool-supported, rigorous approach to compliance analysis of organizations against relevant regulations.
- 04 May 2013