Australasian Conference on Information Systems
|
Smit, Zoet, and Slot
|
2016, Wollongong
|
Compliance principles for decision management solutions
|
logic level, the business rules applied to make a decision are specified. The highest level of abstraction; represented with the decision requirements diagram, recognizes four key concepts: 1) a decision, 2) business knowledge, 3) input data, and 4) a knowledge source. The decision logic level has no key concepts, as decision logic could be represented by different representations such as decision trees, decision tables, and/or natural languages. The representation selected to represent the decision logic does not influence the decision requirements level.
The “entirety of all measures that need to be taken in order to adhere to laws, regulations and guidelines within the organization, subsumed as compliance sources” is defined as compliance (Daniel et al., 2009). A rising concern in information systems engineering is compliance management. Managing compliance can be defined as the process of assessing an organizational adherence to a set of legal requirements and expectations (Breaux, 2009). Examples of laws and regulations organizations have to comply with are the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Foreign Account Tax Compliance Act (FATCA), the BASEL accord, and the Health Insurance Portability and Accountability Act (HIPAA) (Zoet, 2014). Not adhering to compliance, also referred to as noncompliance, poses organizations with various risks, for example, legal fines, civil fines, re-engineering costs, public harms, consumer churn, and loss of public trust (Breaux, 2009).
Compliance is increasingly affecting the way decisions are designed, specified and executed. Legislation and regulations can precisely dictate or restrict how decisions should be designed, specified and executed. This is, for example, the case with tax laws, which is often defined by national regulations, i.e. calculation of taxes according to income scales. Furthermore, compliance affects decision making in terms of transparency. An example of this form of influence can best be described with how the Dutch government is enforced to provide Dutch civilians with information on with what data, how and by whom decisions are taken regarding applications for child benefits or licenses. The third form of influence that is becoming increasingly important is the exploitation of responsibilities of decision making. For example, in the governmental sector, compliance states that decisions regarding amnesty are convened by the Dutch Immigration and Naturalization Service. However, the law dictates that the minister of justice is appointed as final responsible. Outside the governmental context, the responsibility regarding decisions and their outcomes are often convened with, for example, managers, CFO’s and CEO’s (Nutt, 1993).
The concept of compliance is researched from different perspectives in which three general views can be distinguished: 1) the analysis of compliance law, 2) the realization of the internal system to establish compliance, and 3) the actual reporting of compliance to the outside world. Research on the realization of the internal system is highly focused on providing design solutions for specific problems classes. For example, Pittet et al. (2000) limit their research to hand hygiene in the healthcare sector whereas
O’Grady et al. (2001) focus on the singular problem of catheter-related infections. Research with a broader scope, but still problem class-oriented, is executed by Goedertier and Vanthienen (2006) and Caron et al. (2013) who look at the design of patterns for compliant business processes. In our research, we focus on compliance principles that limit the choices an organization has to create a specific design solution for a specific problem class (Winter, 2011). Therefore, instead of evaluating specific instances of a compliance solution which also reduces generalizability of our results, we look at the principles that ground the instantiation of specific compliance solutions.
Multiple definitions and types of principles are discussed in literature, like scientific principles, normative principles, system principles, and design principles. We will not discuss the differences and/or underlying similarities of those concepts. A detailed view on this is presented in the work of Greefhorst and Proper (2011). In this paper, we solely focus on design principles. A design principle is defined as (Greefhorst & Proper, 2011): “A normative-principle on the design of an artifact. As such, it is a declarative statement that normatively restricts design freedom.” A simple example of a design principle for the modeling of business processes is formulated as follows (Johannesson & Perjons, 2001, p17): “Each request needs to be confirmed”. This pair of request and confirmation is optionally followed by a notification. Another example of a design principle regarding enterprise architecture is formulated as (Richardson, Jackson, & Dickson, 1990): “Information systems will need to be developed using formal planning and software engineering methodologies.”
Greefhorst and Proper (2011), argue that design principles can be interpreted as a rule of conduct, as they guide/direct the enterprise by normatively restricting design freedom. Principles fill the gap between high-level strategic intentions and concrete design decisions. Principles ensure that a solution is future-directed, and can guide design decisions. Furthermore, they document fundamental choices in