
COMPLIANCE PRINCIPLES FOR DECISION MANAGEMENT SOLUTIONS AT THE DUTCH GOVERNMENT


Abstract

Since decision management is becoming an integrated part of business process management, more and more decision management implementations are realized. Therefore, organizations search for guidance to design such solutions. Principles are often applied to guide the design of information systems in general. A particular area of interest when designing decision management solutions is compliance. In an earlier published study (Zoet & Smit, 2016) we took a general perspective on principles regarding the design of decision management solutions. In this paper, we re-address our earlier work from a different perspective: the compliance perspective. Thus, we analyzed how the principles can be utilized in the design of compliant decision management solutions. The purpose of this paper is therefore to specify, classify, and validate compliance principles. To identify relevant compliance principles, we conducted a three-round focus group and a three-round Delphi study, which led to the identification of eleven compliance principles. These eleven principles can be clustered into four categories: 1) surface structure principles, 2) deep structure principles, 3) organizational structure principles, and 4) physical structure principles. The identified compliance principles provide a framework to take into account when designing information systems from the risk management and compliance perspective.

Keywords: Decision Management, Compliance, Principles, Government

Australasian Conference on Information Systems

Smit, Zoet, and Slot

2016, Wollongong

Compliance principles for decision management solutions

1 Introduction

A business process realizes business objectives or goals, thereby creating value for the organization. Business process management is used by organizations to manage and execute their coordinated, value-adding activities (Rikhardsson, Best, Green, & Rosemann, 2006). Decisions are a specific type of activity (Breuker & Van de Velde, 1994). Nowadays decision management is becoming an integrated part of business process management. An example of this is the recently released Decision Model and Notation (DMN) standard (Object Management Group, 2015). For both business process management and decision management, compliance issues are an important consideration when designing, deploying and executing business processes and/or decisions.

Research investigating the relationship between compliance and business processes has been conducted by, amongst others, Caron, Vanthienen & Baesens (2013), Ghose & Koliadis (2007), Rikhardsson, Best, Green & Rosemann (2006) and Sienou, Lamine & Pingaud (2008). The purpose of this research is to integrate the business process management discipline and compliance (management), thereby influencing the manner in which business processes are designed, analyzed, configured, enacted and evaluated. Now that more and more decision management solutions are introduced, organizations are searching for guidance to design such solutions in a compliant manner. In multiple other disciplines, such as system engineering and industrial engineering, the utilization of principles is an important mechanism to guide the design of products and information systems. A principle is a statement of an organization’s belief about how they want to use a specific product or information system. In our context, principles are therefore statements of an organization’s belief on how to design decision management solutions taking into account compliance requirements.

Research on compliance and decision management is commonly addressed as a singular oriented problem, meaning that compliance demands focus on a specific problem (Liao, 2004; Wagner, Otto, & Chung, 2002). Yet, previous research has shown that compliance requirements have a common design problem. A common design problem indicates that common problem classes, for which design solutions can be created, exist. In an earlier published study (Zoet & Smit, 2016) we focused on the design problem of decision management in general. This research extends the previous study by focusing solely on principles from a compliance perspective. The compliance principles that affect decision management solutions are structured along the following structures: 1) the deep structure, 2) the organizational structure, 3) the physical structure, and 4) the surface structure (Strong & Volkoff, 2010; Weber, 1997). With these premises, the following research question is addressed: “Which principles are essential to design a compliant decision management solution?” Answering this question will help organizations better understand the design and management of decision management solutions while taking compliance into account.

The paper is structured as follows: In section two the relationship between operational and compliance risk and its influence on business processes and decision management is discussed. This is followed by section three, in which the research method utilized to identify the compliance principles is elaborated upon. Furthermore, the collection and analysis of our research data are described. Subsequently, our validated collection of compliance principles is presented. Finally, in section six, conclusions and suggestions for further research are discussed.

2 Background and related work

Decisions are amongst the most important assets of an organization (Blenko, Mankins, & Rogers, 2010). A decision is: “the act of determining an output value (the chosen option), from a number of input values, using logic defining how the output is determined by the inputs.” Examples of decisions are: 1) determine what illness a patient has, 2) determine the risk factor for a specific customer or 3) determine what medicine a patient needs. If an organization can’t consistently make and execute the right decision(s), large risks are taken that can eventually lead to high costs or bankruptcy. Following the previous example: imagine what happens when a doctor makes the wrong decision continuously or a customer with a high-risk factor gets appointed a low-risk factor. Decision management has always received a lot of interest both from research and practice (Arnott & Pervan, 2005). One of the latest developments is the introduction of the Decision Model and Notation (DMN) in September 2015, by the Object Management Group (OMG). The DMN standard recognizes two levels of abstraction for decisions: decision requirements and the decision logic. The decision requirements level is captured in a decision requirements diagram and is used to identify decisions, the input data and business knowledge needed to make the decision, and the knowledge source on which the decision logic is based. At the decision logic level, the business rules applied to make a decision are specified. The highest level of abstraction, represented with the decision requirements diagram, recognizes four key concepts: 1) a decision, 2) business knowledge, 3) input data, and 4) a knowledge source. The decision logic level has no key concepts, as decision logic could be represented by different representations such as decision trees, decision tables, and/or natural languages. The representation selected to represent the decision logic does not influence the decision requirements level.

The “entirety of all measures that need to be taken in order to adhere to laws, regulations and guidelines within the organization, subsumed as compliance sources” is defined as compliance (Daniel et al., 2009). A rising concern in information systems engineering is compliance management. Managing compliance can be defined as the process of assessing an organization's adherence to a set of legal requirements and expectations (Breaux, 2009). Examples of laws and regulations organizations have to comply with are the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Foreign Account Tax Compliance Act (FATCA), the BASEL accord, and the Health Insurance Portability and Accountability Act (HIPAA) (Zoet, 2014). Not adhering to compliance, also referred to as noncompliance, exposes organizations to various risks, for example, legal fines, civil fines, re-engineering costs, public harms, consumer churn, and loss of public trust (Breaux, 2009).

Compliance is increasingly affecting the way decisions are designed, specified and executed. Legislation and regulations can precisely dictate or restrict how decisions should be designed, specified and executed. This is, for example, the case with tax laws, which are often defined by national regulations, i.e. calculation of taxes according to income scales. Furthermore, compliance affects decision making in terms of transparency. An example of this form of influence is how the Dutch government is obliged to provide Dutch civilians with information on with what data, how and by whom decisions are taken regarding applications for child benefits or licenses. The third form of influence that is becoming increasingly important is the exploitation of responsibilities of decision making. For example, in the governmental sector, compliance states that decisions regarding amnesty are convened by the Dutch Immigration and Naturalization Service. However, the law dictates that the minister of justice is appointed as final responsible. Outside the governmental context, the responsibility regarding decisions and their outcomes is often convened with, for example, managers, CFOs and CEOs (Nutt, 1993).

The concept of compliance is researched from different perspectives in which three general views can be distinguished: 1) the analysis of compliance law, 2) the realization of the internal system to establish compliance, and 3) the actual reporting of compliance to the outside world. Research on the realization of the internal system is highly focused on providing design solutions for specific problem classes. For example, Pittet et al. (2000) limit their research to hand hygiene in the healthcare sector whereas O’Grady et al. (2001) focus on the singular problem of catheter-related infections. Research with a broader scope, but still problem class-oriented, is executed by Goedertier and Vanthienen (2006) and Caron et al. (2013) who look at the design of patterns for compliant business processes. In our research, we focus on compliance principles that limit the choices an organization has to create a specific design solution for a specific problem class (Winter, 2011). Therefore, instead of evaluating specific instances of a compliance solution, which also reduces generalizability of our results, we look at the principles that ground the instantiation of specific compliance solutions.

Multiple definitions and types of principles are discussed in literature, like scientific principles, normative principles, system principles, and design principles. We will not discuss the differences and/or underlying similarities of those concepts. A detailed view on this is presented in the work of Greefhorst and Proper (2011). In this paper, we solely focus on design principles. A design principle is defined as (Greefhorst & Proper, 2011): “normative-principle on the design of an artifact. As such, it is a declarative statement that normatively restricts design freedom.” A simple example of a design principle for the modeling of business processes is formulated as follows (Johannesson & Perjons, 2001, p. 17): “Each request needs to be confirmed”. This pair of request and confirmation is optionally followed by a notification. Another example of a design principle regarding enterprise architecture is formulated as (Richardson, Jackson, & Dickson, 1990): “Information systems will need to be developed using formal planning and software engineering methodologies.”

Greefhorst and Proper (2011) argue that design principles can be interpreted as a rule of conduct, as they guide/direct the enterprise by normatively restricting design freedom. Principles fill the gap between high-level strategic intentions and concrete design decisions. Principles ensure that a solution is future-directed, and can guide design decisions. Furthermore, they document fundamental choices in an accessible form and ease communication with all relevant stakeholders. Based on a design science research approach, Greefhorst and Proper (2011) propose eight steps to define principles: 1) determine drivers, 2) determine principles, 3) specify principles, 4) classify principles, 5) validate and accept principles, 6) apply principles, 7) manage compliance, and 8) handle changes. The first step, ‘determine drivers’, consists of collecting drivers to serve as a starting point to define the principles. Drivers that serve as input for the definition of principles can be risks, goals, objectives, values, issues, potential rewards, and/or constraints. However, many drivers are not explicitly documented, so they have to be collected from stakeholders. After the relevant drivers have been collected, they are translated into candidate principles in the second step, ‘determine principles’. This step consists of three phases. First, candidate principles are derived from drivers, domain knowledge, and/or existing principles, after which this list is filtered and the relevant principles are selected. Each relevant principle is further generalized or specified to the right level of abstraction. During the third step, ‘specify principles’, the principles are further detailed. This means that the rationale, implications, and an example are specified. After the rationale, implications, and an example are added, the principles are validated within the organization(s). The next two steps (‘apply principles’ and ‘manage compliance’) focus on applying the principles and making sure the organization complies with them. Lastly, Greefhorst and Proper (2011) propose an eighth step: ‘handle changes’. They argue that defined principles can change because drivers can change and, therefore, a change management process should be in place.
One can also argue that the eighth step is not a separate step but that step seven should be connected to step one (creating a lifecycle), since the identification of new and changing drivers is part of step one: ‘determine drivers’. In this research, the focus will be on step one up to and including step five. Steps six, seven, and eight are beyond the scope of this research because the principles need to be implemented and utilized over a longer period by the participating organizations in order to measure their effectiveness and, based on feedback, apply changes.

To structure the identified compliance principles, the dimensions and ontological foundations of the extended information systems framework are applied (Weber, 1997). The extended information systems framework has been proposed by Strong and Volkoff (2010), describing that principles can be categorized into four categories: 1) deep structure, 2) organizational structure, 3) physical structure, and 4) surface structure. Deep structure elements are subjects that describe real-world systems, their properties, states and transformations (Weber, 1997). Organizational structures are the roles, control and organizational culture represented within organizations or within solutions (Strong & Volkoff, 2010). Physical structure elements describe the physical technology and software in which the deep structure is embedded (Weber, 1997). Surface structure elements describe the elements that are available in the information system to allow users to interact with the information system (Strong & Volkoff, 2010).

3 Research method

The goal of this research is to identify compliance principles that limit the freedom with regard to decision management solutions. In addition to the goal of the research, the maturity of the research field is also a factor in determining the appropriate research method and technique(s). The maturity of the object under research, compliance principles for decision management, is nascent (Kovacic, 2004; Nelson, Peterson, Rariden, & Sen, 2010; Zoet, 2014). The focus of research in nascent research fields should lie on identifying new constructs and establishing relationships between identified constructs (Edmondson & McManus, 2007). In summary, to accomplish our research goal, a research approach is needed in which a broad range of possible compliance-focused principles for decision management are explored and combined into one view in order to contribute to the body of knowledge, taking into account the five steps of Greefhorst and Proper (2011).

Adequate research methods to explore a broad range of possible ideas/solutions to a complex issue and combine them into one view when a lack of empirical evidence exists consist of group-based research techniques (Delbecq & Van de Ven, 1971; Murphy et al., 1998; Okoli & Pawlowski, 2004; Ono & Wedemeyer, 1994). Examples of group-based techniques are Focus Groups, Delphi Studies, Brainstorming and the Nominal Group Technique. The main characteristic that differentiates these types of group-based research techniques from each other is the use of face-to-face versus non-face-to-face approaches. Both approaches have advantages and disadvantages; for example, in face-to-face meetings, provision of immediate feedback is possible. However, face-to-face meetings have restrictions with regard to the number of participants and the possible existence of group or peer pressure. To eliminate the disadvantages, we combined the face-to-face and non-face-to-face techniques by applying the following two group-based research approaches: a Focus Group and a Delphi Study.

