Modelling Inter-Organizational Business Processes Governance

30TH INTERNATIONAL CONFERENCE ON INFORMATION SYSTEMS DEVELOPMENT (ISD2022 CLUJ-NAPOCA, ROMANIA) Modelling Inter-Organizational Business Processes Governance Vítor Hugo Machado Ribeiro University of Coimbra, CISUC, DEI Coimbra, Portugal vhribeiro@dei.uc.pt João Barata University of Coimbra, CISUC, DEI Coimbra, Portugal barata@dei.uc.pt Paulo Rupino da Cunha University of Coimbra, CISUC, DEI Coimbra, Portugal rupino@dei.uc.pt Abstract Digital transformation requires decentralizing business process governance due to the increasing interdependencies of organizations and more complex business pipelines enabled by information technologies. We present a modelling approach to assist companies in their inter-organizational business process governance (IO-BPG). The results emerge from a design science research conducted with a major European telecommunications service provider. They include (1) the key domain attributes, (2) a domain-specific ontology, and (3) a BPMN extension instantiated in IO-BPG scenarios of Software-as-aService, covering structure, processes, and relational mechanisms. For theory, this paper extends the literature on business process governance with a modelling approach evaluated in one of the most regulated and dynamic economic sectors. For practice, our proposal may help appraise accountability, confidentiality, compliance, autonomy, authority, traceability, and collaboration configurations that are crucial to IO-BPG. Keywords: Inter-Organizational Business Process Governance, BPMN, BPMN Extension, IT Governance 1. Introduction Business Process Management (BPM) is moving beyond organizational boundaries. Digital transformation requiring integrative capabilities [41] determines this shift from internal operations to inter-organizational business processes (IOBP) [8]. Therefore, new mechanisms are necessary to govern business processes in collaborative networks [23]. However, the structural, procedural, and relational mechanisms proposed by the most prominent governance frameworks (e.g., COBIT) are traditionally applied to a single organization [21] and are not sufficiently integrated with business process models. Business process governance can be defined as the “process of process management” [36], sharing its roots and foundational mechanisms with the IT Governance literature. Moreover, many tools exist to support the governance facets of process mining, monitoring, and control [23]. Nevertheless, business processes are getting increasingly agile and fragmented across organizations, becoming harder to model and steer using standard languages, such as the Business Process Modelling and Notation (BPMN) [24]. This challenge of “digital transformation of business process governance” [23] is the main focus of our paper. Our design science research (DSR) project started in cooperation with a relevant European telecommunications service provider (TSP). The company operates in a multinational environment, in a highly regulated sector, and runs complex organizational software development and operations pipelines (e.g., DataMLOps, DevSecOps, CloudOps) in cross-functional teams. Their product portfolio is also changing to innovative Software-as-a-Service (SaaS) that combines (1) cloud storage, (2) artificial intelligence RIBEIRO ET AL. MODELLING INTER-ORGANIZATIONAL... (AI) as a service, (3) Internet-of-Things integration, and (4) advanced data analytics, mostly aimed at the B2B (Business-to-Business) market. For example, eHealth telemedicine and intelligence-assisted living solutions to support healthcare decisionmaking. Our goal is to create a business process modelling approach suitable for scenarios of decentralized governance. The case company context seemed well suited for our research because their business pipelines operate in a digital platform ecosystem [19]. The remainder of this paper is structured as follows. First, Section 2 presents relevant concepts on governance and BPMN. Then, Section 3 introduces the research approach. Subsequently, Section 4 presents the DSR results, and the discussion follows in Section 5. Finally, Section 6 summarizes the conclusions, limitations, and next steps. 2. 2.1. Background From IT Governance to Business Process Governance IT governance is the “strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management, and risk management” [42]. To ensure effectiveness, the organization should monitor performance and compliance with the agreed-on direction and objectives [21]. Multiple factors shape the IT governance strategy, such as culture and ethics, internal and external regulations, the mission and values, or the company's business plan and strategic intentions [25]. Several frameworks exist to support and monitor IT governance. For example, COBIT (Control Objectives for Information and Related Technologies) [21] is one of the most recognized industry frameworks [27]. COBIT covers several IT governance domains: business-IT alignment, value delivery, risk management, resources management, and performance management [21]. Regarding governance processes, mechanisms for strategic IT planning, IT Service Management, and portfolio management must be defined [18]. Governance structures should include an IT strategy committee, the CIO (Chief Information Officer), or other C-level responsible for the information system [18]. Relational mechanisms are the third critical dimension: cross-functional business-IT training and shared understanding of business-IT objectives must be ensured [18]. Business Process Governance (BPG) can be defined as the set of decisions and procedures aimed at specifying actions, verifying performance, and granting power to the activities related to BPM [22]. It focuses on governing an entity’s processes toward achieving strategic and business goals [22]. Moreover, [37] recognizes BPG as one of the necessary core pillars to increase BPM maturity, namely [22, 23]:  The high-level identification of the organization’s cross-functional and critical business processes;  The clarification of the high-level business and strategic goals and key performance indicators (KPIs);  The definition of accountability and ownership for business processes;  The measurement that guarantees the transparency of the operation and enables fast and well-informed decision-making;  The establishment of mechanisms for reward and recognition of participants;  The settlement of priorities for the improvement of business processes. On the one hand, BPG aims to ensure that the BPM strategy is consistently executed and satisfies the stakeholders' expectations while keeping the organization competitive [22]. On the other hand, BPG drives organizational transformation, leading the design and redesign of business processes to capitalize on the opportunities afforded by new technologies. Three essential BPG activities are necessary [22]:  Designing a high-level enterprise process model;  Defining goals and management plans that include the enterprise architecture, encompassing IT and business aspects;  Implementing an organizational structure to coordinate the people involved in the BPM activities and define the measures to apply. ISD2022 ROMANIA There are similarities between the factors affecting IT and process governance. For example, the company strategy, compliance requirements (e.g., standards and laws, such as the General Data Protection Regulation (GDPR)), industry trends, enterprise culture, and financial constraints [22]. Moreover, governing processes increasingly supported by IT suggests the existence of synergies between both [23]. For example, the work of [34] highlights the need for mutual adjustments between the governance of business processes and the governance of IT regarding the “accountability for business-IT strategic alignment, process and IT requirements specification, and IT-enabled business value realization” [34]. However, this becomes much more challenging as the complexity increases when the processes involve different organizations sharing digital resources to conduct business. 2.2. The Inter-Organizational Dimension of Business Process Governance The digital transformation increased collaboration networks between organizations [8], providing “significant opportunities at strategic level, as well as significant challenges at tactical level, in order to properly combine flexible and effective inter-organization collaborations with traditional internally managed processes” [6]. Inter-organizational business processes interconnect sequences of activities shared and conducted by two or more entities to reach a business goal that is valuable to the partners [4]. Implementing and executing IOBP requires a trust mechanism between the business partners that may be established by legal contracts. However, compliance and real-time control requirements are challenging in decentralized decision-making [17], requiring:  Managing and coordinating business process interdependencies (e.g., shared resources, information exchange points) [24];  Clearly defining the roles and responsibilities of each business partner at several points of the business process [22, 23];  Dealing with possible semantic gaps, considering that each business partner may have its terminology and internal process language [24];  Controlling and tracking process tasks performed in different power structures, thus requiring the deployment of policies to allow traceability of metrics at several points of the process [11];  Representing collaborations between trading partners distributed across several locations, each under distinct laws and compliance requirements [39];  Balancing shared outcomes and autonomy enabling different organizations to implement their strategies at different paces [29]. Digital transformation makes these challenges even more critical, requiring new governance practices [3]. Inter-organizational business process governance (IO-BPG) is the solution to align and ensure the interoperability of distributed processes [38]. However, changing from traditional intra-organizational to inter-organizational process governance is not straightforward [29]. For example, hierarchical decision mechanisms should accommodate cultural differences, economical power, and process dependencies [20, 29]. Moreover, organizations participating in these shared processes can be partially or fully autonomous of each other, requiring a combination of vertical authority with lateral (decentralized) relations [30]. The personal mechanisms are concerned with more informal measures that organizations may create, such as the culture of collaboration or meetings [30]. The organizations must also seek to establish a set of impersonal governance mechanisms. These mechanisms are concerned with more formal activities and policies, often translated into formal agreements and contracts [30]. Impersonal governance mechanisms are essential [29], but personal governance mechanisms are usually smoother when performed by a trusted third party (e.g., an outsourcer or business association). Moreover, nowadays, it is possible to automate parts of governance (e.g., automatic decision algorithms, shared business process rules, and smart contracts) [15]. Table 1 introduces examples of personal and impersonal mechanisms of IO-BPG. RIBEIRO ET AL. MODELLING INTER-ORGANIZATIONAL... Table 1. Personal and impersonal mechanisms of Inter-Organizational Business Process Governance. Personal Mechanisms Propose the co-location of several trading entities (e.g., the case of buyers and suppliers in the supply chain) [20]. The creation of inter-organizational comities (e.g., responsible for the process improvement activities, definition of collaborative strategy) [20]. The implementation of inter-organizational coordination units to manage decentralized dependencies and activities [13]. The creation of liaison roles mirrored through the involved parties or, in other cases, can be a requirement of the third parties enacted in the business process [13, 20]. Impersonal Mechanisms The establishment of trading partner agreements includes business process improvement goals, techniques, tools, and/or measurements [13]. The development of several information systems can provide an overview and the exchange of information across the collaborative network [12]. The use of process and data standards across all business partners aiming at clarifying and streamlining businessto-business communications and transactions, process operations, and data exchange [31]. The formalization of business process practice guidelines, according to standards and industrial associations [13]. There are influential notations to model business processes [1]. However, no solution is specific to model IO-BPG. The following section highlights aspects concerned with the theoretical basis of process modelling. 2.3. The Foundations for IO-BPG Modelling Business process models enable domain experts with different backgrounds and knowledge to understand business processes [1] by describing their behavioural aspects using a graphical representation of control flow, tasks, activities, and events. BPMN introduces a well-structured language meta-model that enables model exchangeability and tool integration [9]. Moreover, BPMN already features elements to represent specific aspects of inter-organizational business processes. For example, (1) message flows represent the exchange of information between organizations, and (2) the pools and lanes represent process participants (e.g., companies) or departments (e.g., accounting, logistics). Nevertheless, BPMN cannot represent specific governance aspects like task accountability (vs. task performer usually indicated by lanes), or compliance requirements, among others. The most recent version of BPMN (2.0) includes an “extension by addition” mechanism that enables the integration of domain-specific concepts [40] while ensuring the elements’ validity [32]. Reusing the BPMN kernel and extending the language with domain-specific concepts is less expensive than developing an entirely new language while benefiting from its standardizations and tool support [10]. Therefore, BPMN extensions can be a suitable solution for IO-BPG [44], and there are proposals on how to create them [40]. The BPMN standard [32] defines four elements to extend the notation:  Extension - Binds and imports the extension definition and its attributes to a BPMN model definition, allowing all the extension elements to become available for the BPMN elements;  ExtensionDefinition - Consists of several ExtensionAttributeDefinition (including the name and type), featuring a named group of new attributes that BPMN elements can use. It may be the addition of attributes to a specific element or a new element;  ExtensionAttributeDefinition - Defines a set of new attributes as characteristics of a redesigned element;  ExtensionAttributeValue – Defines the attribute value. A few authors have proposed BPMN extensions to model inter-organizational business processes. One of the seminal contributions, using pools and messages, was presented by [16]. The authors of [7] provide an overview of IOBP, identify challenges (e.g., IOBP governance), and offer a framework for IOBP modelling, design, and implementation. [2] presents a BPMN extension for collaborative business processes, using elements for collaborative activities, privacy, task execution status, and activity monitoring. More recently, [35] proposes a BPMN extension to model IOBP in the context of Industry 4.0, ISD2022 ROMANIA including elements to model manufacturing activities, the exchange of information between partners, partner’s decisions, and compliance requirements. These contributions, notwithstanding, do not propose approaches for specific governance aspects. 3. Methodology We selected Design Science Research (DSR) for our inquiry. It consists of an iterative process of designing artifacts to solve problems, making research contributions, evaluating, and communicating the results to appropriate audiences [33]. DSR artifacts may include models, methods, and instantiations according to the identified problem and context of the situation [28]. There are six main DSR steps [33]: (1) “Problem Identification and Motivation,” (2) “Definition of the objectives for a solution,” (3) “Design and Development,” (4) “Demonstration,” (5) “Evaluation,” and (6) “Communication.” Ours was a problem-centred DSR cycle, starting with a literature review on BPMN extension development, IOBP, and IT governance. This first step enabled us to identify relevant attributes for an IO-BPG model. We obtained 153 results in Google Scholar for the keyword combination “BPMN extension” AND (“Business Process Governance” OR “Governance”), excluding patents and citations. However, surprisingly, we only got 24 matches for (“interorganizational business process” OR “inter-organizational business process”) AND “BPMN extension,” which shows that there is ample opportunity for new contributions. Additionally, we explored IT governance, Business Process Governance, and BPMN literature. Finally, this DSR cycle included contacts with the case company to understand the requirements of their recently approved 40M€ co-funded innovation project. We based the design and development of our artifact on the proposal of [40], which uses UML stereotypes for BPMN extension proposals, later improved by [9] with the domain analysis and its conceptualization. During this stage, we created an ontology for the IO-BPG domain. Afterward, we performed an equivalence check to verify if its concepts were semantically equivalent (e.g., gateways), with the goal of understanding which of the necessary concepts of the IO-BPG domain were missing in the standard BPMN notation and deriving the extension elements. Following the equivalence check, we created a graphical representation and instantiated the artifact in the case company. We examined various documentation from the company and participated in several meetings and a workshop. Departing from the company's experience with DevOps, the research team is designing a new customizable continuous integration/continuous delivery pipeline (coined DataDevSecMLCloudOps) that adds data(Ops), machine learning (ML), security by design (Sec), cloud operations, and IoT integration for their recent solutions in B2B solutions. By customizable, we mean the capacity to adapt the development and operation lifecycle to each customer segment operating in the SaaS. For example, other TSP operators may need CloudOps services. In contrast, eHealth customers may rely on machine learning models to support decisions or integrate health care with real-time patient monitoring systems. The project includes a comprehensive evaluation of the tools necessary to support their teams, training, and most important for the scope of this paper, the inclusion of “Gov” in their digital transformation process. Traditional governance frameworks are not an option because the company operates in a digital platform ecosystem [19], involving multiple suppliers (e.g., datasets, sensors), partners, customer segments, and regulatory bodies. 4. 4.1. BPMN Extension Development Key Attributes for Inter-Organizational Business Process Governance Table 2 introduces eight relevant attributes for the domain of IO-BPG extracted from the literature review. RIBEIRO ET AL. MODELLING INTER-ORGANIZATIONAL... Table 2. Key attributes of Inter-Organizational Business Process Governance. Attribute Accountability Autonomy Compliance Authority Traceability Collaboration IT Governance Operations IT Governance Roles Description Organizations should define mechanisms for accountable decisions and activities at specific process points. Organizations should identify autonomous decisions and tasks (e.g., one organization can innovate (part of) the process). Organizations may need to deal with several regulations according to their geographical location and industry context. The organizations should define the decision-making capacity of global and local actors in diverse contexts. The business partners should ensure traceability throughout the processes' lifespan, activities, resources, data, and decisions to guarantee transparency of operations and decentralized performance. The business partners can perform activities in collaboration. IT governance deployment relies on five sub-types of activities: risk management, resources management, performance management, strategic alignment, and value delivery. Organizations use and share several technological devices and software to execute their activities, manage them, and govern the processes. Each organization's members are responsible for performing several types of IT governance activities and decisions. Reference [22, 23] [29] [5, 22, 24] [24] [11] [2] [21] [21] The attributes in Table 2 capture specificities of governance in decentralized contexts, such as the need to track decisions and tasks, exchange process information and data, perform collaborative tasks, and the necessity for strategic planning for process innovation. In the ontology presented in Fig. 1, we contextualize several process-interdependent organizations’ domains, attributes, relationships, and concepts (on the top). The participating organizations operate according to formal agreements established for the SaaS operation [22] (see top left). The regulatory space (e.g., standards, contracts, industry procedures) varies according to geographical location and industry field [22, 24] (see centre-left). Decentralized operations require continuous monitoring (e.g., data, messages, documents, logs) [11] and exchange of resources [22, 30] (see top right). Fig. 1. Domain ontology for Inter-Organizational Business Process Governance. The grey elements in Fig.1 represent the main components of IO-BPG, with the activities performed by actors according to a process flow, a set of partners, the resources involved, and the events that may influence or trigger the activities. In the bottom right of Fig.1, several governance activities must be shared (e.g., risk management, resources management, performance management, strategic alignment, value delivery) to promote ecosystem innovation and ensure the strategic alignment between technology and the ISD2022 ROMANIA network’s business goals [21]. There is a two-way interaction (bottom left) between tasks and events (e.g., time events, partner intervention events) [8]. With decentralized activities and decisions, mechanisms to trace data (that may be public or private) are required [22], as shown in the centre of Fig.1. The inter-organizational process flow can evolve in sequence or parallel in each process participant, as illustrated in the centre left of Fig.1. Involved in business partnerships, organizations need to manage decentralized resources (e.g., human, IT, financial, data), as seen on the right of Fig.1. Decisions are taken (e.g., partner decision, event-based, flow gateway) about the path to follow (e.g., next activity to perform, send a message, terminate the process) according to a predefined decision logic (e.g., partnership agreements, regulations) [8], as shown on the left of Fig. 1. The research team found both artifacts – attributes and ontology – helpful to understand the most critical aspects that must be explicitly included in the IO-BPG models. 4.2. BPMN Extension Elements for IO-BPG Table 3 summarizes the proposed BPMN extension elements for IO-BPG. Table 3. BPMN extension elements for IO-BPG. Attribute Element Authority/Auton omy Partner Decision Gateway Authority/Auton omy Partner Intervention Event The partner intermediate event denotes the participation in an activity that was initiated by an authorized partner. Compliance Private Data The term “private data object” refers to a data object (or one of its offspring) kept secret, meaning that no information about it is shared with the partners. Compliance Shared Data The term “shared data object” refers to a data object (or one of its children) that other business partners can access. Compliance Private Task The private task denotes that a task is private, which means that no information about it is shared with the partners and kept confidential. Compliance Regulations The regulations describe the laws, contracts, and standards that a particular business partner must follow and the norms that must be adhered to (e.g., ISO 9001). Collaboration Collaborative Task The collaborative task is concerned with governance activities performed in collaboration between the partners. Traceability Traceable Task The traceable task designates a task as traceable, implying that a set of metrics is obtained and logged to execute it. IT Governance Operations Value Delivery Task Resource Management Task Performance Management Task IT Governance Operations IT Governance Operations Description The partner gateway is a point in the flow when a specific partner determines the “route” of the actions carried out in the subsequent phases. The value delivery tasks aim to represent activities to ensure optimal business value is obtained from IT. The resource management tasks are concerned with managing the organization's assets and ensuring that the required IT capabilities and resources are provided. The performance management task is concerned with measuring the organization’s strategic objectives. IT Governance Operations Strategic Alignment Task The strategic alignment tasks aim to promote the alignment between the IT services and the organization’s business strategy. IT Governance Operations Risk Management Task The risk management tasks are concerned with activities regarding monitoring and mitigating several types of risks. IT Governance Operations On-premise Server infrastructures can be deployed and managed by the organizations involved in the collaborative network. IT Governance Operations Cloud Cloud infrastructures may host digital services used by the organizations involved in the partnerships. Graphic RIBEIRO ET AL. Attribute IT Governance Operations / Accountability IT Governance Role MODELLING INTER-ORGANIZATIONAL... Element Virtual InterOrganizational Governance Pool Description The governance pool is concerned with representing the activities and resources involved in the governance activities of the business process. CIO The CIO is responsible for governance activities concerned with the strategic alignment of business and IT. Board of Administrators The Board of Administrators is concerned with significant decisions and strategies of the organization. IT Governance Role Operations Operations are responsible for performing IT resource management activities. IT Governance Role Business Business is responsible for activities concerned with the business model implementation and strategy. External Stakeholder External stakeholders (e.g., regulators and financial entities) can be involved in the governance activities. IT Governance Role IT Governance Role Graphic We propose a total of 21 elements in our BPMN extension, adapting some from the domain of collaborative business processes (e.g., traceable/private tasks, private/shared data) [2]. We also improved some elements of our previous work on inter-organizational business processes for Industry 4.0 (e.g., collaborative task, partner intervention event, partner decision gateway) [35]. The DSR team ensured that each new element was distinctive while remaining consistent with those currently in the standard. Additionally, there are elements concerned with the roles (e.g., CIO, board of administrators). The graphical representations were created with Lucidchart [26] and IconFinder database [45]. The most relevant motivations for the extension include the lack of representation in the standard BPMN for the specificities of governance (e.g., value delivery task, resource management task, performance management task, strategic alignment task, risk management task), the need to explicitly include privacy (e.g., shared data, private data, private task, traceable task), the complexity of shared gateways (e.g., partner decision gateway), and more representative governance-related icons (e.g., CIO, board of administrators, external stakeholder, operations, business). 5. Demonstration of IO-BPG Fig. 2 shows a simplified segment of the SaaS operation process modelled in standard BPMN. For clarity, the process focuses on the cloud platform configuration and setup. Fig. 2. Simplified SaaS operation using BPMN. The selected business process starts when the team receives a request for a new customer configuration (we omit platform development, commercial stages, and other preconfiguration tasks). The 5G policy control setup is followed by adjusting the customer price policy plan. Next, the data pipeline sub-process is started according to the customer’s configuration (e.g., the solution may require ML as a service that needs to be trained, deployed, and included in the subsequent monitoring tasks). The customer pool (on the top) includes the business operations in a sub-process (that depends on the customer ISD2022 ROMANIA profile: a healthcare provider, a TSP, a manufacturing company involved in Industry 4.0). Simultaneously, the case company monitors metrics and logs the performance of the data platform, continuously optimizing the system. Fig. 3 models the inter-organizational process management governance of the same excerpt using our proposed BPMN extension. Fig. 3. SaaS operation using IO-BPG. Fig. 3 introduces three main improvements of the BPMN extension. First, a new virtual governance pool (on the bottom, dashed line) represents the governance structure (virtual lanes) and BPG-specific tasks that cannot be represented in the original diagram. Our goal is not to alter the process but to model inter-organizational aspects of its governance. Second, improving the primary process elements using the new notation with elements concerned with the traceability and privacy of the activities developed by the business parties. Finally, describing governance-specific tasks and the interactions. The extension enables the representation of IO-BPG activities such as data monitoring, digital resources alignment according to the TSP operator needs, risk-related activities, resource management tasks, strategic alignment tasks, and performance management tasks. Regulations are crucial for governance and are explicitly represented in our proposal (e.g., ISO 9001), like the elements concerned with technological infrastructure. Furthermore, the extension describes the privacy and traceability of data (e.g., the report is a shared document) and tasks (e.g., deploying the platform is a private task) across the participants. The selected use case of the SaaS represents profound changes in the TSP business model (providing communications, hardware, models, and software that drives the customers' business). The impact is also relevant to their increasingly interdependent customers who base decisions on provided AI models and real-time IoT tools. 6. Discussion The most immediate benefit of using the proposed BPMN extension for IO-BPG is that process models are improved with new layers of information. Governance activities can be explicit without distorting the original process representation or the intended use of the standard BPMN symbols. Furthermore, each element can contain more specific aspects regarding data, shared IT resources, and compliance requirements. We found the selected approach more effective for process readability by separating governance-related tasks in the virtual pool. While IT resources and data requirements pertain to the traditional process representation, the capabilities, governance structure, governance process, and relational mechanisms relate to the virtual pool. We chose the qualifier “virtual” because (1) the pool aggregates different process participants from multiple organizations, unlike traditional pools, (2) it represents a “shadow process operation,” sometimes invisible to process participants, and (3) it presents scalability advantages. For example, we can continuously improve the same virtual pool (and reuse RIBEIRO ET AL. MODELLING INTER-ORGANIZATIONAL... when applicable), including more processes in the overall model of the digital platform ecosystem. However, we did not yet explore the scalability of the complete process model. Business partners can use the models as a communication tool. For example, to support the coordination of innovation activities and process assessment. The models also seem promising for audits, guiding the assessment of process execution, data resources, IT, applicable regulations, and the “shadow” governance tasks of the digital business that have now become explicit. Moreover, the models can be used to train new staff in the companies. The use cases also allowed us to identify several limitations in our artifacts. First, compared to the standard BPMN business processes, the additional information adds complexity to the design, making the models harder to read (legends can be created to improve readability). Second, redundancies may occur in the extension elements when modelling multiple business processes. This problem also exists in standard BPMN elements (e.g., data objects), requiring a consistency check. Finally, how the virtual pool can evolve with more processes is a priority for the next steps of our inquiry. We found three important avenues for future research. First, gathering inspiration from the work of [14], integrating elements in the BPMN extension concerned with the representation of KPIs. Second, is the possibility of using the new IO-BPG models for GDPR or security certification audits (e.g., ISO 27001). Third, creating governance archetypes for digital transformation. This line of research already started in the case company is to identify the most suitable governance configurations for specific scenarios. The MIT-CISR proposed different governance archetypes in a foundational work, including “business monarchy, IT monarchy, feudal, federal, and anarchy” [43]. However, these are "static" views of the organization. We argue that digital transformation requires process governance archetypes that can constantly adapt to context changes. 7. Conclusions We presented the results of a DSR project aiming to develop a BPMN extension for IOBPG. The results include (1) a set of domain attributes, (2) a domain ontology, (3) a graphical representation of the BPMN extension elements, and (4) a demonstration of the extension in a TSP case company. We must acknowledge some limitations of our study besides those mentioned in the discussion about the artifact. First, the artifacts created during this cycle improve the current practice of modelling IO-BPG. However, we do not hold evidence of IO-BPG performance improvements (e.g., comparing KPIs). Second, we used literature research and process documentation analysis from a single firm to identify domain concepts, ontology, and critical domain attributes. Conducting industry surveys in the future may add more information layers or IO-BPG elements to the graphical notation. Third, the telecommunication service sector is vital for digital transformation. Nevertheless, the case company does not represent the entire sector, and other sectors may reveal different governance requirements. Future DSR cycles need to integrate more companies adopting IO-BPG, improving the study validation, and providing a deeper evaluation of the extension. Fourth, the project team evaluated the results without involving customers or telecommunication services regulators. Improving the IO-BPG model with more processes will allow exploring its use in audits and understanding readability for practitioners. Finally, our models are “static” at this stage. For example, we cannot represent changes in governance when specific situations occur (e.g., cyber-attacks), which is crucial to make the modelling proactive. The solution envisioned is the creation of IO-BPG archetypes. Acknowledgements This work is funded by the project POWER (grant number POCI-01-0247-FEDER070365), co-financed by the European Regional Development Fund (FEDER), through Portugal 2020 (PT2020), and by the Competitiveness and Internationalization Operational Programme (COMPETE 2020). It is also co-funded by national funds through the FCTFoundation for Science and Technology, I.P., within the scope of the project CISUCUID/CEC/00326/2020 and by European Social Fund, through the Regional Operational Program Centro 2020. ISD2022 ROMANIA References 1. Aguilar-Savén, R.S.: Business process modelling: Review and framework. Int. J. Prod. Econ. 90 (2), 129–149 (2004) 2. Amdah, L., Anwar, A.: A DSL for collaborative Business Process. 2020 Int. Conf. Intell. Syst. Comput. Vision, ISCV 2020. 1–6 (2020) 3. Baiyere, A., Salmela, H., Tapanainen, T.: Digital transformation and the new logics of business process management. Eur. J. Inf. Syst. 29 (3), 238–259 (2020) 4. Bala, H., Venkatesh, V.: Assimilation of interorganizational business process standards. Inf. Syst. Res. 18 (3), 340–362 (2007) 5. Barata, J., da Cunha, P.R.: Modeling the organizational regulatory space: A joint design approach. Lect. Notes Bus. Inf. Process. 165 LNBIP 206–220 (2013) 6. Bocciarelli, P., D’Ambrogio, A., Giglio, A., Paglia, E.: A BPMN extension for modeling Cyber-Physical-Production-Systems in the context of Industry 4.0. IEEE 14th Int. Conf. Networking, Sens. Control. 599–604 (2017) 7. Bouchbout, K., Akoka, J., Alimazighi, Z.: Proposition of a Generic Metamodel for Interorganizational Business Processes. In: Proceedings of the 6th International Workshop on Enterprise & Organizational Modeling and Simulation. pp. 42–56. CEUR-WS.org, Aachen, DEU (2010) 8. Bouchbout, K., Alimazighi, Z.: Inter-organizational business processes modelling framework. CEUR Workshop Proc. 789 45–54 (2011) 9. Braun, R., Schlieter, H.: Requirements-based development of BPMN extensions: The case of clinical pathways. 2014 IEEE 1st Int. Work. Interrelat. Between Requir. Eng. Bus. Process Manag. REBPM 2014 - Proc. 39–44 (2014) 10. Braun, R., Schlieter, H., Burwitz, M., Esswein, W.: BPMN4CP: Design and implementation of a BPMN extension for clinical pathways. Proc. - 2014 IEEE Int. Conf. Bioinforma. Biomed. IEEE BIBM 2014. 9–16 (2014) 11. Breu, R., Dustdar, S., Eder, J., Huemer, C., Kappel, G., Kopke, J., Langer, P., Mangler, J., Mendling, J., Neumann, G., Rinderle-Ma, S., Schulte, S., Sobernig, S., Weber, B.: Towards living inter-organizational processes. IEEE Int. Conf. Bus. Informatics. 363–366 (2013) 12. Cartwright, J., Hahn-Steichen, J., He, J., Miller, T.: Rosetta Net for Intel’s Trading Entity Automation. Intel Technol. J. 9 (3), (2005) 13. Danese, P., Romano, P., Vinelli, A.: Managing business processes across supply networks: The role of coordination mechanisms. J. Purch. Supply Manag. 10 (4-5 SPEC. ISS.), 165– 177 (2004) 14. del-Río-Ortega, A., Resinas, M., Durán, A., Bernárdez, B., Ruiz-Cortés, A., Toro, M.: Visual ppinot: A Graphical Notation for Process Performance Indicators. Bus. Inf. Syst. Eng. 61 (2), 137–161 (2019) 15. Ding, W.W., Liang, X., Hou, J., Wang, G., Yuan, Y., Li, J., Wang, F.Y.: Parallel governance for decentralized autonomous organizations enabled by blockchain and smart contracts. Proc. 2021 IEEE 1st Int. Conf. Digit. Twins Parallel Intell. 78–81 (2021) 16. Fedorowicz, J., Gelinas, U.J., Gogan, J.L., Howard, M., Markus, M.L., Usoff, C., Vidgen, R.: Business process modeling for successful implementation of interorganizational systems. AMCIS 2005. (2005) 17. Giaglis, G.M., Paul, R.J., Doukidis, G.I.: Simulation for intra- and inter-organisational business process modelling. In: WSC90 Proceedings. pp. 1297–1304. , USA (1996) 18. Haes, S. De, Grembergen, W. Van: Enterprise Governance of Information Technology Achieving Alignment and Value, Featuring COBIT 5. Springer Publishing Company, Incorporated (2015) 19. Hein, A., Schreieck, M., Riasanow, T., Setzke, D.S., Wiesche, M., Böhm, M., Krcmar, H.: Digital platform ecosystems. Electron. Mark. 30 (1), 87–98 (2020) 20. Huiskonen, J., Pirttilä, T.: Lateral coordination in a logistics outsourcing relationship. Int. J. Prod. Econ. 78 (2), 177–185 (2002) 21. ISACA: COBIT®2019 Framework: Governance and Management Objectives. ISACA (2018) 22. Kirchmer, M.: Business Process Governance. In: High Performance Through Business RIBEIRO ET AL. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. MODELLING INTER-ORGANIZATIONAL... Process Management. pp. 81–101. Springer International Publishing, Cham (2017) Kirchmer, M.: Digital Transformation of Business Process Governance. In: Shishkov, B. (ed.) Business Modeling and Software Design. pp. 243–261. Springer International Publishing, Cham (2021) Legner, C., Wende, K.: The Challenges of Inter-Organizational Business Process Design A Research Agenda. In: ECIS. (2007) Levstek, A., Hovelja, T., Pucihar, A.: IT governance mechanisms and contingency factors: Towards an adaptive IT governance model. Organizacija. 51 (4), 286–310 (2018) Lucidchart: Lucidchart: Online Diagram Software & Visual Solution, https://lucid.app/documents#/dashboard, Accessed: February 16, 2021, (2021) Mangalaraj, G., Singh, A., Taneja, A.: IT governance frameworks and COBIT - A literature review. 20th Am. Conf. Inf. Syst. AMCIS 2014. 1–10 (2014) March, S.T., Smith, G.F.: Design and natural science research on information technology. Decis. Support Syst. 15 (4), 251–266 (1995) Markus, M.L., Jacobson, D.D.: Business Process Governance. In: vom Brocke, J. and Rosemann, M. (eds.) Handbook on Business Process Management 2. pp. 201–222. Springer Berlin Heidelberg, Berlin, Heidelberg (2010) Markus, M.L., Jacobson, D.D.: The Governance of Business Processes. In: vom Brocke, J. and Rosemann, M. (eds.) Handbook on Business Process Management 2: Strategic Alignment, Governance, People and Culture. pp. 311–332. Springer Berlin Heidelberg, Berlin, Heidelberg (2015) Markus, M.L., Steinfield, C.W., Wigand, R.T.: Industry-wide information systems standardization as collective action: the case of the US residential mortgage industry. MIS Q. 439–465 (2006) Object Management Group, I.: Business Process Model and Notation (BPMN) v2.0.2. (2014) Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24 (3), 45–77 (2007) Rahimi, F., Møller, C., Hvam, L.: Alignment between business process governance and IT governance. 20th Am. Conf. Inf. Syst. AMCIS 2014. (2014) Ribeiro, V., Barata, J., Cunha, P.R.: A BPMN Extension to Model Inter-Organizational Processes in Industry 4.0. Int. Conf. Inf. Syst. Dev. (2021) Rosemann, M.: The service portfolio of a BPM center of excellence. In: Handbook on Business Process Management 2: Strategic Alignment, Governance, People and Culture, Second Edition. pp. 381–398. Springer (2015) Rosemann, M., Brocke, J. vom: The six core elements of business process management. In: Handbook on business process management 1. pp. 105–122. Springer (2015) Santana, A.F.L., Alves, C.F., Santos, H.R.M., De Lima Cavalcanti Felix, A.: BPM governance: An exploratory study in public organizations. Lect. Notes Bus. Inf. Process. 81 LNBIP 46–60 (2011) Schoenthaler, F., Augenstein, D., Karle, T., Draghici, A., Popescu, A.-D., Gogan, L.M.: Design and Governance of Collaborative Business Processes in Industry 4.0. Procedia Soc. Behav. Sci. i (0), 544–551 (2015) Stroppi, L.J.R., Chiotti, O., Villarreal, P.D.: Extending BPMN 2.0: Method and tool support. In: Dijkman, R., Hofstetter, J., and Koehler, J. (eds.) LNBIP Proceedings. pp. 59– 73. Springer Berlin Heidelberg, Berlin, Heidelberg (2011) Vial, G.: Understanding digital transformation. Manag. Digit. Transform. 13–66 (2021) Webb, P., Pollard, C., Ridley, G.: Attempting to define IT governance: Wisdom or folly? Proc. Annu. Hawaii Int. Conf. Syst. Sci. 8 (C), 1–10 (2006) Weill, P., Woodham, R.: Don’t Just Lead, Govern: Implementing Effective IT Governance. SSRN Electron. J. (2005) Zarour, K., Benmerzoug, D., Guermouche, N., Drira, K.: A systematic literature review on BPMN extensions. Bus. Process Manag. J. 26 (6), 1473–1503 (2019) 6,200,000+ free and premium vector icons, illustrations and 3D illustrations, https://www.iconfinder.com/, Accessed: March 07, 2022