Navigating the compliance center
Compliance management allows organizations to monitor the fulfillment or violation of their service level agreements (SLAs) and regulatory requirements. In earlier versions of Apromore, we could create compliance rules for a process by creating filters on the event log. For instance, in an international payment process, we can have a compliance rule that rejects payments to blacklisted individuals. This is done by creating the filter condition on the log. However, operationalizing this workflow is a bottleneck.
When we have multiple compliance rules to check, we must create multiple filters. Also, if we want to create the same compliance rules on other logs, we must create the filters for each log and apply the filter each time. To streamline the process of operationalizing compliance management in Apromore, we introduced the compliance center.
The compliance center allows us to create compliance items used to track the SLAs or compliance violations. A compliance item can be either of the three options:
Risks: These are potential events that could cause businesses to not achieve their compliance or regulatory objectives. For instance, payments to individuals on a blacklist are successful.
Obligations: These are the duties from SLAs or regulatory requirements that must be fulfilled. For instance, the time between approving payment and disbursing payment should be less than 12 hours.
Controls: These are manual or automated actions performed during a process execution that aim to mitigate risks and ensure the obligations are met. For instance, to mitigate the risk of approving payments to a blacklisted individual, we can create a control rule that ensures that before a payment is approved, a due diligence check has been performed. In Apromore, controls are defined using control templates. Then, such control templates are applied to an event log to instantiate the actual control rule (also referred to as compliance rule).
While controls are used both for documentation and instantiation of compliance rules, risks and obligations are primarily used for documentation and governance purposes. Compliance items are saved in a risk, obligation, control (ROC) register. The ROC register helps us track our compliance status and serves as a reference for managing SLAs or regulatory requirements.
Note
While defining the risks and obligations is not mandatory for running a compliance check, we are required to define a control to run a compliance check.
Having defined the compliance items of interest, we can then check the compliance of our processes to identify the controls that are being violated.
As an example, in international banking, the anti-money laundering (AML) Act opens banks to the following risk during payment processing.
Risk #1: The beneficiary bank might have pending sanctions or might not be eligible to receive the funds due to regulations (e.g., funds cannot be transferred to banks of a specific region). To avoid violating this risk, a bank screening is required. This is an activity in the process called Enhanced Due Diligence Check (EDD Check). During this check, all the information related to the beneficiary bank is checked and validated against blacklists. The screening outcome must be positive for the process to continue with the payment.
Risk #2: The beneficiary of the payment might be on a blacklist (i.e., an individual that is flagged as a high-risk profile that should not receive international payments). Similar to the bank’s screening, there exists also another activity in the payment process to perform a check on the beneficiary of the payment. This is called Customer Due Diligence Check (CDD Check).
Meanwhile, in the context of payment processing, the bank is exposed to the risk of overdraft.
Risk #3: The payee’s bank account might not have enough funds to complete the payment, and its account might not allow overdraft (i.e., negative balance). This is checked by verifying that there exist enough funds in the payer’s account or that the payee’s account allows a negative balance.
Given these risks, we can create compliance items in Apromore to check whether the bank complies with these regulatory requirements.
Here are the steps to create compliance items and run a compliance check in Apromore.
Create the risk or obligation of interest.
Create the corresponding control for the risk or obligation.
When creating the control, define its control template.
Assign the control to the risk or obligation register.
Select the created control and edit its compliance rule.
Operationalise the control. This is done by assigning an event log to the control so that the compliance rule is based on the data in the event log.
When creating a compliance rule, a compliance check for that rule is automatically run in the background, and violations are recorded if any exist.
Visualize the results of the compliance check in a dashboard tile, table, or chart.
Create risks or obligations
To begin, go to the Apromore Portal and click Compliance Center.
This opens the compliance center environment where we can specify the compliance items. Click Add new > New item to add a compliance item.
First, we create Risk #1: High-risk profile beneficiary bank. In the Item drop-down, Risk will be selected by default.
Specify the risk name, ID, and description. Other fields might be available if a risk and control register was uploaded into Apromore (in this example, they are category and sub-category).
To complete the risk creation, we need to add its associated control. However, since we have two other risks, we can first create the risks and then create the controls for each of these risks. Finally, we return to the risks and add the controls.
Click Save to save the current risk.
Next, we create Risk #2: High-risk profile beneficiary. Click Add new > New item. Select Risk and fill in the details accordingly.
Click Save.
Next, we define Risk #3: Overdraft when the account type is not credit. Click Add new > New item. Select Risk and fill in the risk details.
Create controls
Now that we have created the risks, we can create the associated control for each of the risks. We begin with the control for risk #1. Click Add new > New item.
Change the Item drop-down to Control.
For Risk #1, the associated control is that “EDD Check” precedes “Approve funds clearance”. Specify the name of the control, ID, and description.
We can check “This control will apply to a subpopulation of all process cases”.
When we do, Apromore allows us to specify the subset of the log where the compliance result will apply. For instance, we may want this control to only apply for cases where the activity “Approve funds clearance” occurred. There will be no need for this control to consider cases where no funds were approved in the case. We are also prompted to enter a description for the subpopulation to be created.
Note
If we specify that the control should be specified on a subpopulation of the log, we will be prompted to define the log population (using filters) when assigning the control to a log.
When defining a control rule in Apromore, we use control templates. A control template represents the structure for creating the control rule. For instance, for a control rule, an “EDD check” must be done before “Approve funds clearance”. We define a “precedes” template.
Control templates can be classified into four control types.
Sequence flow: When we select this type, the template to be created can only involve pathway rules. For instance, activity X precedes activity Y.
Data: When we select this type, we can only create a template that involves the comparison of process attribute values to other attribute values or manually inputted data values. For instance, the payment amount is greater than $1,000.
Resources: When we select this type, we can only create a template that is based on a resource or role. For instance, activity X is performed by resource Y.
Duration: When we select this type, we can only create a template that checks an activity or a sequence of activities is completed no later than, no earlier than, within, or exactly at a given time. For instance, the flow of activities in a case leads to “triage”, and triage happens less than 1 hour from the first activity of the sequence.
In the Control Type drop-down, select the control type needed to build the control template. By default, all four control types are selected.
To create a “precedes” template, we require the “Sequence Flow” control type. Select Sequence Flow.
We can now proceed to define the control template. Click “+”.
In the drop-down, select Precedes.
This creates a template block with the selected template.
To create a complex control template, we may need to combine multiple templates. Templates within the same block will be checked with an “AND” condition, which means all the conditions in the block must be true for the template condition to be met. However, templates in different blocks are linked with an “OR” condition. This means that if a condition in any block is true, the overall template condition is met.
To add templates within a block, click + inside the block and select another template.
To add a new block, click + outside the block.
For this control, we require only the “precedes” template. After creating the control template, click Save.
We can create a similar control for Risk #2. The control template for this risk is that “CDD Check” precedes “Approve funds clearance”. Click Add new > New item. Fill in the control information accordingly. Here too, we check “This control will apply to a subpopulation of all process cases”.
Click Save.
We then create the control for Risk #3. This time, we need a control that confirms that the payer’s balance is greater than the payment amount, OR that the payer’s account type is “Credit”.
Add a new control and enter its name, ID, description, and control type.
Next, we add the control template. The control template will involve the combination of two templates: greater than or equal to and equal to.
The screenshot below shows the control template required.
Click Save.
Add controls to risks
Now we have created the controls, we can add each control to its corresponding risk.
Click the risk and click the edit icon to edit it.
Click Add control.
We see a list of controls that have already been saved. Click the control we wish to add and click Select.
The control now appears in the risk.
Click Save.
We add other controls to their risks. The screenshot below shows the updated Risk #2.
The screenshot below shows the updated Risk #3.
Operationalize a control
Now that we have defined the controls and have added them to the risks, we can assign the controls to a log or operationalize the control. This will instantiate the compliance rules based on the log data, making the controls operative. Click the control and click the Assign process logs icon.
To assign the control to a log, click Add.
Click the folder icon to select the log.
Since we checked “This control will apply to a subpopulation of all process cases” when creating the control, we are now prompted to define the population filter. We will retain only cases were “Approve funds clearance” occurred. Click the pen icon to define the filter.
This opens the filter log window. Retain cases where “Approve funds clearance” and click OK.
Click OK to confirm the filter condition.
After selecting the log and defining the population filter, we are now prompted to fill in the control template based on the log data. Now, we fill the control template as “EDD Check” precedes “Approve funds clearance”. Click OK.
Click OK to save the compliance rule for the control.
For Risk #2, the rule is that “CDD Check” precedes “Approve funds clearance”.
For Risk #3, the rule is that “Balance >= Payment_amount” or “Credit_Account” = 1.
Note
When comparing an attribute to a value, check the box Enter value? And type the value.
Run compliance check
After creating a compliance rule for a control, the compliance check is automatically run in the background. However, it is also possible to run the compliance check manually. To do so, select a control, then click the icon Run compliance check in the top toolbar.
Apromore always performs the compliance checks in the background.
Note
When the event log is updated, the compliance check is automatically run on the updated log.
View compliance check results
We can view the results of the compliance checks in the dashboard as a tile, table, or compliance chart.
View result as a tile
Create a dashboard from the event log and add a tile. In the Stats type drop-down, click Compliance.
This displays the total compliant cases.
We can also view the percentage by clicking Percentage.
We can also view the total non-compliant cases by changing the drop-down to Total non-compliant cases.
We can view the minimum, maximum, median, average and total number of violations that were detected.
We can modify the timeframe of when the violations were detected by changing the From and To values. This timeframe is completely independent of the log timeframe, as it relates to when the compliance checks were performed.
View result as a table
We can also view the compliance results as a dashboard table by creating a compliance table. This table can display the list of compliant or non-compliant cases or the list of violations. To do this, create a table in the dashboard and select Compliance as the table type.
Let’s select to list the Violations by control. Then click Edit and select the controls we are interested in. Click OK to confirm the selection.
Now, our table shows a set of statistics regarding the violations per control.
If we display violations By cases, the table will list all the case IDs that violate the controls.
View result as a chart
Lastly, we can also display the compliance result as a chart. By selecting the X-axis of the chart as “Compliance overview”. Then, as for the table, click on Edit and select the controls of interest. For each control selected, the chart will create a data point (in the example below, a column) reporting the total number of cases violating that specific control.
Upload compliance items as a file
Instead of creating compliance items manually, one at a time, it is also possible to upload a risk and control register file in CSV format.
To showcase this additional functionality, let us consider the following example. Loan application processes are subject to several risks and obligations, which have corresponding controls to keep the process complaint. Among these, we can find the following:
Risk (LAR1): When a customer applies for a loan, the credit officer performing the credit check to determine the eligibility for the loan could be the same credit officer who will approve the offer of credit. Violating this risk might lead to employee theft as well as the inability of the applicant to repay the loan.
Control (SOD1): Segregation of duties.
Risk (LAR2): The credit offer is approved by a credit officer whose CAD level (Credit Authorization Delegation) is below the required one. For regulations, depending on the loan amount, the credit officer approving the offer must have a given CAD level; e.g., for loans of $500,000 to $1,000,000, the CAD level must be 2 or higher.
Control (CADV1): CAD Validity
Obligation (LAO1): The bank has an SLA to process the loan application and provide an offer or a rejection to the applicant within four weeks of the application submission.
Control (DTA1): Decision-to-approval within KPI
If we organize these compliance items into a register in CSV format, as shown below, we can then import it automatically. This will also automatically link the controls to the risks and obligations.
To upload the created CSV file as a risk and control register. Within the compliance center, click Add new > Register upload.
A modal window to upload a file will open. Select the correct file. Ensure it is in CSV UTF-8 format. Click OK to proceed.
Another modal window will open, allowing to map each column of the register to its corresponding field. When doing so, some fields will be mandatory: name, description, type (when uploading a register containing a mix of compliance item types), and Item ID. All other fields are optional to map, and they represent fields that are already present in the system because they were uploaded previously in other registers. However, another important field to map is the “Linked ID”, which represents a link between risks and obligations with controls.
If a Linked ID field is available (i.e., a field linking each risk and obligation to a control and/or vice versa via their IDs), the mapping between risks and obligations and controls will be done automatically.
When ready to upload the register, click Upload.
After the upload is completed, all the risks, obligations, and controls will be ready for use in the compliance center. While we could automatically link controls to risks and obligations during the upload, we still need to define the control templates for each control. Let us do that as we did in the previous example. Open each of the three controls and add the required control templates, as shown below.
Control SOD1
Control CADV1
Control DTA1
Having assigned the control templates, we can now instantiate the controls by creating compliance rules for the loan management log. Select one control at a time and assign it to the log by defining the compliance rules (as shown in the example above).
Control SOD1
Control CADV1
Control DTA1
To validate the effectiveness of our controls, we can create a dashboard, as we showed in example 1 above. For this scenario, let us add three tiles, a chart, and a table.
The dashboard shows that 300 cases out of 5,589 violated one control: 273 violated the CADV1 (CAD Validity) control, and 27 the DTA1 (Decision-to- approval) control. While no cases violated the SOD1 (Segregation of Duties) control or violated more than one control.
The final dashboard view will look as follows.