Using the compliance center

Compliance management allows organizations to monitor the fulfillment or violation of their service level agreements (SLAs) and regulatory requirements. In earlier versions of Apromore, we could create compliance rules for a process by creating filters on the event log. For instance, in an international payment process, we can have a compliance rule that rejects payments to blacklisted individuals. This is done by creating the filter condition on the log. However, operationalizing this workflow is a bottleneck.

When we have multiple compliance rules to check, we must create multiple filters. Also, if we want to create the same compliance rules on other logs, we must create the filters for each log and apply the filter each time. To streamline the process of operationalizing compliance management in Apromore, we introduced the compliance center.

The compliance center allows us to create compliance items used to track SLAs or compliance violations. A compliance item can be one of three types:

  • Risks: These are potential events that could cause businesses to not achieve their compliance or regulatory objectives. For instance, payments to individuals on a blacklist are successful.

  • Obligations: These are the duties from SLAs or regulatory requirements that must be fulfilled. For instance, the time between approving payment and disbursing payment should be less than 12 hours.

  • Controls: These are manual or automated actions performed during a process execution that aim to mitigate risks and ensure the obligations are met. For instance, to mitigate the risk of approving payments to a blacklisted individual, we can create a control rule that ensures that before a payment is approved, a due diligence check has been performed. In Apromore, controls are defined using control templates. Then, such control templates are applied to an event log to instantiate the actual control rule (also referred to as compliance rule).

While controls are used both for documentation and instantiation of compliance rules, risks and obligations are primarily used for documentation and governance purposes. Compliance items are saved in a risk, obligation, control (ROC) register. The ROC register helps us track our compliance status and serves as a reference for managing SLAs or regulatory requirements.

Note

While defining the risks and obligations is not mandatory for running a compliance check, we are required to define a control to run a compliance check.

Having defined the compliance items of interest, we can then check the compliance of our processes to identify the controls that are being violated.

As an example, in international banking, the anti-money laundering (AML) Act exposes banks to the following risks during payment processing.

  • Risk #1: The beneficiary bank might have pending sanctions or might not be eligible to receive the funds due to regulations (e.g., funds cannot be transferred to banks of a specific region). To mitigate this risk, a bank screening is required. This is an activity in the process called Enhanced Due Diligence Check (EDD Check). During this check, all the information related to the beneficiary bank is checked and validated against blacklists. The screening outcome must be positive for the process to continue with the payment.

  • Risk #2: The beneficiary of the payment might be on a blacklist (i.e., an individual that is flagged as a high-risk profile that should not receive international payments). Similar to the bank screening, there is another activity in the payment process that checks the beneficiary of the payment. This is called Customer Due Diligence Check (CDD Check).

Meanwhile, in the context of payment processing, the bank is exposed to the risk of overdraft.

  • Risk #3: The payer’s bank account might not have enough funds to complete the payment, and the account might not allow overdraft (i.e., negative balance). This is checked by verifying that there are enough funds in the payer’s account or that the payer’s account allows a negative balance.

Given these risks, we can create compliance items in Apromore to check whether the bank complies with these regulatory requirements.

Here are the steps to create compliance items and run a compliance check in Apromore.

  • Create the risk or obligation of interest.

  • Create the corresponding control for the risk or obligation.

  • When creating the control, define its control template.

  • Assign the control to the risk or obligation register.

  • Select the created control and edit its compliance rule.

  • Operationalise the control. This is done by assigning an event log to the control so that the compliance rule is based on the data in the event log.

  • When creating a compliance rule, a compliance check for that rule is automatically run in the background, and violations are recorded if any exist.

  • Visualize the results of the compliance check in a dashboard tile, table, or chart.

Create risks or obligations

To begin, go to the Apromore Portal and click Compliance Center.

This opens the compliance center environment where we can specify the compliance items. Click Add new > New item to add a compliance item.

First, we create Risk #1: High-risk profile beneficiary bank. In the Item drop-down, Risk will be selected by default.

Specify the risk name, ID, and description. Other fields might be available if a risk and control register was uploaded into Apromore (in this example, they are category and sub-category).

To complete the risk creation, we need to add its associated control. However, since we have two other risks, we can first create the risks and then create the controls for each of these risks. Finally, we return to the risks and add the controls.

Click Save to save the current risk.

Next, we create Risk #2: High-risk profile beneficiary. Click Add new > New item. Select Risk and fill in the details accordingly.

Click Save.

Next, we define Risk #3: Overdraft when the account type is not credit. Click Add new > New item. Select Risk and fill in the risk details.

Create controls

Now that we have created the risks, we can create the associated control for each of the risks. We begin with the control for risk #1. Click Add new > New item.

Change the Item drop-down to Control.

For Risk #1, the associated control is that “EDD Check” precedes “Approve funds clearance”. Specify the name of the control, ID, and description.

When defining a control rule in Apromore, we use control templates. A control template represents the structure for creating the control rule. For instance, for the control rule that an “EDD Check” must be done before “Approve funds clearance”, we define a “precedes” template.

Control templates can be classified into four control types.

  • Sequence flow: When we select this type, the template to be created can only involve pathway rules. For instance, activity X precedes activity Y.

  • Data: When we select this type, we can only create a template that involves the comparison of process attribute values to other attribute values or manually inputted data values. For instance, the payment amount is greater than $1,000.

  • Resources: When we select this type, we can only create a template that is based on a resource or role. For instance, activity X is performed by resource Y.

  • Duration: When we select this type, we can only create a template that checks that an activity or a sequence of activities is completed no later than, no earlier than, within, or exactly at a given time. For instance, the flow of activities in a case leads to “triage”, and triage happens less than 1 hour from the first activity of the sequence.

In the Control Type drop-down, select the control type needed to build the control template. By default, all four control types are selected.

To create a “precedes” template, we require the “Sequence Flow” control type. Select Sequence Flow.

We can now proceed to define the control template. Click “+”.

In the drop-down, select Precedes.

This creates a template block with the selected template.

To create a complex control template, we may need to combine multiple templates. Templates within the same block will be checked with an “AND” condition, which means all the conditions in the block must be true for the template condition to be met. However, templates in different blocks are linked with an “OR” condition. This means that if a condition in any block is true, the overall template condition is met.

To add templates within a block, click + inside the block and select another template.

To add a new block, click + outside the block.

For this control, we require only the “precedes” template. After creating the control template, click Save.

We can create a similar control for Risk #2. The control template for this risk is that “CDD Check” precedes “Approve funds clearance”. Click Add new > New item. Fill in the control information accordingly.

Click Save.

We then create the control for Risk #3. This time, we need a control that confirms that the payer’s balance is greater than the payment amount, OR that the payer’s account type is “Credit”.

Add a new control and enter its name, ID, description, and control type.

Next, we add the control template. The control template will involve the combination of two templates: greater than or equal to and equal to.

The screenshot below shows the control template required.

Compli022

Click Save.

Add controls to risks

Now that we have created the controls, we can add each control to its corresponding risk.

Click the risk and click the edit icon to edit it.

Click Add control.

We see a list of controls that have already been saved. Click the control we wish to add and click Select.

The control now appears in the risk.

Click Save.

We add the other controls to their risks in the same way. The screenshot below shows the updated Risk #2.

Compli027

The screenshot below shows the updated Risk #3.

Compli028

Operationalize a control

Now that we have defined the controls and have added them to the risks, we can operationalize each control by assigning it to a log. This will instantiate the compliance rules based on the log data, making the controls operative. Click the control and click the Assign process logs icon.

To assign the control to a log, click Add.

Click the folder icon to select the log.

After selecting the log, we are now prompted to fill in the control template based on the log data.

We fill it as “EDD Check” precedes “Approve funds clearance”. Click OK.

Click OK to save the compliance rule for the control.

For Risk #2, the rule is that “CDD Check” precedes “Approve funds clearance”.

For Risk #3, the rule is that “Balance >= Payment_amount” or “Credit_Account” = 1.
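The three compliance rules above, evaluated over a small constructed log, as an added example (not Apromore's implementation and not code from the original page). It assumes that “precedes” means every “Approve funds clearance” event needs an earlier check event in the same case; the control IDs and the sample log are hypothetical.

```python
# Constructed payment log (not Apromore data):
# case id -> (activities in order, case attributes).
LOG = {
    "P1": (["EDD Check", "CDD Check", "Approve funds clearance"],
           {"Balance": 900, "Payment_amount": 500, "Credit_Account": 0}),
    "P2": (["CDD Check", "Approve funds clearance", "EDD Check"],
           {"Balance": 100, "Payment_amount": 500, "Credit_Account": 1}),
    "P3": (["EDD Check", "CDD Check", "Approve funds clearance"],
           {"Balance": 100, "Payment_amount": 500, "Credit_Account": 0}),
    "P4": (["CDD Check", "Reject payment"],
           {"Balance": 800, "Payment_amount": 500, "Credit_Account": 0}),
}

def precedes(first, then):
    """Template: every `then` event needs an earlier `first` event (assumed semantics)."""
    def check(activities, attrs):
        seen_first = False
        for activity in activities:
            if activity == first:
                seen_first = True
            elif activity == then and not seen_first:
                return False
        return True  # also true when `then` never occurs in the case
    return check

def attr_at_least(left, right):
    """Template: attribute `left` is greater than or equal to attribute `right`."""
    return lambda activities, attrs: attrs[left] >= attrs[right]

def attr_equals(name, value):
    """Template: attribute `name` equals an entered value."""
    return lambda activities, attrs: attrs[name] == value

# A control is a list of blocks; a block is a list of templates.
# The control IDs are hypothetical placeholders.
CONTROLS = {
    "CTRL-1": [[precedes("EDD Check", "Approve funds clearance")]],
    "CTRL-2": [[precedes("CDD Check", "Approve funds clearance")]],
    "CTRL-3": [[attr_at_least("Balance", "Payment_amount")],
               [attr_equals("Credit_Account", 1)]],
}

def satisfied(blocks, activities, attrs):
    """AND inside a block, OR across blocks."""
    return any(all(t(activities, attrs) for t in block) for block in blocks)

def violations(log, controls):
    """Map each control ID to the case IDs that violate it."""
    return {cid: [case for case, (acts, attrs) in log.items()
                  if not satisfied(blocks, acts, attrs)]
            for cid, blocks in controls.items()}

if __name__ == "__main__":
    print(violations(LOG, CONTROLS))
```

Case P2 passes the overdraft control only through the second block (credit account), and case P4 passes both sequence controls because no approval event occurs.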

Note

When comparing an attribute to a value, check the box Enter value? and type the value.

Run compliance check

After creating a compliance rule for a control, the compliance check is automatically run in the background. However, it is also possible to run the compliance check manually. To do so, select a control, then click the icon Run compliance check in the top toolbar.

Apromore always performs the compliance checks in the background.

Note

When the event log is updated, the compliance check is automatically run on the updated log.

View compliance check results

We can view the results of the compliance checks in the dashboard as a tile, table, or compliance chart.

View result as a tile

Create a dashboard from the event log and add a tile. In the Stats type drop-down, click Compliance.

This displays the total compliant cases.

We can also view the percentage by clicking Percentage.

We can also view the total non-compliant cases by changing the drop-down to Total non-compliant cases.

We can view the minimum, maximum, median, average and total number of violations that were detected.

We can modify the timeframe of when the violations were detected by changing the From and To values. This timeframe is completely independent of the log timeframe, as it relates to when the compliance checks were performed.

View result as a table

We can also view the compliance results as a dashboard table by creating a compliance table. This table can display the list of compliant or non-compliant cases or the list of violations. To do this, create a table in the dashboard and select Compliance as the table type.

Let’s select to list the Violations by control. Then click Edit and select the controls we are interested in. Click OK to confirm the selection.

Now, our table shows a set of statistics regarding the violations per control.

If we display violations By cases, the table will list all the case IDs that violate the controls.

View result as a chart

Lastly, we can also display the compliance result as a chart. To do so, select “Compliance overview” as the X-axis of the chart. Then, as for the table, click Edit and select the controls of interest. For each control selected, the chart will create a data point (in the example below, a column) reporting the total number of cases violating that specific control.

Compli047

Upload compliance items as a file

Instead of creating compliance items manually, one at a time, it is also possible to upload a risk and control register file in CSV format.

To showcase this additional functionality, let us consider the following example. Loan application processes are subject to several risks and obligations, which have corresponding controls to keep the process compliant. Among these, we can find the following:

Risk (LAR1): When a customer applies for a loan, the credit officer performing the credit check to determine the eligibility for the loan could be the same credit officer who will approve the offer of credit. If this risk materializes, it might lead to employee theft as well as the inability of the applicant to repay the loan.

Control (SOD1): Segregation of duties.

Risk (LAR2): The credit offer is approved by a credit officer whose CAD level (Credit Authorization Delegation) is below the required one. By regulation, depending on the loan amount, the credit officer approving the offer must have a given CAD level; e.g., for loans of $500,000 to $1,000,000, the CAD level must be 2 or higher.

Control (CADV1): CAD Validity

Obligation (LAO1): The bank has an SLA to process the loan application and provide an offer or a rejection to the applicant within four weeks of the application submission.

Control (DTA1): Decision-to-approval within KPI

If we organize these compliance items into a register in CSV format, as shown below, we can then import it automatically. This will also automatically link the controls to the risks and obligations.

Compli048

To upload the created CSV file as a risk and control register, go to the compliance center and click Add new > Register upload.

A modal window to upload a file will open. Select the correct file. Ensure it is in CSV UTF-8 format. Click OK to proceed.

Another modal window will open, allowing us to map each column of the register to its corresponding field. When doing so, some fields will be mandatory: name, description, type (when uploading a register containing a mix of compliance item types), and Item ID. All other fields are optional to map, and they represent fields that are already present in the system because they were uploaded previously in other registers. However, another important field to map is the “Linked ID”, which represents the link between risks or obligations and controls.

If a Linked ID field is available (i.e., a field linking each risk and obligation to a control and/or vice versa via their IDs), the mapping between risks and obligations and controls will be done automatically.
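A pre-upload check of a register file, as an added example (not Apromore code and not from the original page): it verifies UTF-8 encoding, the mandatory fields, and that every Linked ID pairs a risk or obligation with a control that exists in the file. The column header names, the description texts and the one-ID-per-cell Linked ID format are assumptions; the item IDs come from the loan example above.

```python
import csv
import io

MANDATORY = ("Item ID", "Type", "Name", "Description")  # mandatory fields named above
TYPES = {"Risk", "Obligation", "Control"}

# Constructed register: header names and descriptions are assumptions.
REGISTER = b"""Item ID,Type,Name,Description,Linked ID
LAR1,Risk,Same officer checks and approves,Credit check and approval by one officer,SOD1
LAR2,Risk,Insufficient CAD level,Approver CAD level below the required one,CADV1
LAO1,Obligation,Four-week decision SLA,Offer or rejection within four weeks,DTA1
SOD1,Control,Segregation of duties,Checker and approver must differ,
CADV1,Control,CAD Validity,Approver CAD level matches the loan amount,
DTA1,Control,Decision-to-approval within KPI,Decision within four weeks,
"""

def check_register(raw: bytes):
    """Return (links, problems) for a register file given as raw bytes."""
    try:
        text = raw.decode("utf-8-sig")  # CSV UTF-8, with or without a byte-order mark
    except UnicodeDecodeError:
        return {}, ["file is not UTF-8"]
    items, problems = {}, []
    # Line 1 is the header, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        missing = [f for f in MANDATORY if not row.get(f)]
        if missing:
            problems.append(f"line {line_no}: missing {', '.join(missing)}")
        elif row["Type"] not in TYPES:
            problems.append(f"line {line_no}: unknown type {row['Type']}")
        elif row["Item ID"] in items:
            problems.append(f"line {line_no}: duplicate Item ID {row['Item ID']}")
        else:
            items[row["Item ID"]] = row
    links = {}
    for item_id, row in items.items():
        target = row.get("Linked ID", "")
        if not target:
            continue
        if target not in items:
            problems.append(f"{item_id}: Linked ID {target} is not in the register")
        elif (row["Type"] == "Control") == (items[target]["Type"] == "Control"):
            problems.append(f"{item_id}: Linked ID {target} does not pair "
                            "a control with a risk or obligation")
        else:
            links[item_id] = target
    return links, problems

if __name__ == "__main__":
    print(check_register(REGISTER))
```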

When ready to upload the register, click Upload.

After the upload is completed, all the risks, obligations, and controls will be ready for use in the compliance center. While we could automatically link controls to risks and obligations during the upload, we still need to define the control templates for each control. Let us do that as we did in the previous example. Open each of the three controls and add the required control templates, as shown below.

Control SOD1

Compli053

Control CADV1

Compli054

Compli055

Control DTA1

Compli056

Having assigned the control templates, we can now instantiate the controls by creating compliance rules for the loan management log. Select one control at a time and assign it to the log by defining the compliance rules (as shown in the example above).

Control SOD1

Compli057

Control CADV1

Compli058

Control DTA1

Compli059

To validate the effectiveness of our controls, we can create a dashboard, as we showed in example 1 above. For this scenario, let us add three tiles, a chart, and a table.

Compli060Compli061

Compli062

Compli063

Compli064

Compli065

The dashboard shows that 300 cases out of 5,589 violated one control: 273 violated the CADV1 (CAD Validity) control, and 27 the DTA1 (Decision-to-approval) control. No cases violated the SOD1 (Segregation of Duties) control or violated more than one control.

The final dashboard view will look as follows.

Compli066Compli067