EAFLOW · CASE · SOCIAL SECURITY

The criminal-compliance model, connected to the process over the graph

A financial-services organization in social-security contributions collection tested Risk & Control Assurance as a proof of concept, over a representative scenario with sample data from the social-security domain in Chile: risk, control, responsible subject, offense type, process and evidence connected as a single compliance model over the Operational Graph, with a versionable catalog of the figures of the Law 20.393 framework.

The proof of concept showed that the solution works over a representative scenario of the social-security domain and the value it delivers: the trail risk → responsible subject → control → process → evidence is traversed as a query over the graph, not as a spreadsheet reassembled by hand on every regulatory change or audit.


The challenge

Organizations subject to corporate criminal liability in Chile —the Law 20.393 framework and its expansions— hold their offense-prevention model in loose spreadsheets and documents, disconnected from the process that originates them.

  • The prevention model lives in spreadsheets. The map of offense risks, the controls that mitigate them, the responsible subjects and the applicable criminal figures are kept in spreadsheets and presentations, with no connected model.
  • The responsible subject is not connected to the process or the control. Knowing which subject answers for which offense risk, in which process it can materialize and which control mitigates it is a manual reconstruction exercise.
  • The catalog of criminal figures changes and the model does not. Expansions of the legal framework force spreadsheets to be redone; there is no versionable catalog connected to the risk model.
  • Evidence is rebuilt on every audit. The traceability offense risk → control → evidence is not continuously available, and corporate GRC platforms model generic risk-control without bringing the specific attributes of the Chilean framework.

The compliance model is not sustained with loose nodes in a spreadsheet. It is sustained with risks, controls, responsible subjects and evidence connected to the process, current and traceable.

The EAFlow solution

Risk & Control Assurance is a cross-cutting solution of EAFlow Platform built on the shared Operational Graph layer. In this proof of concept it was extended, as a scoped custom delivery over the solution, with the specific legal attributes of the Law 20.393 framework for the Chilean social-security domain. The proof of concept covered, over a representative scenario with sample data:

  • Risk-control universe with Law 20.393 framework attributes. Risks and controls connected as graph nodes, extended with the legal attributes of the framework: responsible subject, offense type and regulatory reference.
  • Responsible subject as a first-class entity. The model connects each offense risk with the applicable responsible subject, the process where it can materialize and the control that mitigates it, with tenant isolation.
  • Versionable catalog of offense types. The figures of the Chilean framework live in a versionable catalog connected to the risks, so that a regulatory change is reflected without redoing the model.
  • Risk-control-process-subject matrix. Coverage, gaps and orphans of the criminal-compliance model become visible as a graph query, not as a report assembled by hand.
  • Evidence connected to the control. The supporting documentation of each control is linked to the control and the process, ready for audit over the sample scenario.
  • Coverage reporting of the compliance model. By responsible subject, by offense type and by process, as a deterministic query over the same graph.

In this proof of concept the support was analytical: traversal over the graph, matrix and connected reporting. Natural-language querying with Max over published evidence is an available capability of the solution that was not activated in this experience; it remains an evolutionary option over the same connected corpus, always with human control. The catalog of figures and the compliance model are tools that organize and connect; legal interpretation and responsibility over the Law 20.393 framework remain with the client and its legal counsel.

What was tested

The proof of concept was run over a representative scenario with sample data of the social-security domain, not over the client's real universe. The team walked the Law 20.393 compliance model over the graph: risk-control universe with legal attributes, responsible subject as a first-class entity, versionable catalog of offense types, risk-control-process-subject matrix, evidence connected to the control and coverage reporting. What is tested is the capability of the model, not an implementation with the client's production universe.

Demonstrated capabilities

  • Operational Graph as the shared context base.
  • Law 20.393 framework attributes (responsible subject, offense type, regulation) over the risk-control model.
  • Versionable catalog of offense types, connected to the risks.
  • Responsible subject as a first-class entity, with tenant isolation.
  • Risk-control-process-subject matrix as a navigable query over the graph.
  • Evidence connected to the control over the sample scenario.
  • Coverage reporting by responsible subject, offense type and process.

Observed result

The offense-prevention model went from "living in loose spreadsheets" to being a connected model over the graph, where the trail offense risk → responsible subject → control → process → evidence is navigated as a query, not as a manual reconstruction. The compliance matrix became available with coverage, gaps and orphans visible, and the catalog of criminal figures showed that a regulatory change is reflected without redoing the model.

The proof of concept confirmed the functional viability of the Law 20.393 model over the Operational Graph as a step prior to loading the client's real universe.

Why it matters for other organizations

The pattern repeats in Chilean organizations subject to corporate criminal liability: the offense-prevention model lives in disconnected spreadsheets, the responsible subject is not connected to the process or the control, and the catalog of figures changes faster than the spreadsheets are redone. Modeling it over the Operational Graph —with the specific attributes of the framework and a versionable catalog— turns compliance into a navigable and traceable layer.

Starting with the compliance model is also a low-risk entry point: the same Operational Graph that connects risks, controls and responsible subjects later sustains processes, documentary evidence and continuity.

How it scales — related solutions

The connected risk-control universe is reused over the same Operational Graph: