EAFLOW · CASE · PREVISIONAL
The risk, control and compliance model, connected to the process over the graph
The risk and control layer connects to the process as a natural extension of the operational model. In this proof of concept, a social-security contributions financial-services organization —pension-contributions collection— walked Risk & Control Assurance over a representative scenario of the social-security domain in Chile: from documented and critical processes you can see associated risks, controls, evidence, owners, tests and gaps as a single GRC model over the Operational Graph, with a representative model of the Law 20.393 regulatory framework and its versionable catalog of obligations.
The risk and control layer lives connected to the process: the trail compliance risk → compliance owner → control → process → evidence is traversed as a query over the graph, ready to answer on every regulatory change or audit. EAFlow shows a representative scenario to validate traceability and reportability, leaving the real load for Discovery — without assuming a full migration from an existing GRC platform nor using the client's production data.
The challenge
Organizations subject to compliance obligations under the Law 20.393 regulatory framework in Chile —and its expansions— hold their compliance model in loose spreadsheets and documents, disconnected from the process that originates them.
- The compliance model lives in spreadsheets. The map of compliance risks, the controls that mitigate them, the compliance owners and the applicable framework obligations are kept in spreadsheets and presentations, with no connected model.
- The compliance owner is not connected to the process or the control. Knowing which owner answers for which compliance risk, in which process it can materialize and which control mitigates it is a manual reconstruction exercise.
- The catalog of framework obligations changes and the model does not. Expansions of the regulatory framework force spreadsheets to be redone; there is no versionable catalog connected to the risk model.
- Evidence is rebuilt on every audit. The traceability compliance risk → control → evidence is not continuously available, and corporate GRC platforms model generic risk-control without bringing the specific attributes of the Chilean framework.
The compliance model is not sustained with loose nodes in a spreadsheet. It is sustained with risks, controls, owners and evidence connected to the process, current and traceable.
The EAFlow solution
Risk & Control Assurance is a cross-cutting solution of EAFlow Platform built on the shared Operational Graph layer. In this proof of concept it was extended, as a scoped delivery (custom delivery) over the solution, with the specific attributes of the Law 20.393 regulatory framework for the Chilean social-security domain. The proof of concept covered, over a representative scenario with sample data:
- Risk-control universe with Law 20.393 regulatory-framework attributes. Risks and controls connected as graph nodes, extended with the attributes of the framework: compliance owner, obligation type and regulatory reference.
- Compliance owner as a first-class entity. The model connects each compliance risk with the applicable owner, the process where it can materialize and the control that mitigates it, with tenant isolation.
- Versionable catalog of framework obligations. The obligations of the Chilean framework live in a versionable catalog connected to the risks, so that a regulatory change is reflected without redoing the model.
- Risk-control-process-owner matrix. Coverage, gaps and risks or controls without sufficient traceability of the compliance model become visible as a graph query, not as a report assembled by hand.
- Evidence connected to the control. The supporting documentation of each control is linked to the control and the process, ready for audit over the sample scenario.
- Coverage reporting of the compliance model. By compliance owner, by obligation type and by process, as a deterministic query over the same graph.
In this proof of concept the support was analytical —traversal over the graph, matrix and connected reporting—. Natural-language querying with Max over published evidence remains an evolutionary option over the same connected corpus, always with human control. The catalog of obligations and the compliance model are tools that organize and connect; interpretation of the Law 20.393 regulatory framework and responsibility over its compliance remain with the client and its advisors.
What was tested
The proof of concept was run over a representative scenario to validate traceability and reportability of the social-security domain, leaving the real load for Discovery. The team walked the Law 20.393 compliance model over the graph: risk-control universe with framework attributes, compliance owner as a first-class entity, versionable catalog of obligations, risk-control-process-owner matrix, evidence connected to the control and coverage reporting. The proof shows the capability of the model, ready to extend to the client's production universe in Discovery.
Demonstrated capabilities
- Operational Graph as the shared context base.
- Law 20.393 regulatory-framework attributes (compliance owner, obligation type, regulation) over the risk-control model.
- Versionable catalog of framework obligations, connected to the risks.
- Compliance owner as a first-class entity, with tenant isolation.
- Risk-control-process-owner matrix as a navigable query over the graph.
- Evidence connected to the control over the sample scenario.
- Coverage reporting by compliance owner, obligation type and process.
Observed result
The compliance model went from "living in loose spreadsheets" to being a connected GRC model over the graph, where the trail compliance risk → compliance owner → control → process → evidence is navigated as a query, not as a manual reconstruction. The compliance matrix became available with coverage, gaps and risks or controls without sufficient traceability visible, and the catalog of framework obligations showed that a regulatory change is reflected without redoing the model.
The proof of concept confirmed the functional viability of the Law 20.393 compliance model over the Operational Graph as a step prior to loading the client's real universe.
Why it matters for other organizations
The pattern repeats in Chilean organizations subject to compliance obligations under the Law 20.393 regulatory framework: the compliance model lives in disconnected spreadsheets, the compliance owner is not connected to the process or the control, and the catalog of obligations changes faster than the spreadsheets are redone. Modeling it over the Operational Graph —with the specific attributes of the framework and a versionable catalog— turns compliance into a navigable and traceable layer.
Starting with the compliance model is also a low-risk entry point: the same Operational Graph that connects risks, controls and owners later sustains processes, documentary evidence and continuity.
How it scales — related solutions
The connected risk-control universe is reused over the same Operational Graph:
- Toward implementation with the client universe Risk & Control Assurance
Loading the client risk and control universe, connecting it to their processes, documentary evidence, tests, self-assessments, findings and action plans, and the auditor trail.
- Toward continuity Operational Continuity & Resilience
Disruption risks are connected to the compliance model and the Law 20.393 regulatory framework, closing the continuity ↔ assurance relationship.
- Toward processes Process Knowledge
The processes where compliance risks can materialize become a connected corpus.
- Toward living documents Document Governance & Evidence
The evidence that backs the controls is governed with an approval, publication and validity flow.