EAFLOW · CASE · INSURANCE
Risk-and-control catalog migrated and queryable, without losing years of modeling work
A leading insurance organization, with an operation in Argentina, validated the first adoption phase of Risk & Control Assurance: the risk-and-control catalog of its enterprise GRC platform migrated to the Operational Graph —inherited codes, classic categories and initial scoring preserved— with Max enabled for natural-language querying over the migrated catalog from day one.
The validation showed that the solution works over the client's real operation and the value it delivers: the risk-control universe available as a navigable layer of the graph, queryable by category, code, score or description, and ready to connect to processes and applications in later phases.
The challenge
Insurance-sector organizations with an assurance function —Risk, Internal Control, Compliance, Audit— usually have years invested in an enterprise GRC platform. The risk-and-control catalog is curated, categorized, scored and known by the team. The problem is not the lack of a model: it is that the catalog lives in proprietary structures, isolated from the rest of the operation.
- The R&C catalog is a valuable asset: hundreds of risks and thousands of controls represent years of workshops with the business, external-audit reviews, RCSA cycles and governance decisions. Throwing the catalog away is not an option.
- Enterprise GRC platforms are not trivially migratable: inherited codes, model attributes, proprietary taxonomies, domain hierarchies and categories live in the modeler's proprietary structures. Migrating requires preserving what the team knows.
- The catalog does not answer in natural language: the legacy GRC platform delivers tabular views, flat exports and traditional reporting. "Which controls apply to high-score operational risks?" is answered by hand over spreadsheets.
- The catalog is isolated from the rest of the operational model: the risks do not appear next to the processes that originate them, nor the applications that support them, nor the documentation that holds up the control.
- The traditional options are binary: switch platforms with a full migration (a long, costly project) or migrate nothing (the legacy bill keeps growing). Neither option moves the catalog without forcing a commitment of the whole operational model from day one.
Assurance does not start by rebuilding the catalog. It starts with the catalog migrated, with codes and categories preserved, and queryable over the graph.
The EAFlow solution
Risk & Control Assurance is a cross-cutting solution of EAFlow Platform built on the common Operational Graph layer. This validation is positioned as the first adoption phase: migration of the catalog from the legacy enterprise GRC platform and Max over what was migrated, without forcing the client to commit the rest of the operational model from the start. The validation covered, over the assurance catalog of the client's operation:
- Risk-catalog migration at scale. Hundreds of risks from the legacy GRC-platform catalog migrated to the Operational Graph with inherited codes, descriptions, categories, initial probability-and-impact scoring and the associated governance attributes. The catalog is not redone: it is preserved.
- Control-catalog migration at scale. Almost a thousand controls associated with the risk universe migrated to the graph with their classification of type, frequency and implementation status. The team recognizes the migrated catalog by name, code and category.
- Classic categorization of the R&C model preserved. The usual categories of the assurance model —operational, compliance, security, technology, strategic, financial— are kept as dimensions of the migrated catalog, enabling the views the team already operated.
- Risks and controls as first-class graph entities. The migrated catalog stops living in parallel spreadsheets and becomes a navigable layer of the Operational Graph, with direct querying by category, code, score or description.
- Max enabled over the migrated catalog. Natural-language queries —"which risks are in the compliance category?", "which controls apply to operational risks?", "which risks have a high score?"— answer citing risk, control, code and category, always with human control. Max does not invent: it answers over the migrated catalog, with mandatory citation to the source.
- A foundation ready for connection to the rest of the model. The migrated risks and controls are ready to connect, in later phases, to the modernized processes, the portfolio applications, the current documents and the assurance tests / self-assessments.
Connecting the migrated catalog to the rest of the operational model —processes, applications, documents, tests, findings, action plans, end-to-end auditor trail— belongs to the evolutionary phases of the solution, not to this first phase. The connection to the GRC platform and to the client's official sources is established by maturity and technical validation in discovery; the solution operates over the client's sources, without replacing them or migrating en masse what already fulfills its role.
What was validated
The experience was run at scale over the assurance catalog of the enterprise GRC platform of the client's operation. The Risk team went through the full catalog migration: reading the legacy catalog; preserving inherited codes, descriptions, categories and initial scoring; migrating the associated control catalog with its classification; producing a quality report with orphans and missing attributes explicitly listed; and querying the migrated catalog in natural language with Max, with answers citing risk, control, code and category. The traceability of the migration (author, date and reason per node) was recorded for future audit.
Demonstrated capabilities
- Operational Graph as the common context foundation.
- Risk-catalog migration at scale with inherited codes preserved.
- Control-catalog migration at scale with type, frequency and implementation status.
- Classic categories of the R&C model preserved as catalog dimensions.
- Risks and controls as first-class graph entities.
- Natural-language querying with Max over the migrated catalog, with mandatory citation to source and a non-AI fallback available.
- Quality report of the migrated catalog (orphans, missing attributes, out-of-range values).
- Provenance traceability per migrated node.
Observed outcome
The assurance catalog moved from "living in proprietary structures and parallel spreadsheets" to being available as a navigable layer of the graph, with inherited codes, classic categories and initial scoring preserved. Natural-language querying over the catalog —which the legacy platform could not offer— started answering citing risk, control, code and category, without rebuilding anything by hand.
The validation confirmed that the solution migrates the R&C catalog at scale over the client's real operation as the first adoption phase, leaving the connection to the rest of the model —risk ↔ process, control ↔ application, the full scope of assurance— as an evolutionary path the Risk team decides, with the migration as evidence and not as a forced decision.
Why it matters for other organizations
The pattern repeats in insurance-sector organizations with an assurance function: the enterprise GRC platform exists and fulfills its role, but the catalog stays isolated from the process and does not answer in natural language, and the migration is perceived as an all-or-nothing project. Demonstrating, over the client's operation, that hundreds of risks and almost a thousand controls migrate at scale while preserving codes and categories, and become queryable with Max from day one, turns a "commit the whole model" decision into one informed by evidence, phase by phase.
Starting with the catalog migration is also a low-risk entry point: the same Operational Graph that holds the catalog later holds processes, applications, living documents and the full scope of assurance.
How it scales — related solutions
The migrated risk-control catalog is reused on the same Operational Graph:
- Toward the full scope of assurance: Risk & Control Assurance
  Activate RCSA, control tests, findings, action plans, connected documentary evidence, the auditor trail over the graph and assurance reporting, over the already-migrated catalog.
- Toward processes: Process Knowledge
  Each risk in the migrated catalog connects to the operational process that originates or executes it, and the risk-control-process matrix becomes queryable over the graph.
- Toward the IT portfolio: Live IT Inventory
  Each control that applies over an application is anchored in the inventory, and functional criticality connects to the control that covers it.
- Toward living documents: Document Governance & Evidence
  The current documents that back each control are linked, completing the evidence trail.
- Toward operational continuity: Operational Continuity & Resilience
  The continuity risks in the migrated catalog feed the BIA, RTO/RPO and critical-dependency model when it is activated.