From d1ca643d94cd9dc491ef516f8e07587a4ac32929 Mon Sep 17 00:00:00 2001 From: rg4444 Date: Sat, 21 Mar 2026 20:17:36 +0200 Subject: [PATCH] init --- README.md | 71 +++++ agent.chat.yaml | 79 +++++ enterprise.yaml | 13 + lifecycle.yaml | 18 ++ mappings.yaml | 75 +++++ ownership.yaml | 24 ++ processgit.mcp.yaml | 54 ++++ sanctions-exception.cmmn.xml | 145 +++++++++ uapf.yaml | 35 +++ vendor-onboarding.bpmn.xml | 567 +++++++++++++++++++++++++++++++++++ vendor-risk-scoring.dmn.xml | 226 ++++++++++++++ 11 files changed, 1307 insertions(+) create mode 100644 README.md create mode 100644 agent.chat.yaml create mode 100644 enterprise.yaml create mode 100644 lifecycle.yaml create mode 100644 mappings.yaml create mode 100644 ownership.yaml create mode 100644 processgit.mcp.yaml create mode 100644 sanctions-exception.cmmn.xml create mode 100644 uapf.yaml create mode 100644 vendor-onboarding.bpmn.xml create mode 100644 vendor-risk-scoring.dmn.xml diff --git a/README.md b/README.md new file mode 100644 index 0000000..ab3f14a --- /dev/null +++ b/README.md 
@@ -0,0 +1,71 @@ +# Vendor Onboarding & Approval — UAPF Level 4 Process Package + +> **HeliosGroup** · Procurement Operations · Process-as-Code + +## Overview + +This repository contains a fully executable, AI-governed **Level-4 UAPF process package** for the end-to-end Vendor Onboarding & Approval workflow at HeliosGroup. + +The process covers everything from initial vendor submission through sanctions screening, financial risk scoring, legal review, and IT provisioning — with AI agents orchestrating compliance checks at every gate. + +## Process Summary + +| Stage | Owner | AI Role | +|---|---|---| +| Vendor Submission | Procurement Officer | Form validation & completeness check | +| Sanctions & Compliance Screening | AI Compliance Agent | Real-time OFAC/EU sanctions lookup | +| Financial Risk Scoring | Finance & Tax | DMN-driven risk tier assignment | +| Legal Review | Legal & Contracts | AI-assisted contract clause review | +| IT Provisioning | IT Systems | Automated account & access setup | +| Approval & Activation | Procurement Officer | Final sign-off with audit trail | + +## Repository Structure + +``` +vendor-onboarding-l4/ +├── uapf.yaml # UAPF L4 package manifest +├── enterprise/ +│ └── enterprise.yaml # Enterprise index reference +├── bpmn/ +│ └── vendor-onboarding.bpmn.xml # Main process (5 swim lanes) +├── dmn/ +│ └── vendor-risk-scoring.dmn.xml # Risk tier decision table +├── cmmn/ +│ └── sanctions-exception.cmmn.xml # Sanctions escalation case +├── resources/ +│ └── mappings.yaml # System & agent bindings +├── metadata/ +│ ├── lifecycle.yaml +│ └── ownership.yaml +├── processgit.mcp.yaml # MCP server configuration +└── agent.chat.yaml # AI chat assistant configuration +``` + +## Key Features + +- **AI-first design** — Sanctions screening, risk scoring, and contract review are all AI-executed tasks +- **Sanctions exception handling** — Dedicated CMMN case manages the full escalation path when a vendor matches a watchlist +- **DMN risk scoring** — 
Vendor risk tier is computed from country risk, financial health, and ownership structure +- **MCP-accessible** — All process data is queryable by AI agents via the built-in MCP server +- **Full audit trail** — Every decision is version-controlled and replayable + +## Quick Start (Chat Assistant) + +This repository includes an AI chat assistant. Click the **Chat** icon in the file tree to ask questions like: + +- *"What should I do if the onboarding organization is under sanctions?"* +- *"Describe the full vendor onboarding process"* +- *"What documents are required for a Tier 1 high-risk vendor?"* +- *"Who approves vendors from high-risk jurisdictions?"* + +## Standards & Compliance + +- UAPF v1.0 compliant (Level 4 — executable process) +- BPMN 2.0 · DMN 1.3 · CMMN 1.1 +- OFAC / EU Consolidated Sanctions List screening +- GDPR-aware data handling (vendor PII minimized) +- EU AI Act Art. 9 risk management documentation + +--- + +*Powered by [ProcessGit](https://processgit.org) — Git for Processes* diff --git a/agent.chat.yaml b/agent.chat.yaml new file mode 100644 index 0000000..59d1408 --- /dev/null +++ b/agent.chat.yaml 
@@ -0,0 +1,79 @@ +version: "1.0" + +ui: + name: "Helios Procurement AI" + subtitle: "Vendor Onboarding & Compliance Assistant" + welcome_message: | + Welcome to the **HeliosGroup Vendor Onboarding Assistant**. + + I have full knowledge of our vendor onboarding process, risk scoring rules, sanctions procedures, and compliance requirements. + + Ask me anything — for example: + - *"What should I do if the vendor is under sanctions?"* + - *"Describe the full vendor onboarding process"* + - *"What documents are required for a high-risk vendor?"* + - *"Who approves a Tier 1 vendor from a high-risk country?"* + + quick_questions: + - "What should I do if the onboarding organization is under sanctions?" + - "Describe the full vendor onboarding process step by step" + - "What documents are required for vendor onboarding?" + - "How is vendor risk tier calculated?" + - "Who has authority to approve a high-risk Tier 1 vendor?" + - "What is the difference between a direct and indirect sanctions match?" + +llm: + provider: "anthropic" + model: "claude-sonnet-4-5" + api_key_ref: "ANTHROPIC_API_KEY" + max_tokens: 1500 + temperature: 0.2 + system_prompt: | + You are the HeliosGroup Procurement AI Assistant — an expert on the company's + Vendor Onboarding & Approval process. + + You have access to the complete process documentation through MCP tools, including: + - The full BPMN onboarding workflow with 5 swim lanes + - DMN risk scoring rules (Tier 1/2/3 classification) + - CMMN sanctions exception and escalation case + - System and agent resource mappings + + Your role is to help procurement officers, legal staff, and finance teams + understand and navigate the vendor onboarding process confidently. 
+ + Communication style: + - Be clear, concise, and actionable + - Always cite the specific process step or rule when relevant + - For sanctions questions, be precise about escalation paths + - For risk questions, explain the scoring criteria clearly + - Use numbered steps for procedural answers + + When a user asks about sanctions, always: + 1. Explain what the AI Compliance Agent does first (automatic screening) + 2. Describe the escalation path to Legal + 3. Mention the CMMN exception case that is opened + 4. Clarify that direct matches require CEO/CLO review + + When a user asks about risk tiers: + - Tier 1 = Enhanced Due Diligence, CPO + legal approval, 30-day review + - Tier 2 = Standard Due Diligence, Director approval, 10-14 days + - Tier 3 = Simplified Due Diligence, Officer approval, 5-7 days + +mcp: + use_repo_mcp: true + allowed_tools: + - search + - get_entity + - list_entities + - describe_model + - generate_document + +access: + visibility: "public" + rate_limits: + requests_per_minute: 20 + requests_per_day: 200 + max_conversation_turns: 30 + +history: + enabled: false diff --git a/enterprise.yaml b/enterprise.yaml new file mode 100644 index 0000000..9d8d805 --- /dev/null +++ b/enterprise.yaml @@ -0,0 +1,13 @@ +kind: uapf.enterprise.index +level: 0 +enterprise: + id: heliosgroup + name: HeliosGroup + description: > + HeliosGroup enterprise process catalog — AI-governed operational + processes across procurement, finance, legal, and IT domains. +packages: + - ref: ../vendor-onboarding-l4 + level: 4 + domain: procurement + description: Vendor Onboarding & Approval with AI compliance screening diff --git a/lifecycle.yaml b/lifecycle.yaml new file mode 100644 index 0000000..5f299d9 --- /dev/null +++ b/lifecycle.yaml 
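Review bot: The `access` block sets `visibility: "public"` while `mcp.allowed_tools` grants `search`, `get_entity`, `list_entities` and `generate_document` over the whole package, so anyone who can reach the assistant can enumerate approval authorities, escalation thresholds and the sanctioned-jurisdiction list, and with `history.enabled: false` there is no record of what was disclosed; the visibility should be restricted to authenticated staff using whatever non-public value the schema supports, and tool access logged. Separately, the `system_prompt` hard-codes the tier rules ("Tier 1 = Enhanced Due Diligence, CPO + legal approval, 30-day review") although the DMN's second Tier-1 row outputs "Chief Procurement Officer + CFO", so the assistant will answer that case wrongly and the two will drift further on every DMN change. Prefer a prompt instruction such as `- For risk-tier questions, resolve the rule via get_entity on Decision_VendorRiskTier; do not restate the table from memory` in place of the three hard-coded tier lines. The `api_key_ref` indirection is correct as written.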
@@ -0,0 +1,18 @@
+kind: uapf.metadata.lifecycle
+status: stable
+version: 1.0.0
+effectiveFrom: "2026-01-01"
+effectiveUntil: null
+reviewCycle: annual
+lastReview: "2026-01-15"
+nextReview: "2027-01-15"
+approvals:
+ - approver: Chief Procurement Officer
+ date: "2026-01-15"
+ status: approved
+ - approver: Chief Legal Officer
+ date: "2026-01-15"
+ status: approved
+ - approver: Chief Compliance Officer
+ date: "2026-01-15"
+ status: approved
diff --git a/mappings.yaml b/mappings.yaml
new file mode 100644
index 0000000..d3879e1
--- /dev/null
+++ b/mappings.yaml
@@ -0,0 +1,75 @@
+version: "1.0"
+mappings:
+ - taskId: Task_ValidateSubmission
+ type: human_role
+ resource: procurement-officer
+ role: Procurement Officer
+
+ - taskId: Task_RegisterVendor
+ type: system_api
+ resource: master-data-management
+ endpoint: /api/v1/vendors/register
+
+ - taskId: Task_SanctionsScreening
+ type: ai_agent
+ resource: ai-compliance-agent
+ capabilities:
+ - ofac_screening
+ - eu_sanctions_lookup
+ - un_consolidated_list
+ endpoint: /api/v1/compliance/sanctions-check
+
+ - taskId: Task_OwnershipCheck
+ type: ai_agent
+ resource: ai-compliance-agent
+ capabilities:
+ - ubo_analysis
+ - corporate_structure_mapping
+ - pep_screening
+
+ - taskId: Task_RiskScoring
+ type: decision_engine
+ resource: dmn-engine
+ decisionRef: Decision_VendorRiskTier
+ inputs:
+ - countryCode
+ - creditScore
+ - ownershipStructure
+ - annualContractValue
+ - yearsTrading
+
+ - taskId: Task_LegalReview
+ type: human_role
+ resource: legal-counsel
+ role: Legal & Compliance Officer
+
+ - taskId: Task_ContractDrafting
+ type: human_role
+ resource: legal-counsel
+ role: Contract Specialist
+ ai_assist: true
+ ai_capabilities:
+ - clause_suggestion
+ - risk_clause_detection
+
+ - taskId: Task_CreateVendorProfile
+ type: system_api
+ resource: sap-erp
+ endpoint: /api/v1/vendors/create
+ system: SAP S/4HANA
+
+ - taskId: Task_ProvisionPortalAccess
+ type: system_api
+ resource: vendor-portal
+ endpoint: /api/v1/access/provision
+
+ - taskId: Task_SetupPaymentDetails
+ type: system_api
+ resource: treasury-system
+ endpoint: /api/v1/payment/setup
+
+ - taskId: Task_IntegrateERP
+ type: system_api
+ resource: sap-erp
+ endpoint: /api/v1/vendors/activate
+ system: SAP S/4HANA
diff --git a/ownership.yaml b/ownership.yaml
new file mode 100644
index 0000000..06d1bc0
--- /dev/null
+++ b/ownership.yaml
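Review bot: The BPMN lanes reference tasks that have no entry in `mappings`, including the whole high-risk path: Task_SanctionsEscalation, Task_EnhancedDueDiligence, Task_FinancialDueDiligence, Task_TaxVerification, Task_GenerateRiskProfile, Task_AutoReject_Sanctions, Task_FinalApproval, Task_RequestMissingDocs, Task_NotifyVendorApproved, Task_NotifyVendorRejected and Task_ArchiveRejection, so nothing binds a resource or approver to the escalation and enhanced-due-diligence steps. The Task_RiskScoring `inputs` list also omits `onFATFList`, which the DMN country-risk table reads alongside `countryCode`; add `- onFATFList` under `inputs`, or that rule column will evaluate against an unset value. Task_OwnershipCheck is an `ai_agent` binding without an `endpoint`, unlike Task_SanctionsScreening, which looks like an omission rather than a deliberate difference — worth a comment either way.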
@@ -0,0 +1,24 @@
+kind: uapf.metadata.ownership
+owner:
+ team: procurement-ops
+ contact: procurement@heliosgroup.com
+ department: Group Procurement Operations
+
+stakeholders:
+ - name: Legal & Compliance
+ role: Process Reviewer
+ contact: legal@heliosgroup.com
+ - name: Finance & Tax
+ role: Risk Scoring Owner
+ contact: finance@heliosgroup.com
+ - name: IT & Systems
+ role: Integration Owner
+ contact: it@heliosgroup.com
+ - name: Group Risk Committee
+ role: Oversight
+ contact: risk@heliosgroup.com
+
+escalation:
+ level_1: procurement@heliosgroup.com
+ level_2: legal@heliosgroup.com
+ level_3: cpo@heliosgroup.com
diff --git a/processgit.mcp.yaml b/processgit.mcp.yaml
new file mode 100644
index 0000000..9b6ab58
--- /dev/null
+++ b/processgit.mcp.yaml
@@ -0,0 +1,54 @@ +version: 1 + +server: + name: "HeliosGroup Vendor Onboarding MCP" + description: > + MCP server for the HeliosGroup Vendor Onboarding & Approval process package. + Provides AI agents with structured access to process definitions, risk scoring + rules, sanctions handling procedures, and compliance requirements. + instructions: > + This server exposes the complete Vendor Onboarding & Approval process at HeliosGroup. + Use 'search' to find process steps, compliance rules, or risk criteria by keyword. + Use 'get_entity' to retrieve full details of specific tasks, decisions, or cases. + Use 'list_entities' to browse by type (task, decision, case, resource). + Use 'generate_document' to produce a formatted process summary. + Key entities: vendor-onboarding-process (BPMN), vendor-risk-scoring (DMN), + sanctions-exception (CMMN), resource-mappings. + +sources: + - path: "bpmn/vendor-onboarding.bpmn.xml" + type: "xml" + description: > + Main vendor onboarding BPMN process — 5 swim lanes covering Procurement, + AI Compliance, Legal, Finance, and IT. Includes sanctions screening path, + parallel compliance checks, risk-tiered due diligence, and IT provisioning. + + - path: "dmn/vendor-risk-scoring.dmn.xml" + type: "xml" + description: > + Vendor risk scoring DMN decision tables. Computes risk tier (1/2/3), + required due diligence level, approval authority, and review timeline + based on country risk, financial health, and ownership structure. + Includes country risk classification and FATF/sanctions list checks. + + - path: "cmmn/sanctions-exception.cmmn.xml" + type: "xml" + description: > + Sanctions exception and escalation CMMN case. Activated when AI agent + detects a sanctions match. Covers initial assessment, legal investigation, + executive escalation (for direct matches or contracts > €500K), + and formal resolution with audit trail. 
+ + - path: "resources/mappings.yaml" + type: "xml" + description: > + System and agent resource mappings — shows which AI agents, human roles, + and enterprise systems (SAP ERP, vendor portal, treasury) handle each task. + + - path: "uapf.yaml" + type: "xml" + description: "UAPF package manifest with process metadata, owners, and tags." + + - path: "README.md" + type: "xml" + description: "Process overview, stage summary table, compliance standards." diff --git a/sanctions-exception.cmmn.xml b/sanctions-exception.cmmn.xml new file mode 100644 index 0000000..21e2abd --- /dev/null +++ b/sanctions-exception.cmmn.xml @@ -0,0 +1,145 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + create + + + + + complete + + + + + sanctionsMatchType == "DIRECT" || contractValue > 500000 + + + + + complete + + + + + complete + + + + + + + + + + + + + + + + + complete + + + + + complete + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/uapf.yaml b/uapf.yaml new file mode 100644 index 0000000..44d1ed4 --- /dev/null +++ b/uapf.yaml @@ -0,0 +1,35 @@ +kind: uapf.package +id: uapf.heliosgroup.vendor-onboarding +name: Vendor Onboarding & Approval +description: > + End-to-end vendor onboarding process with AI-powered sanctions screening, + financial risk scoring, legal review, and IT provisioning. + Fully executable at Level 4 with MCP-accessible process data. +level: 4 +version: 1.0.0 +includes: [] +cornerstones: + bpmn: true + dmn: true + cmmn: true + resources: true +paths: + bpmn: bpmn + dmn: dmn + cmmn: cmmn + resources: resources + metadata: metadata +owners: + - type: team + id: procurement-ops + contact: procurement@heliosgroup.com + - type: team + id: legal-compliance + contact: legal@heliosgroup.com +lifecycle: stable +tags: + - procurement + - vendor-management + - sanctions-screening + - ai-governance + - eu-ai-act 
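Review bot: Every `sources[].path` points into `bpmn/`, `dmn/`, `cmmn/` or `resources/`, but the commit creates all eleven files at the repository root (see the diffstat and `create mode` lines), so none of these sources will resolve; the same subdirectory layout is assumed by `paths:` in uapf.yaml and by the README tree, so either the files should be moved or the paths changed to `path: "vendor-onboarding.bpmn.xml"` and friends. The `type: "xml"` given for mappings.yaml, uapf.yaml and README.md is also wrong for YAML and Markdown content and may make the server parse them as XML.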
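Review bot: The escalation sentry condition `sanctionsMatchType == "DIRECT" || contractValue > 500000` reads `contractValue`, while mappings.yaml and the DMN financial table use `annualContractValue`; if the case file carries the same variable under that name, the threshold half of the condition never fires and only direct matches escalate. Element tags are stripped in this rendering, so I cannot confirm the case-file item declarations — if `contractValue` is declared separately, a comment saying how it is populated would avoid the confusion. Otherwise the fix is `sanctionsMatchType == "DIRECT" || annualContractValue > 500000`.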
diff --git a/vendor-onboarding.bpmn.xml b/vendor-onboarding.bpmn.xml new file mode 100644 index 0000000..7c3b110 --- /dev/null +++ b/vendor-onboarding.bpmn.xml 
@@ -0,0 +1,567 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Start_VendorRequest + Task_ValidateSubmission + GW_SubmissionComplete + Task_RequestMissingDocs + Task_RegisterVendor + GW_ForkCompliance + GW_JoinCompliance + GW_OverallDecision + Task_FinalApproval + Task_NotifyVendorApproved + Task_NotifyVendorRejected + Task_ArchiveRejection + End_Approved + End_Rejected + + + Task_SanctionsScreening + Task_OwnershipCheck + GW_SanctionsHit + Task_AutoReject_Sanctions + Task_GenerateRiskProfile + Evt_SanctionsTimeout + + + Task_LegalReview + Task_ContractDrafting + GW_LegalDecision + Task_SanctionsEscalation + GW_EscalationDecision + + + Task_RiskScoring + Task_FinancialDueDiligence + GW_RiskTier + Task_EnhancedDueDiligence + Task_TaxVerification + + + Task_CreateVendorProfile + Task_ProvisionPortalAccess + Task_SetupPaymentDetails + GW_ForkIT + GW_JoinIT + Task_IntegrateERP + + + + + + Flow_1 + + + + + + Flow_1 + Flow_2 + + + + Flow_2 + Flow_3_Yes + Flow_3_No + + + + Flow_3_No + Flow_RetryValidation + + + + Flow_3_Yes + Flow_4 + + + + Flow_4 + Flow_ToSanctions + Flow_ToRiskScoring + Flow_ToLegal + + + + Flow_SanctionsOK + Flow_RiskComplete + Flow_LegalComplete + Flow_ToDecision + + + + Flow_ToDecision + Flow_Approved + Flow_Rejected + + + + Flow_Approved + Flow_ToIT + + + + Flow_FromIT + Flow_ToEnd_Approved + + + + Flow_Rejected + Flow_AutoRejected + Flow_ToArchive + + + + Flow_ToArchive + Flow_ToEnd_Rejected + + + + Flow_ToEnd_Approved + + + + Flow_ToEnd_Rejected + + + + + Flow_ToSanctions + Flow_CheckSanctionsResult + + + + Flow_SanctionsTimedOut + + PT48H + + + + + Flow_CheckSanctionsResult + Flow_SanctionsTimedOut + Flow_SanctionsHit_Yes + Flow_SanctionsHit_No + + + + Flow_SanctionsHit_No + Flow_SanctionsOK + + + + Flow_SanctionsHit_Yes + Flow_ToSanctionsEscalation + + + + Flow_EscalationApproved + Flow_SanctionsOK_Escalated + + + + + Flow_ToLegal + Flow_LegalReviewDone + + + + Flow_LegalReviewDone + Flow_LegalOK + Flow_LegalFail + + + + Flow_LegalOK + 
Flow_LegalComplete + + + + Flow_ToSanctionsEscalation + Flow_EscalationDecision + + + + Flow_EscalationDecision + Flow_EscalationApproved + Flow_EscalationDenied + + + + + Flow_ToRiskScoring + Flow_RiskTierResult + + + + Flow_RiskTierResult + Flow_HighRisk + Flow_MediumLowRisk + + + + Flow_HighRisk + Flow_EDD_Done + + + + Flow_MediumLowRisk + Flow_FDD_Done + + + + Flow_EDD_Done + Flow_FDD_Done + Flow_RiskComplete + + + + + Flow_ToIT + Flow_IT_Profile + Flow_IT_Portal + Flow_IT_Payment + + + + Flow_IT_Profile + Flow_IT_Profile_Done + + + + Flow_IT_Portal + Flow_IT_Portal_Done + + + + Flow_IT_Payment + Flow_IT_Payment_Done + + + + Flow_IT_Profile_Done + Flow_IT_Portal_Done + Flow_IT_Payment_Done + Flow_IT_Integrate + + + + Flow_IT_Integrate + Flow_FromIT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/vendor-risk-scoring.dmn.xml b/vendor-risk-scoring.dmn.xml new file mode 100644 index 0000000..b095778 --- /dev/null +++ b/vendor-risk-scoring.dmn.xml 
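Review bot: GW_JoinCompliance lists only Flow_SanctionsOK, Flow_RiskComplete and Flow_LegalComplete as incoming, but the sanctions lane's escalation-approved element emits Flow_SanctionsOK_Escalated, which no visible element consumes, so a vendor cleared through Task_SanctionsEscalation never reaches the parallel join and the instance stalls there; merge Flow_SanctionsOK and Flow_SanctionsOK_Escalated through an exclusive gateway whose single outgoing feeds the join. Flow_EscalationDenied, Flow_LegalFail and Flow_RetryValidation likewise have no visible target and Flow_AutoRejected no visible source, though element tags are stripped in this rendering so attributes may carry what the text does not show. Evt_SanctionsTimeout (PT48H) routes Flow_SanctionsTimedOut into GW_SanctionsHit; the gateway conditions are not visible here, and the timeout branch must resolve to Flow_SanctionsHit_Yes (fail closed) rather than letting an unscreened vendor continue as if screening passed.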
@@ -0,0 +1,226 @@ + + + + + + + + + + + countryRiskLevel + "HIGH","MEDIUM","LOW" + + + financialRiskLevel + "HIGH","MEDIUM","LOW" + + + ownershipStructure + "COMPLEX","SIMPLE","PUBLIC" + + + + + + + + "HIGH" + - + - + "TIER_1_HIGH_RISK" + "ENHANCED" + "Chief Procurement Officer + Legal Counsel" + 30 + + + + - + "HIGH" + - + "TIER_1_HIGH_RISK" + "ENHANCED" + "Chief Procurement Officer + CFO" + 30 + + + + - + - + "COMPLEX" + "TIER_1_HIGH_RISK" + "ENHANCED" + "Chief Procurement Officer + Legal Counsel" + 30 + + + + "MEDIUM" + "MEDIUM" + - + "TIER_2_MEDIUM_RISK" + "STANDARD" + "Procurement Director" + 14 + + + + "MEDIUM" + "LOW" + - + "TIER_2_MEDIUM_RISK" + "STANDARD" + "Procurement Manager" + 10 + + + + "LOW" + "LOW" + "PUBLIC" + "TIER_3_LOW_RISK" + "SIMPLIFIED" + "Procurement Officer" + 5 + + + + "LOW" + "LOW" + - + "TIER_3_LOW_RISK" + "SIMPLIFIED" + "Procurement Officer" + 7 + + + + + + + + + + countryCode + + + onFATFList + + + + + + - + true + "HIGH" + "Country on FATF grey or black list" + + + + "RU","BY","IR","KP","CU","SY","VE" + - + "HIGH" + "Sanctioned jurisdiction — EU/OFAC restrictions apply" + + + + "CN","AE","TR","PK","NG","KZ" + false + "MEDIUM" + "Elevated AML/corruption risk jurisdiction" + + + + "DE","FR","US","GB","JP","AU","CA","NL","SE","DK","NO","FI","CH" + false + "LOW" + "Low-risk jurisdiction with strong AML framework" + + + + - + false + "MEDIUM" + "Standard risk — insufficient data for low classification" + + + + + + + + + + creditScore + + + yearsTrading + + + annualContractValue + + + + + < 40 + - + - + "HIGH" + + + + - + < 2 + >= 500000 + "HIGH" + + + + [40..70) + - + - + "MEDIUM" + + + + - + - + >= 1000000 + "MEDIUM" + + + + >= 70 + >= 3 + < 1000000 + "LOW" + + + + + + + + + + + + + + + + + + + + + + + + +
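Review bot: The decision tables have uncovered inputs that yield no tier at all: in the vendor-risk-tier table, countryRiskLevel "LOW" with financialRiskLevel "MEDIUM" matches none of the seven rules, and in the financial table a creditScore of 70 or more with yearsTrading exactly 2 and a contract under 1,000,000 matches neither the `< 2` nor the `>= 3` rules. Several rules also overlap (rows 1 and 2 for HIGH/HIGH, rows 6 and 7 for LOW/LOW/PUBLIC with 5 vs 7 review days, and country rows 3 and 4 against the catch-all row 5) — the hit policy is not visible in this rendering, and without FIRST or PRIORITY they conflict. Add a trailing catch-all rule to each table that resolves to the high-risk output so unmatched inputs fail closed, for example `- / - / - → "HIGH"` as the last financial rule and `- / - / - → "TIER_1_HIGH_RISK"` in the tier table, and state the hit policy in a comment.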