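<?xml version="1.0" encoding="UTF-8"?>
<!--
  Vendor Risk Scoring: three chained DMN decision tables.

    Decision_CountryRisk    countryCode, onFATFList                      => countryRiskLevel
    Decision_FinancialRisk  creditScore, yearsTrading, annualContractValue => financialRiskLevel
    Decision_VendorRiskTier both levels + ownershipStructure             => riskTier, dueDiligenceLevel,
                                                                            approvalAuthority, reviewDays

  Every table uses hit policy FIRST, so rule order is part of the policy:
  the first matching rule wins and later rules are never consulted.

  A table that matches no rule yields no output. Each table therefore ends
  in (or is completed by) a rule for the otherwise uncovered combinations,
  so that missing data cannot leave a vendor without a classification.
  Callers should still treat an empty riskTier as a failed evaluation, not
  as an approval.
-->
<definitions xmlns="https://www.omg.org/spec/DMN/20191111/MODEL/"
             xmlns:dmndi="https://www.omg.org/spec/DMN/20191111/DMNDI/"
             xmlns:dc="http://www.omg.org/spec/DMN/20180521/DC/"
             xmlns:di="http://www.omg.org/spec/DMN/20180521/DI/"
             id="VendorRiskScoring"
             name="Vendor Risk Scoring"
             namespace="https://processgit.org/heliosgroup/vendor-risk-scoring">

  <!-- VENDOR RISK TIER (composite decision) -->
  <decision id="Decision_VendorRiskTier" name="Vendor Risk Tier">
    <informationRequirement id="IR_Country"><requiredDecision href="#Decision_CountryRisk"/></informationRequirement>
    <informationRequirement id="IR_Financial"><requiredDecision href="#Decision_FinancialRisk"/></informationRequirement>
    <informationRequirement id="IR_Ownership"><requiredInput href="#Input_OwnershipStructure"/></informationRequirement>
    <decisionTable id="DT_VendorRiskTier" hitPolicy="FIRST">
      <input id="In_CountryRisk" label="Country Risk Score">
        <inputExpression typeRef="string"><text>countryRiskLevel</text></inputExpression>
        <inputValues><text>"HIGH","MEDIUM","LOW"</text></inputValues>
      </input>
      <input id="In_FinancialRisk" label="Financial Risk Score">
        <inputExpression typeRef="string"><text>financialRiskLevel</text></inputExpression>
        <inputValues><text>"HIGH","MEDIUM","LOW"</text></inputValues>
      </input>
      <input id="In_Ownership" label="Ownership Structure">
        <inputExpression typeRef="string"><text>ownershipStructure</text></inputExpression>
        <inputValues><text>"COMPLEX","SIMPLE","PUBLIC"</text></inputValues>
      </input>
      <output id="Out_Tier" name="riskTier" typeRef="string" label="Risk Tier"/>
      <output id="Out_DDLevel" name="dueDiligenceLevel" typeRef="string" label="Due Diligence Level"/>
      <output id="Out_ApprovalAuthority" name="approvalAuthority" typeRef="string" label="Approval Authority"/>
      <output id="Out_ReviewDays" name="reviewDays" typeRef="number" label="Max Review Days"/>

      <!-- Tier 1: HIGH country risk, whatever the other two inputs are -->
      <rule id="R1">
        <inputEntry><text>"HIGH"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
        <outputEntry><text>"ENHANCED"</text></outputEntry>
        <outputEntry><text>"Chief Procurement Officer + Legal Counsel"</text></outputEntry>
        <outputEntry><text>30</text></outputEntry>
      </rule>

      <!-- Tier 1: HIGH financial risk (country risk is MEDIUM or LOW here, R1 took HIGH) -->
      <rule id="R2">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>"HIGH"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
        <outputEntry><text>"ENHANCED"</text></outputEntry>
        <outputEntry><text>"Chief Procurement Officer + CFO"</text></outputEntry>
        <outputEntry><text>30</text></outputEntry>
      </rule>

      <!-- Tier 1: COMPLEX ownership, regardless of country and financial level -->
      <rule id="R3">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>"COMPLEX"</text></inputEntry>
        <outputEntry><text>"TIER_1_HIGH_RISK"</text></outputEntry>
        <outputEntry><text>"ENHANCED"</text></outputEntry>
        <outputEntry><text>"Chief Procurement Officer + Legal Counsel"</text></outputEntry>
        <outputEntry><text>30</text></outputEntry>
      </rule>

      <!-- Tier 2: MEDIUM country + MEDIUM financial -->
      <rule id="R4">
        <inputEntry><text>"MEDIUM"</text></inputEntry>
        <inputEntry><text>"MEDIUM"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_2_MEDIUM_RISK"</text></outputEntry>
        <outputEntry><text>"STANDARD"</text></outputEntry>
        <outputEntry><text>"Procurement Director"</text></outputEntry>
        <outputEntry><text>14</text></outputEntry>
      </rule>

      <!-- Tier 2: MEDIUM country + LOW financial -->
      <rule id="R5">
        <inputEntry><text>"MEDIUM"</text></inputEntry>
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_2_MEDIUM_RISK"</text></outputEntry>
        <outputEntry><text>"STANDARD"</text></outputEntry>
        <outputEntry><text>"Procurement Manager"</text></outputEntry>
        <outputEntry><text>10</text></outputEntry>
      </rule>

      <!--
        Tier 2: LOW country + MEDIUM financial.
        Without this rule the combination matched nothing and the decision
        returned no tier at all. Outputs mirror R4, the other MEDIUM-financial
        rule. NOTE(review): confirm authority and review days with the policy owner.
      -->
      <rule id="R8">
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>"MEDIUM"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_2_MEDIUM_RISK"</text></outputEntry>
        <outputEntry><text>"STANDARD"</text></outputEntry>
        <outputEntry><text>"Procurement Director"</text></outputEntry>
        <outputEntry><text>14</text></outputEntry>
      </rule>

      <!-- Tier 3: LOW country + LOW financial, publicly listed company (shortest review) -->
      <rule id="R6">
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>"PUBLIC"</text></inputEntry>
        <outputEntry><text>"TIER_3_LOW_RISK"</text></outputEntry>
        <outputEntry><text>"SIMPLIFIED"</text></outputEntry>
        <outputEntry><text>"Procurement Officer"</text></outputEntry>
        <outputEntry><text>5</text></outputEntry>
      </rule>

      <!-- Tier 3: LOW country + LOW financial, any other ownership (COMPLEX was taken by R3) -->
      <rule id="R7">
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>"LOW"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"TIER_3_LOW_RISK"</text></outputEntry>
        <outputEntry><text>"SIMPLIFIED"</text></outputEntry>
        <outputEntry><text>"Procurement Officer"</text></outputEntry>
        <outputEntry><text>7</text></outputEntry>
      </rule>
    </decisionTable>
  </decision>

  <!--
    COUNTRY RISK CLASSIFICATION

    Country codes are compared as exact strings. A code that is not in
    upper case (or is padded, or is an alpha-3 code) will not match CR2
    and falls through to the MEDIUM default, so the caller must normalise
    countryCode before evaluation.

    The jurisdiction lists below are hard-coded in this file and go stale
    whenever the FATF or sanctions lists change; they need a review owner
    and a review date outside this model.
  -->
  <decision id="Decision_CountryRisk" name="Country Risk Level">
    <informationRequirement id="IR_Country2"><requiredInput href="#Input_CountryCode"/></informationRequirement>
    <decisionTable id="DT_CountryRisk" hitPolicy="FIRST">
      <input id="In_CountryCode" label="Country Code (ISO 3166)">
        <inputExpression typeRef="string"><text>countryCode</text></inputExpression>
      </input>
      <input id="In_FATFList" label="FATF Grey/Black List">
        <inputExpression typeRef="boolean"><text>onFATFList</text></inputExpression>
      </input>
      <output id="Out_CountryRisk" name="countryRiskLevel" typeRef="string" label="Country Risk Level"/>
      <output id="Out_CountryReason" name="countryRiskReason" typeRef="string" label="Reason"/>

      <!-- FATF grey or black list: HIGH for any country code -->
      <rule id="CR1">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>true</text></inputEntry>
        <outputEntry><text>"HIGH"</text></outputEntry>
        <outputEntry><text>"Country on FATF grey or black list"</text></outputEntry>
      </rule>

      <!-- Sanctioned jurisdictions: HIGH even when the FATF flag is false or missing -->
      <rule id="CR2">
        <inputEntry><text>"RU","BY","IR","KP","CU","SY","VE"</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"HIGH"</text></outputEntry>
        <outputEntry><text>"Sanctioned jurisdiction — EU/OFAC restrictions apply"</text></outputEntry>
      </rule>

      <!-- Medium risk: emerging markets with AML concerns -->
      <rule id="CR3">
        <inputEntry><text>"CN","AE","TR","PK","NG","KZ"</text></inputEntry>
        <inputEntry><text>false</text></inputEntry>
        <outputEntry><text>"MEDIUM"</text></outputEntry>
        <outputEntry><text>"Elevated AML/corruption risk jurisdiction"</text></outputEntry>
      </rule>

      <!-- EU + trusted jurisdictions: LOW only with an explicit onFATFList = false -->
      <rule id="CR4">
        <inputEntry><text>"DE","FR","US","GB","JP","AU","CA","NL","SE","DK","NO","FI","CH"</text></inputEntry>
        <inputEntry><text>false</text></inputEntry>
        <outputEntry><text>"LOW"</text></outputEntry>
        <outputEntry><text>"Low-risk jurisdiction with strong AML framework"</text></outputEntry>
      </rule>

      <!--
        Default: everything not classified above, including a missing FATF flag.
        The second entry is "-" rather than false because a null flag satisfies
        neither true nor false; with "false" here a vendor whose FATF lookup
        failed got no country risk level at all. onFATFList = true never reaches
        this rule (CR1 wins under FIRST).
      -->
      <rule id="CR5">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"MEDIUM"</text></outputEntry>
        <outputEntry><text>"Standard risk — insufficient data for low classification"</text></outputEntry>
      </rule>
    </decisionTable>
  </decision>

  <!--
    FINANCIAL RISK CLASSIFICATION

    The table does not range-check its inputs: the label says 0–100 for the
    credit score, but any value of 70 or more is treated as strong credit.
    Validate creditScore, yearsTrading and annualContractValue before
    evaluation if they originate from the vendor or another untrusted source.
  -->
  <decision id="Decision_FinancialRisk" name="Financial Risk Level">
    <informationRequirement id="IR_Financial2"><requiredInput href="#Input_CreditScore"/></informationRequirement>
    <decisionTable id="DT_FinancialRisk" hitPolicy="FIRST">
      <input id="In_CreditScore" label="Credit Score (0–100)">
        <inputExpression typeRef="number"><text>creditScore</text></inputExpression>
      </input>
      <input id="In_YearsTrading" label="Years in Business">
        <inputExpression typeRef="number"><text>yearsTrading</text></inputExpression>
      </input>
      <input id="In_ContractValue" label="Annual Contract Value (EUR)">
        <inputExpression typeRef="number"><text>annualContractValue</text></inputExpression>
      </input>
      <output id="Out_FinancialRisk" name="financialRiskLevel" typeRef="string" label="Financial Risk Level"/>

      <!-- High: credit score below 40, regardless of age and contract size -->
      <rule id="FR1">
        <inputEntry><text>&lt; 40</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"HIGH"</text></outputEntry>
      </rule>

      <!-- High: new company (under 2 years) + large contract (500000 or more) -->
      <rule id="FR2">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>&lt; 2</text></inputEntry>
        <inputEntry><text>&gt;= 500000</text></inputEntry>
        <outputEntry><text>"HIGH"</text></outputEntry>
      </rule>

      <!-- Medium: moderate credit, 40 inclusive to 70 exclusive -->
      <rule id="FR3">
        <inputEntry><text>[40..70)</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"MEDIUM"</text></outputEntry>
      </rule>

      <!-- Medium: contract of 1000000 or more, regardless of credit -->
      <rule id="FR4">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>&gt;= 1000000</text></inputEntry>
        <outputEntry><text>"MEDIUM"</text></outputEntry>
      </rule>

      <!-- Low: strong credit, established company, contract under 1000000 -->
      <rule id="FR5">
        <inputEntry><text>&gt;= 70</text></inputEntry>
        <inputEntry><text>&gt;= 3</text></inputEntry>
        <inputEntry><text>&lt; 1000000</text></inputEntry>
        <outputEntry><text>"LOW"</text></outputEntry>
      </rule>

      <!--
        Fallback: anything FR1 to FR5 leave unmatched, for example a credit
        score of 70 or more with fewer than 3 years trading and a contract
        under 500000, or any missing input. These cases used to produce no
        financial risk level. MEDIUM follows the insufficient-data default
        used by the country table. NOTE(review): confirm with the policy owner.
      -->
      <rule id="FR6">
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <inputEntry><text>-</text></inputEntry>
        <outputEntry><text>"MEDIUM"</text></outputEntry>
      </rule>
    </decisionTable>
  </decision>

  <!--
    INPUT DATA DEFINITIONS
    NOTE(review): onFATFList, yearsTrading and annualContractValue are read
    by the tables above but have no inputData element or
    informationRequirement here. Declare them if the target engine validates
    the requirements graph.
  -->
  <inputData id="Input_CountryCode" name="Country Code"/>
  <inputData id="Input_OwnershipStructure" name="Ownership Structure"/>
  <inputData id="Input_CreditScore" name="Credit Score"/>

  <!-- Diagram layout only; no effect on evaluation. The waypoints use the di prefix declared on the root. -->
  <dmndi:DMNDI>
    <dmndi:DMNDiagram id="DMNDiagram_1">
      <dmndi:DMNShape id="S_VendorRiskTier" dmnElementRef="Decision_VendorRiskTier"><dc:Bounds x="350" y="80" width="200" height="80"/></dmndi:DMNShape>
      <dmndi:DMNShape id="S_CountryRisk" dmnElementRef="Decision_CountryRisk"><dc:Bounds x="150" y="240" width="180" height="80"/></dmndi:DMNShape>
      <dmndi:DMNShape id="S_FinancialRisk" dmnElementRef="Decision_FinancialRisk"><dc:Bounds x="380" y="240" width="180" height="80"/></dmndi:DMNShape>
      <dmndi:DMNShape id="S_CountryCode" dmnElementRef="Input_CountryCode"><dc:Bounds x="150" y="390" width="125" height="45"/></dmndi:DMNShape>
      <dmndi:DMNShape id="S_Ownership" dmnElementRef="Input_OwnershipStructure"><dc:Bounds x="610" y="150" width="125" height="45"/></dmndi:DMNShape>
      <dmndi:DMNShape id="S_CreditScore" dmnElementRef="Input_CreditScore"><dc:Bounds x="380" y="390" width="125" height="45"/></dmndi:DMNShape>
      <dmndi:DMNEdge id="E_CR" dmnElementRef="IR_Country"><di:waypoint x="240" y="240"/><di:waypoint x="400" y="160"/></dmndi:DMNEdge>
      <dmndi:DMNEdge id="E_FR" dmnElementRef="IR_Financial"><di:waypoint x="470" y="240"/><di:waypoint x="450" y="160"/></dmndi:DMNEdge>
      <dmndi:DMNEdge id="E_OW" dmnElementRef="IR_Ownership"><di:waypoint x="610" y="172"/><di:waypoint x="550" y="120"/></dmndi:DMNEdge>
      <dmndi:DMNEdge id="E_CC" dmnElementRef="IR_Country2"><di:waypoint x="212" y="390"/><di:waypoint x="240" y="320"/></dmndi:DMNEdge>
      <dmndi:DMNEdge id="E_CS" dmnElementRef="IR_Financial2"><di:waypoint x="442" y="390"/><di:waypoint x="470" y="320"/></dmndi:DMNEdge>
    </dmndi:DMNDiagram>
  </dmndi:DMNDI>
</definitions>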