TRANSFORMATION ANALYSIS

NiSource SCRM Process Transformation: From Manual Fragmentation to Agentic Orchestration

A comprehensive transformation initiative to revolutionize vendor and supply chain risk management through AI-powered orchestration, reducing cycle times from 30+ days to same-day processing while ensuring 100% audit coverage and risk-aligned contract terms.

21-30

Current Cycle Time (Days)

→ Same Day Processing

25

Manual Form Questions

→ 3-5 Smart Questions

30%

Risk-Contract Alignment

→ 95% Coverage

15+

Manual Touch Points

→ 3 Human Gates

Strategic Context

NiSource's current vendor management ecosystem operates across fragmented systems—ServiceNow for intake, TPRM/Fortress for assessments, Archer for GRC, and disparate CLM tools for contracts. This analysis, derived from L5 process mapping sessions, whiteboard reviews, and stakeholder interviews, reveals 47 distinct process activities across 10 major workflow stages, with significant manual rework, unclear accountability, and no unified view of vendor risk posture.

Critical Business Drivers

Regulatory Pressure: Increasing scrutiny on third-party risk management from utility regulators
Operational Inefficiency: 8-10 FTEs dedicated to manual vendor communications and data re-entry
Risk Exposure: Critical vendors operating without contractual risk controls due to process gaps
Audit Findings: Inability to demonstrate consistent risk assessment and remediation tracking

Current State Process Analysis

Process Fragmentation Landscape

Our analysis identified fundamental disconnects across the vendor lifecycle, with each stage operating in isolation and requiring manual handoffs that introduce delays, errors, and compliance gaps.

Current State Vendor Lifecycle (As Documented)

Intake

• 25+ question form
• 45 min completion
• Manual routing
• Inconsistent data

Risk Assessment

• Manual scoring
• 5-10 day delay
• Email-based
• No standards

VCA/TPRM

• 10-20 day cycle
• Manual evidence
• Re-keying data
• Lost artifacts

Remediation

• Email tracking
• 2-3 day notify
• No SLA enforce
• Manual follow-up

Contract

• 21-30 days
• Risk disconnect
• Email redlines
• No automation

Detailed Issues Analysis

1. Vendor Communications

Unstandardized outreach templates result in inconsistent evidence quality. No SLA differentiation by risk tier means high-risk vendors aren't prioritized. Communications via email aren't logged back into tracking systems.

Impact: 15-20 hours/week wasted on follow-ups

2. Contract Review Gaps

Contract terms don't reflect actual risk findings from assessments. Security clauses selected ad-hoc without mapping to identified vulnerabilities. No systematic review of remediation requirements in contract language.

Impact: 70% of contracts lack appropriate risk controls

3. System Integration Voids

ServiceNow tickets don't flow to TPRM. TPRM findings manually transcribed to Archer. Contract events not reflected in risk registers. No unified vendor view across systems.

Impact: 4-6 hours per vendor in data re-entry

4. Evidence Collection

Same artifacts (SOC2, pen tests) requested multiple times. No central repository for vendor documents. Evidence expires without notification. Manual validation of all submissions.

Impact: 40% of assessments delayed by missing evidence

5. Remediation Tracking

Findings identified but not converted to trackable objects. Notifications via unstructured email. No escalation workflows. Business owners unaware of open items.

Impact: Average 45 days to close critical findings

6. Monitoring Blindness

No continuous monitoring post-contract. Renewal dates missed. Vendor changes undetected. Risk posture degrades silently between assessments.

Impact: 25% of vendors operate with expired assessments

Current State Process Swimlane

Actor

Intake

Assessment

Remediation

Contract

Monitoring

Business User

Complete 25-question form

Review contract terms

SCRM Team

Manual review & routing

Create assessment

Chase evidence

Track via email

Manual follow-ups

Ad-hoc checks

Legal/Procurement

Negotiate terms

Email redlines

Systems

ServiceNow

TPRM/Fortress

Archer/GRC

CLM (various)

None

Key Performance Gaps

Metric	Current Performance	Industry Benchmark	Gap
End-to-end cycle time	21-30 days	5-7 days	-76%
Manual touch points	15+ interactions	3-5 interactions	-70%
First-pass accuracy	60%	95%	-35%
Risk coverage in contracts	30%	90%	-60%
Evidence re-use rate	0%	80%	-80%

Future State: Agentic Transformation

The 3-Agent Pattern Architecture

Our transformation employs a sophisticated 3-agent pattern that revolutionizes each process stage through intelligent orchestration, domain expertise, and continuous monitoring.

1

Orchestrator Agent

Controls end-to-end workflow execution
Enforces business policies and gates
Routes based on risk and complexity
Manages state transitions
Handles exceptions and escalations
Coordinates between other agents

2

Specialist Agent

Enriches and normalizes data
Performs domain-specific analysis
Generates risk scores and ratings
Creates contract clause bundles
Builds remediation packages
Produces intelligent recommendations

3

Monitor Agent

Creates comprehensive audit trails
Tracks SLA compliance
Detects anomalies and patterns
Logs all events to data lake
Ensures regulatory compliance
Generates performance metrics

See the Agents in Action

Intelligent Intake Transformation

                                // User Input

                                Request: "We need DocuSign for contract management"

                                // Agent 1: Orchestrator

                                Analyzing: Vendor profile, request context, business unit

                                // Agent 2: Enrichment

                                Inferred: {

                                  "service_type": "SaaS" (99% confidence)

                                  "data_classification": "Legal/Contracts" (95% confidence)

                                  "hosting_model": "Vendor Cloud" (98% confidence)

                                  "risk_tier": "MEDIUM"

                                  "compliance_required": ["SOC2", "GDPR"]

                                }

                                // Smart Questions Generated (only 3 needed)

                                1. Will this process EU citizen data?

                                2. Which internal systems will integrate?

                                3. Expected monthly transaction volume?

                                // Agent 3: Logger

                                Audit Trail: Intake enriched, risk calculated, routed to VCA

Transformed Process Flow

AI-Enhanced Intake Revolution

The intake transformation leverages vendor knowledge bases and inference engines to reduce a 25-question form to 3-5 targeted questions, while improving data quality and risk assessment accuracy.

User Submits

Basic vendor info
+ description

AI Inference

Vendor profile lookup
Service classification
Risk indicators

Smart Questions

Only unknowns
Pre-filled answers
Confidence scores

Risk Calculated

Tier assigned
Route determined
SLAs set

Key Innovations:

Inference Engine: 80% of fields auto-populated based on vendor knowledge
Confidence Scoring: Each inference includes confidence level for validation
Dynamic Routing: Risk tier automatically determines assessment depth
Pre-configuration: Next steps prepared before human review

Orchestrated Assessment Process

Automated evidence collection, parallel assessment tracks, and intelligent normalization eliminate manual re-work and reduce assessment cycles from 10-20 days to same-day completion.

Actor

Initiation

Evidence

Analysis

Findings

Output

Orchestrator

Create VCA

Request artifacts

Route findings

Specialist

Validate docs

Risk analysis

Normalize

Generate report

Human

Review critical

Approve

Risk-to-Contract Alignment Engine

Every identified risk automatically generates appropriate contract clauses, ensuring 95% coverage of remediation requirements in legal terms.

Contract Generation Flow

Risk Findings

From TPRM
Normalized list

Clause Mapping

Risk → Clause
Severity weighting

Pack Building

Base template
+ Risk clauses
+ Remediation

Review Gate

Legal approval
for high-risk

CLM Integration

Draft created
Workflow started

Event-Driven Continuous Monitoring

Proactive surveillance of vendor changes, contract renewals, and risk indicators with automated response workflows.

Event Type	Detection Method	Automated Response	SLA
Contract Renewal	90-day advance alert	Trigger reassessment, pull latest risks	Same day
Security Incident	Threat intel feeds	Immediate risk recalc, contract review	2 hours
Scope Change	Amendment detection	Re-assess new services, update controls	24 hours
Evidence Expiry	Document tracking	Request refresh, notify stakeholders	5 days
M&A Activity	Vendor monitoring	Full reassessment, contract review	48 hours

Comparative Analysis: Current vs. Future State

Process Area	Current State	Agentic Future State	Improvement
Intake	• 25+ questions • 45 min completion • Manual review • Inconsistent data	• 3-5 smart questions • 5 min completion • AI enrichment • 95% accuracy	89% reduction
Risk Assessment	• 5-10 day delay • Manual scoring • Email-based • No standards	• Real-time scoring • AI-calculated • API-integrated • Standardized	100% automated
VCA Process	• 10-20 days • Manual evidence • Re-keying data • Lost artifacts	• Same-day • Auto-collection • Direct integration • Central repository	95% faster
Remediation	• Email tracking • 2-3 day notification • No SLA enforcement • Manual follow-up	• System tracking • Instant notification • Auto-escalation • AI follow-up	Real-time
Contract	• 21-30 days • Risk disconnect • Email redlines • Manual process	• 5-7 days • Risk-aligned • CLM integrated • AI-generated	76% faster

Technical Architecture & Implementation

Camunda 8 Orchestration Architecture

The implementation leverages Camunda 8 as the central orchestration engine, with OpenAI agents providing intelligence via Model Context Protocol (MCP), all integrated with existing enterprise systems.

High-Level System Architecture

Event Sources

ServiceNow
TPRM/Fortress
CLM Webhooks
Monitoring

Camunda 8

Zeebe Engine
Process State
Service Tasks
Human Tasks

AI Agents (MCP)

Intake Enrichment
Risk Calculator
Contract Builder
Normalizer

Target Systems

Archer/GRC
CLM/Contracts
Databricks
Email/Teams

BPMN Process Definition

                    // Simplified BPMN for Vendor Intake Process

                    <process id="vendor-intake-process">

                      <startEvent id="new-vendor-intake" />

                      <serviceTask id="enrich-intake"

                        name="Enrich & Classify Intake"

                        implementation="openai-agent"

                        agent="intake-enrichment" />

                      <exclusiveGateway id="risk-routing" />

                      <serviceTask id="create-assessment"

                        name="Create TPRM Assessment"

                        condition="risk_tier in ['MEDIUM','HIGH']" />

                      <intermediateCatchEvent id="assessment-complete"

                        message="tprm.assessment.complete" />

                      <serviceTask id="normalize-findings"

                        name="Normalize Findings"

                        implementation="openai-agent"

                        agent="tprm-normalizer" />

                      <serviceTask id="build-contract"

                        name="Build Contract Pack"

                        condition="remediation.contractual == true"

                        implementation="openai-agent"

                        agent="contract-pack" />

                      <userTask id="legal-review"

                        name="Legal/Procurement Review"

                        assignee="legal-team" />

                      <endEvent id="process-complete" />

                    </process>

Agent Specifications

intake-enrichment-agent

                            // Agent Configuration

                            {

                              "name": "intake-enrichment-agent",

                              "model": "gpt-4-turbo",

                              "temperature": 0.3,

                              "capabilities": [

                                "vendor_profile_lookup",

                                "service_classification",

                                "risk_calculation",

                                "confidence_scoring"

                              ],

                              "knowledge_base": {

                                "vendor_profiles": "1000+ vendors",

                                "service_taxonomy": "APQC PCF mapped",

                                "risk_rules": "NiSource specific"

                              },

                              "mcp_tools": [

                                "servicenow_api",

                                "vendor_master_db",

                                "risk_scoring_engine"

                              ]

                            }

tprm-normalizer-agent

                            // Agent Configuration

                            {

                              "name": "tprm-normalizer-agent",

                              "model": "gpt-4-turbo",

                              "capabilities": [

                                "finding_standardization",

                                "severity_mapping",

                                "remediation_classification",

                                "contractual_flagging"

                              ],

                              "input_formats": [

                                "Fortress XML",

                                "TPRM JSON",

                                "Custom assessments"

                              ],

                              "output_schema": {

                                "finding_id": "string",

                                "description": "string",

                                "severity": "HIGH|MEDIUM|LOW",

                                "owner": "vendor|internal",

                                "contractual_required": "boolean",

                                "due_date": "ISO-8601"

                              }

                            }

contract-pack-agent

                            // Agent Configuration

                            {

                              "name": "contract-pack-agent",

                              "model": "gpt-4-turbo",

                              "capabilities": [

                                "risk_to_clause_mapping",

                                "template_selection",

                                "clause_bundling",

                                "remediation_terms"

                              ],

                              "clause_library": {

                                "data_protection": 47,

                                "security_controls": 83,

                                "audit_rights": 12,

                                "remediation": 29

                              },

                              "risk_mappings": {

                                "no_encryption": ["DATA_PROTECTION_3.2"],

                                "offshore_processing": ["GEO_RESTRICT_2.1"],

                                "no_bcdr": ["CONTINUITY_4.1", "SLA_UPTIME"]

                              }

                            }

Databricks Integration Architecture

Every agent action and system event flows to Databricks for real-time analytics, audit trails, and operational intelligence.

                    // Event Schema for Databricks

                    {

                      "event_id": "evt_20240115_123456",

                      "timestamp": "2024-01-15T10:30:00Z",

                      "process_id": "prc_vendor_intake_789",

                      "intake_id": "INC0012345",

                      "vendor_id": "VND-DocuSign-001",

                      "event_type": "INTAKE_ENRICHED",

                      "agent": "intake-enrichment",

                      "payload": {

                        "risk_tier": "MEDIUM",

                        "confidence": 0.92,

                        "fields_inferred": 18,

                        "questions_generated": 4

                      },

                      "sla_status": "ON_TIME",

                      "next_action": "CREATE_VCA"

                    }

System Integration Points

System	Integration Type	Direction	Frequency	Data Elements
ServiceNow	REST API / Webhook	Bi-directional	Real-time	Intake data, status updates
TPRM/Fortress	REST API	Bi-directional	Event-driven	Assessment creation, findings
Archer/GRC	SOAP/REST API	Write	On completion	Remediation items, risk scores
CLM Systems	REST API	Bi-directional	Event-driven	Contract drafts, approvals
Databricks	Streaming API	Write	Continuous	All events, metrics, audit
Email/Teams	Graph API	Write	As needed	Notifications, escalations

Phased Implementation Strategy

A 12-week transformation journey designed to deliver quick wins while building toward comprehensive agentic orchestration. Each phase builds on the previous, with continuous value delivery and minimal disruption to ongoing operations.

Phase 1

Smart Intake on ServiceNow

Weeks 1-3

Deploy AI enrichment service
ServiceNow API integration
Vendor knowledge base setup
Databricks event logging
Pilot with 10 vendors

Phase 2

Orchestrated Assessment

Weeks 4-6

Camunda 8 deployment
TPRM auto-creation
Evidence collection automation
Archer remediation objects
Remove manual re-keying

Phase 3

Contract Intelligence

Weeks 7-9

Contract pack builder agent
CLM integration
Risk-to-clause mapping
Legal review workflow
Automated redlining

Phase 4

Analytics & Optimization

Weeks 10-12

Databricks dashboards
Real-time monitoring
Predictive analytics
Model tuning
Full production rollout

Implementation Requirements

Technical Resources

2 Integration Engineers (Camunda/MCP)
1 AI/ML Engineer (Agent development)
1 Data Engineer (Databricks)
1 Business Analyst (Process mapping)
0.5 Project Manager

Infrastructure

Camunda 8 SaaS or Self-Managed
OpenAI API access (GPT-4)
Databricks workspace
API gateway infrastructure
Dev/Test/Prod environments

Risk Mitigation Strategy

Risk	Likelihood	Impact	Mitigation
API integration complexity	Medium	High	Start with ServiceNow (best documented), use proven connectors
Agent accuracy concerns	Low	High	Human-in-loop for high-risk, confidence scoring, gradual rollout
Change resistance	High	Medium	Quick wins focus, clear communication, training programs
Data quality issues	Medium	Medium	Data cleansing sprint, validation rules, exception handling
Compliance concerns	Low	High	Full audit trail, human gates for critical, regulatory review

Success Metrics & KPIs

Week 2

First AI Intake Live

Quick Win #1

Week 4

Dashboard Available

Visibility Achieved

Week 6

Zero Manual Re-key

Major Efficiency

Week 8

First AI Contract

Risk Alignment

Change Management Approach

Stakeholder Engagement Plan

Stakeholder Group	Current Pain	Value Message	Engagement Strategy
Business Users	Long forms, delays	"5-minute intakes"	Pilot program, champions
SCRM Team	Manual work, rework	"Focus on exceptions"	Co-design sessions, training
Legal/Procurement	Risk gaps, slow contracts	"95% risk coverage"	Review gates, control maintained
IT/Security	Integration complexity	"Modern architecture"	Technical workshops, documentation
Leadership	Audit findings, cost	"$2M savings, full compliance"	Dashboard access, regular updates

Value Realization & ROI Analysis

Quantified Business Value

Based on analysis of 47 process activities, 500+ annual vendor engagements, and 8-10 FTE current allocation, the transformation delivers measurable value across efficiency, risk, and compliance dimensions.

Efficiency Gains

Intake time reduction	89% (45 min → 5 min)
Assessment cycle time	95% (15 days → same day)
Contract generation	76% (25 days → 6 days)
Manual touchpoints	80% (15 → 3)
FTE reallocation	6.5 FTE to strategic work

Risk & Compliance Value

Risk coverage in contracts	95% (from 30%)
Audit trail completeness	100% (from 40%)
SLA compliance	98% (from 60%)
Evidence reuse rate	80% (from 0%)
Finding closure time	75% faster

Financial Analysis

3-Year Financial Model

Category	Year 1	Year 2	Year 3	3-Year Total
Benefits
Labor savings (6.5 FTE @ $85k)	$552,500	$552,500	$552,500	$1,657,500
Risk reduction value	$300,000	$450,000	$500,000	$1,250,000
Compliance penalty avoidance	$200,000	$200,000	$200,000	$600,000
Faster vendor onboarding value	$150,000	$225,000	$300,000	$675,000
Total Benefits	$1,202,500	$1,427,500	$1,552,500	$4,182,500
Costs
Implementation (one-time)	$450,000	-	-	$450,000
Camunda 8 licensing	$75,000	$75,000	$75,000	$225,000
OpenAI API costs	$36,000	$48,000	$60,000	$144,000
Databricks platform	$60,000	$60,000	$60,000	$180,000
Support & maintenance	$50,000	$75,000	$75,000	$200,000
Total Costs	$671,000	$258,000	$270,000	$1,199,000
Net Benefit	$531,500	$1,169,500	$1,282,500	$2,983,500
ROI	79%	453%	475%	249%

Value Story for Leadership

The Four Pillars of Value

1. "We Made Intake Intelligent"

Reduced 25-question forms to 3-5 smart questions through AI inference, cutting intake time by 89% while improving data quality. Business users love the simplicity, SCRM gets better data.

2. "We Linked Risk to Contract"

Every identified risk now automatically generates appropriate contract clauses. 95% coverage of remediation requirements in legal terms, up from 30%. Audit findings resolved.

3. "We Cut the Long Tail"

Eliminated manual chasing, follow-ups, and re-keying. 6.5 FTEs now focused on strategic vendor relationships instead of administrative tasks. 80% reduction in manual touchpoints.

4. "We Can Prove It"

100% audit trail coverage with every decision logged to Databricks. Real-time dashboards show vendor status, SLA compliance, and risk posture. Complete regulatory defensibility.

Competitive Advantage

This transformation positions NiSource as a leader in utility sector vendor risk management:

Industry Leadership: First utility to implement full agentic SCRM orchestration
Vendor Experience: 5-minute onboarding vs. industry average of 2+ hours
Risk Posture: Real-time risk visibility vs. quarterly assessments
Regulatory Position: Proactive compliance vs. reactive remediation
Operational Excellence: 95% automation vs. 70% manual processes

Next Steps & Decision Points

Week 1

Approve Funding

$450K implementation