The two realities of operations: how process mining could reshape regulation

24 June 2026

There are two distinct realities operating simultaneously in all organisations: (i) the theoretical, represented by policy documents, flowcharts and training manuals; (ii)the practical, or what actually happens across systems and teams and the necessary workarounds needed when things go wrong. Process mining is a data-driven discipline designed to uncover the latter.

Today, virtually every corporate action records digital traces in its IT systems—every time a complaint is logged, a payment approved, or a transaction amended, a timestamped digital footprint is created in an ‘event log’. Process mining reconstructs these footprints into a living, empirical map of how work truly flows in practice.

The gap between policy and practice is not hypothetical

Recent enforcement actions illustrate the potential disconnect between documented policy and operational practice. In January 2025, the Financial Conduct Authority issued a Final Notice against Arian Financial LLP, fining the firm £288,962 for failing to ensure its financial crime controls were effective in practice and that its procedures were proportionate to the risks that the firm was actually running.¹^,2In another case in February 2026, the European Securities and Markets Authority imposed a record €1,374,000 fine on REGIS-TR S.A. for seven infringements under EMIR (European Market Infrastructure Regulation) and SFTR (Securities Financing Transactions Regulation).³REGIS-TR had failed to comply with key organisational obligations relating to adequate policies and procedures, organisational structure, and operational risk management.⁴ Neither case turned on the absence of written policies. In both instances, a documented framework existed. What was missing, however, was a reliable mechanism to verify that the framework was being followed.

Process mining can uncover these gaps. Imagine, for example, that a customer files a complaint. The standard procedure dictates a tidy, linear journey.

Figure 1 The standard expected procedure

A process-mining exercise will expose what happens in reality. Process-mining software reads the event logs of customer complaints to uncover the precise sequence of actions and their timing, allowing it to reconstruct the actual flow of thousands or even millions of cases, creating a deep empirical picture of operations in practice.

This typically reveals multiple diverging pathways, including additional consultations, notification failures, and queues during peak hours.

Figure 2 illustrates this conceptually, showing how complaints entering a single process can follow four distinct routes: a standard path resolved in four to six days (40% of cases), a complex specialist-review path taking twelve to fifteen days (35%), a notification failure path stalling for two days without an alert (20%), and a severely delayed path of twenty or more days (5%).

Figure 2 Process mining example (conceptual)

By dealing in activity data that is directly derived from operations, process mining reveals a picture of how a process runs ‘in reality’, rather than on paper and in slide decks. In this way, process mining delivers four core insights.

Process discovery: reconstructing actual workflows from event logs.
Compliance rates: comparing actual behaviour against policies, regulatory rules, or intended models.
Diagnostics: pinpointing bottlenecks, delays, and hidden inefficiencies.
Prediction and simulation: forecasting future outcomes and simulating operational improvements.

The commercial imperative: from efficiency to governance

Many organisations are already using process mining at scale to improve operational efficiency.

For example, when GE HealthCare mapped its order-to-cash and procurement processes, it discovered that a single ‘standardised’ procedure had spawned countless variations in practice. By using process mining to streamline these flows, GE increased its cash flow by $1.3bn—substantially boosting financial performance.⁵

Similarly, BMW now treats this technology as fundamental infrastructure. The automaker currently runs 200 use cases across its business units, deploying over 450 data models to analyse how its systems actually function. To date, BMW has documented 1,100 specific improvements driven by these insights.⁶

What begins as a search for efficiency gains often uncovers compliance issues. For example, Deutsche Telekom optimised its procure-to-pay process with process mining, saving €66m. In doing so, the telecoms giant also uncovered control weaknesses, turning what began as a cost-reduction exercise into a compliance imperative. Today, the company maintains a 96% cash discount capture rate and prevents duplicate payments in real time.⁷

Why regulators are paying attention

The distinction between the theory and practice of operations is becoming increasingly important from a governance perspective, as regulators use more supervisory and conduct-based regulatory tools that focus on consumer outcomes and the actual behaviour of firms, such as the EU’s Digital Services Act (DSA) and the FCA’s Consumer Duty. These tools represent a fundamental shift in regulatory philosophy by focusing more on actual operational data rather than on measuring a firm’s inputs.

Regulators also face mounting pressure to detect problems before they become conduct failures or market disruptions. Traditional oversight relies on periodic audits and sample-based testing—methods that provide useful snapshots but frequently miss systemic patterns.

For regulators operating in this environment—and for the firms under their scrutiny—the question is becoming unavoidable: if operational data exists, why is it not being used to understand, on a continuous basis, how processes work? Consequently, these new trends in regulation in the UK and elsewhere in Europe are making regulation more data-driven. In 2025, the FCA revised its supervisory approach to embed data-led oversight,⁸ and in early 2026 ESMA published a Digital Strategy focused on modernising its supervisory data capabilities.⁹

Process mining provides regulators with the capability to see how processes operate, offering direct, consumer-level evidence of corporate behaviour rather than curated summaries. It reveals exactly how transactions flow through stated controls, where exceptions cluster, and where practice deviates from policy.

When regulators adopt process mining as part of the supervisory toolkit, they are aiming to achieve a continuous flow of insights into where a firm’s processes are working or failing. Consequently, firms lacking equivalent analytical capabilities will find themselves at a distinct disadvantage in regulatory dialogues.

Weighing the shift: benefits and considerations

As process mining reshapes the landscape, both the regulated and the regulators face a new calculus, warranting a balanced consideration.

For companies

The benefits: risk management and operational efficiency. Firms can proactively demonstrate compliance with objective, comprehensive evidence rather than narrative assertions. They can use process mining for early detection of regulatory deviations and the targeted elimination of bottlenecks and inefficiencies.
The considerations: high demands on IT and new risks. Process mining demands high-quality, integrated data, requiring significant upfront investment in IT and governance. Centralising and sharing operational data at a granular level increases the attack surface for cyber threats, necessitating robust security protocols. Furthermore, there is a distinct visibility risk—comprehensive analysis will almost always expose some control weaknesses, requiring a measured approach to how such ‘incidental findings’ should be handled.

For regulators

The benefits: the complete picture. Supervisors gain an objective, evidence-based view of actual practices. By analysing complete data populations—rather than relying on samples and summary metrics—they can identify systemic issues early, catching compliance failures before they escalate into market-wide problems.
The considerations: investment, complexity and security. Effective deployment requires regulatory bodies to invest heavily in new technical skills, analytical expertise, and infrastructure. They must also navigate complex data privacy obligations and methodological challenges, as comparing disparate systems across different entities remains difficult to standardise.

Is process mining coming to regulation?

The shift currently underway in regulatory approaches is structural. The regulatory landscape is moving decisively from ‘tell me’ to ‘show me’, arriving at the exact moment organisations are generating exponentially larger volumes of operational data.

This transition is already visible in many industries. In financial services, process mining is being deployed to assess the effectiveness of transaction monitoring and complaints-handling controls.¹⁰ What began purely as a backend efficiency tool is fast becoming the bedrock of modern governance and assurance.

For supervisors, population-level visibility solves a chronic challenge: it allows them to move beyond periodic, sample-based audits towards continuous oversight. We can therefore expect that regulators will increasingly demand digital evidence of how a process functioned, rather than summary metrics and a neat flowchart of how it was supposed to work.

For firms, investment in process mining also yields distinct advantages: (i) they gain internal clarity on process performance before external scrutiny arrives; (ii) they embed operational efficiency as a standard practice; (iii) they can shape the narrative.

In an ideal world, process mining would thus serve as the perfect bridge, allowing firms to answer supervisory enquiries with immediate, empirical proof rather than frantic, after-the-fact reconstruction.

However, the leap from theory to practice is steep. Meaningful implementation of process mining is not just a software purchase; it requires investments in governance, data infrastructure, internal expertise, and heightened cybersecurity.

Process mining will dictate who holds the analytical high ground when the regulator comes knocking. Before a firm can confidently show a supervisor its data, its leadership must first be prepared to confront the reality of its own operations.

Footnotes

¹ Financial Conduct Authority (2025), ‘Final Notice: Arian Financial LLP’, 10 January, accessed 4 June 2026.

² Financial Conduct Authority (2025), ‘FCA fines Arian Financial LLP for failings relating to cum-ex trading’, press release, 10 January, accessed 4 June 2026.

³European Securities and Markets Authority (2026), ‘ESMA sanctions REGIS-TR for serious breaches of organisational obligations’, press release, 17 February, accessed 4 June 2026.

⁴European Securities and Markets Authority (2026), ‘ESMA sanctions REGIS-TR for serious breaches of organisational obligations’, 17 February, accessed 4 June 2026.

⁵Celonis, ‘GE Healthcare + Celonis: Customer Story’, accessed 23 April 2026.

⁶Celonis, ‘BMW + Celonis: Customer Story’, accessed 23 April 2026.

⁷Celonis, ‘Deutsche Telekom + Celonis: Customer Story’, accessed 23 April 2026.

⁸Ernst & Young (2025), ‘What to expect: UK financial services regulation in 2026’, accessed 4 June 2026.

⁹ European Securities and Markets Authority (2026), ‘ESMA’s Digital and Data strategies support supervision of EU financial markets’, 13 January, accessed 4 June 2026.

¹⁰ Hill, M. (2024), ‘Process mining in financial transactions – 3 key benefits’, Process Excellence Network (PEX), 1 October, accessed 4 June 2026.

Contact

Dr Sebastian Wernicke

Partner

SECTORS

EXPERTISE

22 June 2026

Articles

2 minute read

Oxera AI policy map – June 2026

For this fourth edition of the AI Policy Map,1 we have updated our database that tracks key national and supranational AI policy developments across the European Economic Area (EEA) and the UK. This curated collection brings together legal texts, strategy documents and other influential publications relevant to… Read More

19 June 2026