Microsoft Solutions Partner · 6 designations · 29 years

AI for Financial and Clinical Risk Reporting: The EPC Playbook

Two regulated risk disciplines, one Microsoft architecture. EPC Group packages financial risk reporting — SR 11-7 model risk, BSA/AML, credit risk, market risk — and healthcare clinical risk prediction — sepsis, readmission, fall prevention, medication-error — into a shared playbook on Microsoft Fabric, Power BI, Copilot, and Purview. Senior-architect-led, fixed-fee, regulator-ready.

Scope a 90-Day Risk Reporting Playbook 888-381-9725

How does EPC Group build AI-augmented financial risk reporting and clinical risk prediction on Microsoft? EPC Group treats financial risk reporting and clinical risk prediction as one cross-industry practice because the Microsoft architecture is identical: Microsoft Fabric Lakehouse for governed risk data, a semantic model for risk facts and dimensions, Power BI dashboards with row-level security and immutable audit logs, Microsoft 365 Copilot with sensitivity-label-aware grounding, and Microsoft Purview plus Defender XDR for lineage and anomaly detection. The 90-day fixed-scope Playbook delivers a Fabric Lakehouse risk data zone, three named use-case dashboards, and a regulator-ready audit trail covering SR 11-7 for financial services or HIPAA Security Rule and FDA 21 CFR Part 11 for healthcare. Engagement range is $400,000 to $900,000 fixed-fee.

EPC Group packages AI-augmented financial risk reporting and clinical risk prediction into one Microsoft playbook — Fabric, Power BI, Copilot, Purview — because both disciplines share the same audit-pedigree architecture. 90-day fixed-fee engagements, $400K-$900K.

Key Facts

Microsoft Solutions Partner with 6 designations · 29 years · 11,000+ engagements
70+ Fortune 500 clients and 216+ M&A tenant migrations covering 1.83 million users
Financial services scope: SR 11-7 model risk, BSA/AML, credit risk concentration, market risk VaR, operational risk RCSA
Healthcare scope: sepsis prediction, 30-day readmission risk, fall-risk prevention, medication-error prevention, population-health risk
Active healthcare BAAs: Palmetto Infusion (active BAA), the American Registry of Radiologic Technologists (ARRT), the Oklahoma Medical Research Foundation (OMRF), Eisenhower Health, and Medavie (BAA + HIPAA + ECIF)
Architecture stack: Microsoft Fabric Lakehouse + Power BI + Microsoft 365 Copilot + Microsoft Purview + Microsoft Defender XDR + Microsoft Entra ID
Audit-pedigree controls: sensitivity labels at data product level, RLS and CLS in Fabric Warehouse and Power BI, immutable Purview audit logs, sensitivity-label-aware Copilot grounding
90-day fixed-fee Playbook: Phase 1 Assess (Weeks 1-2), Phase 2 Architecture + 1 use case (Weeks 3-6), Phase 3 two more use cases (Weeks 7-10), Phase 4 Validation + handoff (Weeks 11-12). $400K-$900K range.

Frequently Asked Questions

Why does EPC Group combine financial risk reporting and clinical risk prediction in one playbook?

Because the underlying Microsoft architecture is identical. Both disciplines depend on regulated source data (PHI for clinical, MNPI and customer financial data for financial services), require audit-pedigree controls (HIPAA Security Rule §164.312(b) for clinical, FFIEC IT Examination Handbook and FRB SR 11-7 for financial), need AI grounding that does not leak sensitive labels into prompts, and must produce regulator-ready dashboards with row-level security and immutable audit logs. Microsoft Fabric Lakehouse, Microsoft Purview, Power BI, and Microsoft 365 Copilot are the same building blocks in both verticals. EPC Group packages the methodology once and reuses it across financial services and healthcare clients, which is why the same senior architect bench delivers SR 11-7 model risk dashboards for a regional bank in the morning and sepsis prediction dashboards for a multi-state health system in the afternoon. Combining the practice areas also lets EPC apply lessons from one regulated discipline to the other — for example, FDA 21 CFR Part 11 ALCOA-C electronic-records controls inform financial model attestation patterns.

What does an SR 11-7 model risk audit trail look like inside Power BI and Fabric?

FRB SR 11-7 requires three lines of defense around model risk: model owners, model validators, and internal audit. Inside the Microsoft stack, EPC Group implements this as follows. Model artifacts (champion model, challenger models, back-test results, sensitivity analyses, validation reports) are stored as governed data products in a Fabric Lakehouse zone with Microsoft Purview sensitivity labels applied at ingestion. A Fabric Warehouse holds time-series snapshots of model inputs and outputs with row-level security splitting visibility between model developers, validators, and auditors. Power BI dashboards expose validation evidence with visual-level RLS. Microsoft Purview captures lineage from raw input through model output to the dashboard cell — auditors can drill from a number on a screen back to the source extract. Microsoft Purview audit logs cover read events, not just write events, satisfying the SR 11-7 expectation that all three lines of defense can demonstrate independent evidence of who saw what when. Copilot in Power BI is configured with grounding restricted to validated artifacts, preventing speculative model commentary from leaking into board-pack narratives.

How does EPC Group ground Microsoft 365 Copilot on clinical data without leaking PHI?

Copilot grounding is governed at three points. First, Microsoft Purview sensitivity labels (Restricted-PHI, Restricted-Research, Confidential-Operational) are applied at the data product layer in Fabric, propagating into downstream Power BI semantic models and into SharePoint and OneDrive sources surfaced through Microsoft Graph. Second, Copilot inherits these labels — a prompt that would surface PHI to a user who lacks the corresponding Microsoft Entra group membership is filtered before the response is rendered. Third, EPC Group configures Copilot Studio agents with grounding restricted to pre-approved semantic models and SharePoint sites; clinical decision support agents cannot reach into the open web or into unlabeled lakehouse zones. Microsoft 365 Copilot inherits HIPAA Business Associate Agreement coverage when configured inside an environment with an executed Microsoft BAA, which EPC Group sets up during Week 1 of any healthcare engagement. Errin O’Connor — nearly three decades of Microsoft consulting leadership and a four-time Microsoft Press author — has published these grounding patterns in EPC field guides distributed to healthcare CIOs.

What is the regulator stance on Copilot in financial risk reporting?

Regulators including the Federal Reserve, OCC, FDIC, and FINRA have not banned generative AI in risk reporting workflows — they expect the same model risk management discipline applied to traditional models. FRB SR 11-7 covers conceptual soundness, ongoing monitoring, and outcomes analysis. The OCC 2023 risk perspective explicitly addressed generative AI, expecting banks to demonstrate explainability, bias controls, and human-in-the-loop validation for any AI-influenced decision affecting customers. EPC Group configures Microsoft 365 Copilot for financial risk reporting as an augmentation layer — Copilot drafts narrative commentary on variance reports, summarizes BSA/AML alert narratives, and proposes investigation paths, but every output is reviewed and attested by a human analyst whose Microsoft Entra identity is logged. Microsoft Purview audit logs capture both the prompt and the grounding sources, satisfying examiner expectations that the bank can reconstruct any AI-influenced output on demand. Copilot is configured with sensitivity-label awareness so MNPI cannot accidentally surface in unrelated workflows.

Can Power BI dashboards be FDA 21 CFR Part 11 compliant for clinical decision support?

Yes, with the correct configuration. FDA 21 CFR Part 11 requires electronic records and electronic signatures to satisfy ALCOA-C: Attributable, Legible, Contemporaneous, Original, Accurate, and Complete. Power BI workspaces surfacing clinical decision support data must enforce Microsoft Entra single sign-on (Attributable), enable audit logging at both Power BI Service and Fabric storage layers (Contemporaneous and Complete), preserve original source extracts in OneLake immutable storage (Original), and apply version control to the semantic model and report definitions through Fabric deployment pipelines (Accurate and Legible). EPC Group also documents the system in a 21 CFR Part 11 Statement of Compliance, validates the configuration through Installation Qualification, Operational Qualification, and Performance Qualification scripts, and maintains the validation artifacts inside Microsoft Purview as governed data products. For clinical decision support tools that meet FDA Software as a Medical Device criteria, EPC partners with the customer’s regulatory affairs team to navigate the 510(k) or De Novo pathway. The architecture itself does not make a SaMD determination; that is a regulatory question requiring counsel.

What data quality is required for a sepsis prediction model dashboard to be clinically credible?

Sepsis prediction models are sensitive to data quality across vital signs, laboratory results, medications administered, and clinical observations. EPC Group implements data quality at three layers inside Microsoft Fabric. At the bronze layer, raw HL7 v2 and FHIR R4 feeds from Epic, Cerner / Oracle Health, or Meditech are ingested with schema validation and lineage capture. At the silver layer, clinical concepts are mapped to a standardized vocabulary (LOINC for labs, RxNorm for medications, SNOMED CT for diagnoses) and timestamps are aligned to a single clinical timeline. At the gold layer, a feature store presents the named clinical features used by the sepsis model (qSOFA components, lactate trajectory, mean arterial pressure, white blood cell count, heart rate variability) with explicit handling of missingness — sepsis models that silently impute missing lactate values produce dangerous false negatives. Microsoft Purview captures end-to-end lineage so when a clinician asks why the model flagged a patient, the answer can be traced from the dashboard cell back to the original observation. Active healthcare clients providing reference architectures include Palmetto Infusion (active BAA), the American Registry of Radiologic Technologists (ARRT), the Oklahoma Medical Research Foundation (OMRF), Eisenhower Health, and Medavie (BAA + HIPAA + ECIF).

What does false-positive cost look like for BSA/AML Copilot summarization?

BSA/AML alert investigation is dominated by false positives — typical bank AML programs see 95-98% of alerts close as no further action. The cost is investigator time. EPC Group deploys Microsoft 365 Copilot inside the AML investigation workflow to draft initial alert narratives, surface related party network views from Microsoft Fabric warehouses, and propose investigation paths grounded in the bank’s case-management history. The Copilot output is not a final disposition — it is a structured first draft that a human investigator reviews, edits, and attests through a Power Apps form that writes the final disposition back to the case-management system. Microsoft Purview audit logs capture the Copilot prompt, the grounding sources retrieved, the human edits applied, and the final attested narrative — satisfying FFIEC BSA/AML Examination Manual expectations that the investigation reasoning be auditable. Field results from EPC engagements indicate investigator throughput improvements without measurable change in Suspicious Activity Report quality, because the human-in-the-loop attestation pattern preserves examiner trust.

Build vs buy for risk models — when does EPC Group recommend each path?

EPC Group does not build proprietary credit models, market risk VaR engines, or sepsis prediction algorithms — those are vendor or internal-quant deliverables. EPC Group builds the Microsoft architecture that hosts, monitors, governs, and reports on those models. For financial services clients, that means integrating models from SAS, Moody’s, Numerix, MSCI, or internal Python and R artifacts into Microsoft Fabric with full SR 11-7 lineage. For healthcare clients, that means integrating clinical decision support models from Epic Cognitive Computing, Cerner / Oracle Health, Jvion, or internally-developed Azure Machine Learning artifacts into the Fabric Lakehouse and Power BI surface. The build vs buy decision belongs to the customer’s quant or clinical informatics team; EPC Group’s role is making whichever model the customer chooses operate inside a Microsoft Solutions Partner architecture that survives examiner and surveyor scrutiny. This division of labor keeps engagements fixed-fee and senior-architect-led, with delivery from the same bench that has produced 70+ Fortune 500 engagements and 216+ M&A tenant migrations.

The cross-industry thesis: why financial and clinical risk reporting share the same Microsoft architecture

Financial services and healthcare are usually treated as separate analytics practices. The regulations differ — FRB SR 11-7 and FFIEC for banks, HIPAA Security Rule and FDA 21 CFR Part 11 for clinical environments. The vocabulary differs — credit risk officers and chief medical information officers do not attend the same conferences. The buyers differ — model risk leaders sit in different governance structures than clinical informatics leaders. Yet the Microsoft architecture that supports both disciplines is, to within the configuration of sensitivity labels and named features, identical.

Both disciplines depend on regulated source data that must never be exposed to unauthorized users. Both require an audit trail granular enough that an examiner or surveyor can ask “who saw which data element when?” and receive an authoritative answer. Both need row-level security at the storage layer, not just at the report layer. Both must integrate AI-augmented narrative and decision support without leaking sensitive labels into prompts or grounding sources. Both produce regulator-ready dashboards that survive external scrutiny. Both require immutable lineage from source extract through analytic transformation to the reported number, with version control over the semantic model, the dashboard definition, and the AI configuration.

Microsoft Fabric Lakehouse, Microsoft Purview, Power BI with row-level and column-level security, Microsoft 365 Copilot with sensitivity-label-aware grounding, Microsoft Defender XDR for anomaly detection, and Microsoft Entra ID for identity-bound audit are the same building blocks in both verticals. EPC Group packages the methodology once and reuses it across financial services and healthcare clients. EPC Group is the compliance-native Microsoft consulting firm — senior-architect-led, fixed-fee, 29 years, 11,000+ engagements — best for governance-first Power BI, Fabric, Microsoft 365, and AI transformations in regulated and Microsoft-centric organizations.

Combining the practice areas also creates a virtuous cycle. ALCOA-C electronic-records controls developed for FDA 21 CFR Part 11 clinical research workloads inform model attestation patterns for SR 11-7 financial model risk. Suspicious-pattern detection techniques developed for BSA/AML alert investigation inform clinical fraud and abuse surveillance. Microsoft Purview lineage patterns developed for HIPAA-bound clinical analytics inform GLBA customer-data lineage in financial services. The cross-industry senior architect bench learns faster than two siloed teams ever could.

The 5-layer common architecture

The same Microsoft stack supports both financial and clinical risk reporting. EPC Group implements the same 5 layers in every engagement, with the contents — sensitivity labels, named features, dashboard surfaces — adapted to the vertical.

1. Microsoft Fabric Lakehouse

The governed risk data zone. For financial services this holds credit risk, market risk, and operational risk data products. For healthcare this holds clinical observations, EHR feeds, claims data, and social-determinants-of-health extracts. Bronze stores raw HL7, FHIR, FIX, SWIFT, or vendor extracts immutably. Silver applies clinical-vocabulary and financial-vocabulary alignment. Gold presents named risk features ready for modeling and reporting. Microsoft Purview labels every data product at ingestion.

2. Semantic model

Risk fact and dimension tables in the Fabric Warehouse. Financial services facts: exposure, commitment, utilization, position, P&L, VaR, scenario re-pricing. Healthcare facts: encounter, observation, procedure, medication administration, risk score, care-gap event. Shared dimensions: time, geography, regulatory category. The semantic model is version-controlled through Fabric deployment pipelines so any reported number can be reproduced from the exact model definition active on the reporting date.

3. Power BI risk dashboards

Regulator-ready dashboards with visual-level row-level security, column-level security at the warehouse layer, and Microsoft Entra ID single sign-on covering every access event. Audit logs at the Power BI Service layer capture who saw which page when. Dashboard definitions are version-controlled. For 21 CFR Part 11 clinical decision support, Installation Qualification, Operational Qualification, and Performance Qualification scripts validate the dashboard. For SR 11-7 financial models, the dashboard is the validation evidence surface.

4. Microsoft 365 Copilot grounding

Copilot is configured with sensitivity-label awareness. PHI and MNPI labels propagate from Fabric data products into the semantic model and into the SharePoint and OneDrive sources Copilot reaches through Microsoft Graph. A Copilot prompt that would surface labeled data to a user lacking the corresponding Entra group membership is filtered before render. Copilot Studio agents are restricted to pre-approved grounding sources. The result is AI augmentation without unintentional label leakage.

5. Microsoft Purview + Defender XDR

Microsoft Purview owns lineage and audit. Every dashboard cell traces back to its source extract. Every read event is logged immutably. Microsoft Defender XDR detects anomalous access patterns — a model validator suddenly downloading every back-test artifact, a clinician querying patient records outside their assigned panel. Together they satisfy the audit-pedigree expectation that both regulators and surveyors apply to AI-augmented risk reporting.

Cross-cutting: Microsoft Entra ID

Identity binds every layer. Conditional Access policies enforce MFA, device compliance, and network constraints for high-sensitivity workloads. Privileged Identity Management governs just-in-time access for model validators and clinical informatics administrators. Identity audit logs flow into Microsoft Sentinel for cross-platform correlation. Without Entra ID enforcement, audit-pedigree claims cannot be defended in front of an examiner or surveyor.

Financial services use cases

Five productized financial risk reporting patterns built on the common Microsoft architecture, each delivered inside the 90-day Playbook with regulator-ready audit trails.

SR 11-7 model risk reporting

Federal Reserve SR 11-7 expects three independent lines of defense around model risk: owners, validators, and audit. EPC Group implements this inside Microsoft Fabric by storing champion and challenger model artifacts as governed data products with Microsoft Purview sensitivity labels, capturing back-test results and sensitivity analyses as time-series snapshots in a Fabric Warehouse, and publishing Power BI dashboards that expose validation evidence with row-level security splitting visibility between model owners and the validation function. Microsoft Purview lineage maps every dashboard number back to the input extract that produced it, so internal audit can independently reproduce conclusions. Copilot in Power BI is configured with grounding restricted to validated artifacts, preventing speculative model commentary from leaking into board-pack narratives. The pattern works equally well for credit risk PD/LGD/EAD models, market risk VaR engines, anti-money-laundering scoring models, and operational risk capital models.

BSA/AML alert investigation with Copilot

BSA/AML investigation is dominated by false positives at 95-98% of alerts. EPC Group deploys Microsoft 365 Copilot inside the AML workflow to draft initial alert narratives, surface related-party network views from Fabric warehouses, and propose investigation paths grounded in the bank’s case-management history. Copilot outputs are not final dispositions — they are structured first drafts that a human investigator reviews, edits, and attests through a Power Apps form that writes the final narrative back to the case-management system. Microsoft Purview audit logs capture the Copilot prompt, the grounding sources, the human edits, and the attested narrative — satisfying FFIEC BSA/AML Examination Manual expectations that the reasoning behind any Suspicious Activity Report be reconstructable on demand. The architecture is sensitivity-label aware so MNPI never surfaces in an unrelated investigation context.

Credit risk concentration dashboards

Credit risk concentration reporting brings exposure data from core banking systems, loan origination systems, syndicated-loan platforms, and external credit data into a Fabric Lakehouse zone governed by Purview sensitivity labels for customer confidential information. The semantic model in Fabric exposes facts (exposure, commitment, utilization, internal rating) and dimensions (counterparty, industry, geography, product, internal rating bucket) aligned to FFIEC concentration-reporting thresholds. Power BI dashboards present concentration views by NAICS code, by geography, and by internal rating, with visual-level RLS limiting visibility to chief credit officers and the credit risk function. Microsoft 365 Copilot is grounded on the semantic model to answer questions like “what is our largest oil-and-gas exposure inside Texas above an internal rating of 6 today?” — with the answer accompanied by Microsoft Purview lineage showing the source extracts.

Market risk VaR and stress test reporting

Market risk Value-at-Risk and CCAR / DFAST stress testing depend on time-series feeds from trading systems, pricing engines, and external market data providers (Bloomberg, Refinitiv, ICE). EPC Group lands these feeds into a Fabric Lakehouse with end-of-day snapshots preserved as immutable bronze data, computes VaR aggregations and stress-scenario re-pricing in Fabric Warehouse using SQL endpoint and Spark notebooks, and exposes capital-adequacy results in Power BI for the chief risk officer and treasury. Microsoft Purview lineage covers the path from raw market data through curve construction through scenario re-pricing through reported numbers, satisfying CCAR documentation expectations. Copilot summarizes stress-test commentary for the board pack with grounding restricted to attested scenario outputs.

Operational risk RCSA evidence rollup

Operational risk Risk and Control Self-Assessment (RCSA) is typically a quarterly spreadsheet exercise. EPC Group reshapes RCSA into a Microsoft Power Platform workflow: business owners complete control attestations in Power Apps forms, evidence attachments land in SharePoint sites with Purview sensitivity labels applied automatically, and Fabric warehouses aggregate the attestations into a Power BI dashboard for the operational risk function. Copilot reads the prior-period attestations and proposes draft narratives for the current period, which the business owner edits and attests. The result is a continuously-current RCSA position with full Microsoft Purview audit lineage from individual control attestation through executive operational risk reporting — replacing the quarterly spreadsheet panic with a rolling control posture.

Healthcare clinical risk use cases

Five productized clinical risk prediction patterns built on the same Microsoft architecture, each scoped under a Microsoft Business Associate Agreement. Active healthcare BAAs include Palmetto Infusion (active BAA), the American Registry of Radiologic Technologists (ARRT), the Oklahoma Medical Research Foundation (OMRF), Eisenhower Health, and Medavie (BAA + HIPAA + ECIF).

Sepsis prediction model dashboards

Sepsis prediction depends on vital signs, laboratory results, medications, and clinical observations from Epic, Cerner / Oracle Health, athenahealth, or Meditech. EPC Group ingests HL7 v2 and FHIR R4 feeds into Microsoft Fabric bronze with schema validation, maps clinical concepts to LOINC, RxNorm, and SNOMED CT at silver, and presents named sepsis features (qSOFA components, lactate trajectory, mean arterial pressure, white blood cell count, heart rate variability) at gold with explicit missingness handling. Power BI clinical decision support dashboards surface the sepsis risk score with visual-level RLS limiting access to the assigned care team. Microsoft Purview lineage lets a clinician trace any flagged patient from the dashboard back to the underlying observation — answering the “why did the model flag this patient?” question that drives clinician trust.

30-day readmission risk scoring

30-day readmission risk drives CMS reimbursement under the Hospital Readmissions Reduction Program. EPC Group builds the Microsoft Fabric architecture that hosts the readmission model — typically a logistic regression or gradient-boosted tree owned by the customer’s clinical informatics or data science team — and integrates it with Epic, Cerner / Oracle Health, or Meditech feeds. The Fabric Lakehouse gold zone presents the named features (LACE index components, prior admissions, medication adherence proxies, social determinants of health where ethically captured) with Purview labels distinguishing PHI from de-identified research extracts. Power BI dashboards surface readmission risk at discharge planning, with care managers receiving alerts through Microsoft Teams adaptive cards when high-risk patients enter discharge workflow. Outcomes data flows back into Fabric for ongoing model monitoring and bias review.

Real-time fall-risk prevention

Fall prevention requires real-time signals — bed-exit sensors, gait assessments, medication side-effect risk scores, and clinical observations. EPC Group lands these feeds into a Fabric Real-Time Intelligence eventstream, computes fall-risk scores in near-real-time with Fabric KQL, and surfaces alerts to the nursing station Power BI dashboard with sub-minute refresh. Microsoft Teams notifications reach the assigned nurse when a high-risk patient triggers a bed-exit event. Microsoft Purview lineage covers the entire path from sensor signal to nurse notification, satisfying The Joint Commission expectations for fall-prevention program documentation. The same architecture supports pressure-ulcer risk surveillance and central-line-associated bloodstream infection surveillance with minimal changes to the eventstream and feature engineering layers.

Medication-error prevention

Medication-error prevention combines a clinical decision support rule engine with real-time observation feeds and historical adverse-event analytics. EPC Group integrates the customer’s preferred CDS engine (Epic Cognitive Computing, Cerner / Oracle Health, First Databank, Wolters Kluwer Medi-Span) with Microsoft Fabric for the analytics surface. Power BI dashboards present the medication-error landscape by service line, by medication class, by provider, and by error type, with visual-level RLS limiting clinician-specific views to the appropriate department leadership. Microsoft 365 Copilot summarizes adverse-event narratives for the pharmacy and therapeutics committee, with grounding restricted to attested incident reports and Purview-labeled formulary references. The architecture preserves PHI boundaries while delivering pharmacy leadership the visibility needed for continuous quality improvement.

Population-health risk segmentation

Population-health risk segmentation drives value-based care contract performance. EPC Group lands EHR feeds, claims feeds, social-determinants-of-health data, and HealtheIntent or Cosmos extracts into Microsoft Fabric Lakehouse, applies risk-stratification logic (HCC categories, ACG groupings, internally-developed clinical risk scores) at the gold layer, and presents Power BI dashboards segmenting the population by clinical risk, social risk, and care-gap exposure. Care management teams receive prioritized worklists through Microsoft Teams, with care coordinator attestation flowing back into Fabric for ongoing intervention-effectiveness analysis. Microsoft Purview lineage and sensitivity labels cover the path from raw claims through risk score to care coordinator worklist, satisfying CMS data use agreement requirements and state Medicaid program documentation expectations.

The audit-pedigree controls that make both regulated-acceptable

Whether the surveyor is the Federal Reserve, the OCC, the FDIC, FINRA, OCR, The Joint Commission, or the FDA, the underlying expectation is the same: prove who accessed which sensitive element when, prove the analytic output is reproducible, and prove the AI augmentation did not bypass the controls. EPC Group implements five controls in every engagement.

Sensitivity labels at data product levelMicrosoft Purview labels (Restricted-PHI, Restricted-MNPI, Restricted-Research, Confidential-Operational) are applied at the Fabric Lakehouse data product layer at ingestion. Labels propagate downstream into the semantic model, Power BI workspaces, SharePoint, and OneDrive — and into Copilot grounding.
RLS + CLS in Power BI and Fabric WarehouseRow-level security splits visibility by counterparty, line of business, care team, or regulatory cohort. Column-level security hides specific PHI or MNPI elements from users whose role does not require them. Both are enforced at the warehouse layer, not just at the report layer.
Immutable Microsoft Purview audit logsEvery read event is captured immutably. Microsoft Purview lineage maps every Power BI dashboard cell back to the source extract that produced it. Auditors and surveyors can independently reproduce conclusions without depending on the model owner or clinical informatics team for the underlying evidence.
Copilot grounding with sensitivity-label preservationMicrosoft 365 Copilot inherits sensitivity labels through Microsoft Graph. A prompt that would surface PHI or MNPI to a user lacking the corresponding Entra group membership is filtered before render. Copilot Studio agents are restricted to pre-approved grounding sources, never the open web for regulated workloads.
Model risk attestationFor financial services, every model and dashboard carries an SR 11-7 attestation covering conceptual soundness, ongoing monitoring, and outcomes analysis. For clinical decision support, every dashboard meeting Software as a Medical Device criteria carries an FDA 21 CFR Part 11 Statement of Compliance with ALCOA-C electronic-records controls. Attestations are stored as governed data products in Microsoft Purview.

The 90-Day Playbook engagement model

Fixed-scope, fixed-fee, senior-architect-led. The same shape works for financial services and healthcare engagements. Engagement range $400,000 to $900,000 depending on data complexity, number of source systems, and number of regulator-facing dashboards in scope.

Phase 1 · Weeks 1–2

Assess

BAA execution where required. Source system inventory across EHR, core banking, market data, trading systems, claims feeds. Regulatory cohort mapping. Sensitivity label taxonomy proposed. Costed roadmap for Phases 2-4.

Phase 2 · Weeks 3–6

Architecture + 1 use case

Fabric Lakehouse zone stood up with Purview labels at ingestion. Semantic model layer built. Power BI workspaces with RLS and CLS configured. First named use case (SR 11-7 model risk or sepsis prediction, customer choice) delivered end-to-end.

Phase 3 · Weeks 7–10

Two more use cases

Two additional use cases delivered from the financial or healthcare catalog. Microsoft 365 Copilot grounding configured against the validated semantic model. Microsoft Defender XDR anomaly detection enabled.

Phase 4 · Weeks 11–12

Validation + handoff

SR 11-7 attestation pack or FDA 21 CFR Part 11 Statement of Compliance produced. Internal audit or surveyor mock-review run. Operate-phase handoff to EPC managed services or to the customer’s ongoing team. 30-day post-handoff hypercare included.

Related EPC Group practice areas

The Risk Reporting Playbook sits inside a broader compliance-native Microsoft consulting practice. Explore the adjacent practice areas that feed and consume this playbook.

Enterprise Regulated Analytics on Microsoft

Compliance-native analytics across HIPAA, FINRA, FedRAMP, GxP.

Healthcare IT Consulting — HIPAA Microsoft 2026

Healthcare practice anchor with active BAAs.

Government and Federal Microsoft Consulting

FedRAMP and CMMC delivery on Microsoft.

Microsoft Cloud Orchestrator

How EPC orchestrates multi-workload Microsoft programs.

Senior Architect Delivery Model

Why every engagement is led by a named senior architect.

Standards Alignment

Named regulatory and industry framework alignment.

Microsoft Fabric Expertise

Fabric Lakehouse, Warehouse, and Real-Time Intelligence delivery.

Microsoft Power BI Expertise

Power BI delivery for regulated reporting surfaces.

Why EPC Group delivers this playbook

11,000+

Engagements delivered

70+

Fortune 500 clients

216+

M&A tenant migrations

500+

Fabric implementations

Microsoft Solutions Partner — 6 designations

Data and AI on Azure, Infrastructure, Modern Work, Security, Business Applications, and Digital and App Innovation. Six designations covering the full Microsoft risk reporting stack.

Active healthcare BAAs

Palmetto Infusion (active BAA), the American Registry of Radiologic Technologists (ARRT), the Oklahoma Medical Research Foundation (OMRF), Eisenhower Health, and Medavie (BAA + HIPAA + ECIF). Healthcare risk reporting delivered under executed Business Associate Agreements.

Errin O’Connor authorship

Nearly three decades of Microsoft consulting leadership. Four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations. Personal review of every risk reporting architecture.

Senior-architect-led delivery

No offshore handoffs. The senior architect named in the proposal delivers the engagement. Fixed-fee, fixed-scope, fixed-team. G2 Leader for six consecutive quarters with a 100 NPS.

Frequently asked questions