ENTERPRISE RISK · OPERATIONAL · TECHNOLOGYBook a demo
Enterprise risk management for regulated financial institutions

Enterprise risk, mapped to the process that owns it.

One ERM platform for the two risks that sink banks: operational risk — with RCSA, loss events, and KRIs as first-class workflows — and technology risk, where incidents and failed changes feed straight into the risk and loss model. ISO 27005, NIST CSF, Basel, and NIA Qatar, preloaded.

Op risk with RCSA·Technology risk linked to incidents·Basel · ISO 27005 · NIST CSF · NIA
Risk postureLive
Op risk
68
open items
Tech
5
open incidents
RCSA
82%
cycle complete
Risk × Control coverage
A.5
A.6
A.7
A.8
A.9
A.10
R-001
R-002
R-003
R-004
R-005
R-006
1 CRITICAL GAP2 HIGH· review by Friday
Trusted by risk teams atGulf National BankDoha InsuranceBahrain Finance HouseQatar First BankEmirates Re
01 — How it works

Process first. Then risk, then control.

Enterprise risk lives where the work happens. Map the process, the risks it carries, and the controls that hold — so RCSA, loss events, tech incidents, and risk aggregation all roll up to an owner, not a spreadsheet.

Process

Owned, not orphaned

Every business process has an owner and a hierarchy — payments, treasury, lending, change management. The risks roll up to the people accountable for them.

process → owner → hierarchy
Risk & RCSA

Assessment that gets challenged

RCSA campaigns scoped to each process: inherent, control, residual — with second-line challenge and management sign-off. Not a once-a-year spreadsheet.

inherent → control → residual → sign-off
Control

Mapped once, proven once

Design and operating effectiveness, mapped across ISO 27005, NIST CSF, and NIA Qatar at once. Change a control, watch residual recompute.

ISO 27005 · NIST CSF · NIA

02 — The platform

One ERM platform, two risks, eight disciplines.

Operational risk and technology risk — the two that show up in every regulator's ICAAP letter — most tools scatter across modules. Unified here under one process-centric model, so a loss event links to the process, the risk, and the control that failed.

Process register

Map business processes, owners, and the risks each one carries.

process → risk → control

Risk

Inherent and residual scoring, heatmaps, treatment plans.

R-001 … R-240

RCSA

Self-assessment campaigns with challenge and second-line review.

campaign → review → sign-off

Controls

Design and operating effectiveness, mapped to every framework once.

ISO · NIST · NIA

Loss events

Near-miss to actual loss, Basel-categorised, with root cause.

Basel 7 × business line

Tech incidents

Outages, failed changes, batch failures — linked to risk and loss.

incident → loss → issue

KRIs

Thresholds, tolerances, escalation, and trend forecasting.

breach → action

Scenarios

Forward-looking: outage, fraud, third-party, ransomware.

forward-looking
7
Basel op-risk event types, business-line mapped
4
GCC markets — KSA, Qatar, Bahrain, UAE
100%
of loss events traced to a process and control
1
connected model — process, risk, control, loss, KRI
03 — Why teams switch

The reasons risk teams leave their fragmented ERM stack.

Enterprise risk management on one model op risk, tech risk, controls, loss, KRI — connected
Process-centric by design process → risk → control, not a flat register
RCSA as a first-class workflow campaigns, challenge, second-line review
Basel-aligned loss event data 7 event types × business line, near-miss to actual
Technology risk that links to losses incidents → risk → loss → control issue
ISO 27005 · NIST CSF · NIA Qatar regulator-ready frameworks preloaded
True multi-tenant isolation every institution keeps its own data
Browser-based SaaS nothing to install, evidence-ready day one

04 — The product, not a screenshot

Not a screenshot — the working risk console.

app.auditgrc.com/risks
Gulf National Bank / Operational Risk

Risk register

+ New risk
Open op-risk items
68 · 3 crit
▲ 4 this week
RCSA complete
82%
▲ 6% this cycle
KRIs in breach
5
▲ 2 escalated
Loss events YTD
23
▲ $1.2M exposure
IDRiskSeverityMapped controlEffectivenessOwner
R-042Batch settlement job fails past cut-offCRITICALOPS-CHG-0441%S. Okafor
R-017Unreviewed privileged access in core bankingHIGHISO-A.5.1763%M. Chen
R-091Vendor offboarding lacks access revocationHIGHTPRM-0958%J. Patel
R-008Payment reconciliation breaks on FX cut-overMEDIUMOPS-REC-0271%R. Adeyemi
R-103DR failover untested for the core platformMEDIUMITSC-1377%L. Novak
R-055Manual journal overrides above thresholdLOWFIN-CTL-0788%D. Rossi
05 — Thinking on risk

We write about this in public.

Field notes from people who have run enterprise risk inside regulated banks — RCSA, technology incidents, and practical framework crosswalks for the GCC and beyond.

Operational risk

Your RCSA is a calendar event, not a control.

If it runs once a year and nobody challenges it, it is theatre. How to make RCSA a living second-line process.

7 min read · by S. Visser
Technology risk

A failed change is an operational loss waiting to post.

Core banking outages start as routine changes. Link incidents to risk and loss before the regulator asks.

5 min read · by M. Chen
GCC regulation

Mapping ISO 27005, NIST CSF, and NIA Qatar once.

The overlap is bigger than vendors admit. A practical crosswalk for Gulf financial institutions.

9 min read · by J. Patel

See your enterprise risk posture in 30 minutes.

No deck. We map a process to its risks and controls, run an RCSA, link a tech incident to a loss event, and show you the gaps live. Free, no obligation.