Risk Management Hub — RegTechPRO | Risk Network, Third Party Register, RCSA Campaigns, Audit Trail
RISK NETWORK · THIRD PARTY REGISTER · RCSA CAMPAIGNS · AUDIT TRAIL

Enterprise GRC, without the enterprise price tag.

Surface the concentration risk before the Board does. Answer "who changed what, when?" in one click. RCSA cycles signed off with versioned audit snapshots. The Risk Committee Report Anna drafts from your live data — in 60 seconds, not five days.

Trusted by 250+ UK-regulated firms · Built by compliance professionals to make your life easier.

100 Regulator-Cited Templates
Risk Network & Concentration Alerts
RCSA Campaigns & Audit Trail
Anna AI Risk Committee Report
Three-Score Appetite Framework
Vendor & CTP-Regime Register
The Enterprise-GRC Trap

£20,000 a year for a tool, or a spreadsheet. Neither survives the Board challenge.

Enterprise GRC platforms charge £20–40k a year for the depth a Board challenge demands. Excel and PowerPoint cost less but won't evidence it under scrutiny — internal, regulatory or otherwise. There is a third option.

One Score. Three Versions. Zero Truth.

Your Excel register has a single "risk score" column. Inherent vs residual? A comment in column K. Appetite? A separate doc nobody reads. The FCA expects three scores per risk. Inherent, residual and appetite, with control effectiveness as the bridge.

Risk_Register_v14_FINAL.xlsx
Controls_Map_old.xlsx
Appetite_Statement_2024.docx

The Annual Risk Review That Goes Stale by Month Three

Consultants rebuild your register from interviews once a year. You still own every risk. The artefact is constructed once then drifts out of date before Q2 even starts. SYSC 7.1 expects a live register, not a March snapshot.

Annual Risk Review Jan
Stale by Apr
Board Pack PPT

No Live Appetite Breach Signal

Residual risk drifts over threshold mid-year. Nobody notices until the Q4 board pack. SYSC 7.1 expects appetite to be a live control signal, not an annual statement archived in a SharePoint folder.

0 flagged
Live breaches visible to the Board.

Controls Untied to Risks

Your controls register and your risk register are two separate spreadsheets. Which control mitigates which risk? Which is effective, partial, ineffective? The FCA wants one coherent view, not a Q&A session with the MLRO.

Audit → linked risk? Unknown
Transaction Monitoring. Last reviewed?
File Review. Effective? Partial?

Spreadsheet register. PowerPoint heat map. Last year's appetite statement. The operating system below replaces all three — at the price of a software subscription, not an enterprise GRC contract.

Built around your firm

Different obligations. Same governance backbone.

Your regulatory perimeter shapes the language. The risk programme underneath is the same — and it's the one auditors, Boards and supervisors all recognise.

If you're FCA-regulated

The SYSC depth a supervisor visit demands.

Anna's Risk Committee Report cited rule-by-rule to SYSC 7.1, SYSC 8, SYSC 15A, the CTP regime, PRIN 2A and MIFIDPRU 7. SM&CR ownership baked into every risk row. The audit trail SYSC 7.1.4R expects, captured automatically.

  • Per-risk SMF accountability — the question "who owns this?" has a name on every row
  • RCSA campaigns produce the SYSC 7.1.4R signed-off snapshot the FCA expects
  • Third-party register aligned to the 2025 CTP regime — already wired in
If you're any other UK firm

The risk programme that holds up to a Board challenge.

Material risk doesn't care about your regulator. The same three-score appetite framework auditors benchmark against. Concentration alerts the Board would otherwise spot first. The audit trail any internal-audit cycle is going to ask for.

  • Inherent · residual · appetite — the framework auditors recognise on day one
  • Concentration alerts surface the SPOFs hiding between rows
  • "Who changed what, when?" answered in one click — every internal audit asks
Features

Enterprise GRC, without the enterprise price tag.

Three things separate this from a spreadsheet — and from the enterprise GRC contract. The capabilities the CRO actually runs the firm from. Built for any firm with material risk to manage — including but not limited to FCA-regulated firms.

Three ideas no spreadsheet — and no enterprise GRC price tag — can match.

Most SMB risk tools are register CRUD and a heat map. Most enterprise GRC tools are the right depth at the wrong price. The capabilities below are the ones that change what the CRO can put in front of the Board — and the FCA — and they ship in a £500/month module.

The Risk Network. Concentration alerts the spreadsheet hides.

Force-directed graph of every risk in your register. Causal links you define. Shared-vendor and shared-owner edges drawn automatically. Concentration alerts fire when 3+ risks share a single point of failure. The single biggest demo wow factor — and the visualisation enterprise GRC charges £20k a year for.

✗ Spreadsheet: SPOFs hide in the rows
✓ This module: the SPOF surfaces itself
D3 graph · Auto-alerts

RCSA campaigns. Versioned audit snapshots, signed off.

Quarterly Risk and Control Self-Assessment cycles built into the module. Owners attest, the register snapshot freezes at close, the PDF is immutable, the audit trail is the SYSC 7.1.4R evidence the FCA expects. The £8–20k consulting engagement, replaced.

✗ Consultant retainer: £20–40k/year
✓ This module: RCSA + signed snapshot, included
SYSC 7.1.4R · PDF-locked

"Who changed what, when?" Answered in one click.

Append-only field-level audit trail on every risk. Named user, timestamp, before/after diff, derived score changes. The question the FCA increasingly asks gets a one-click answer. Most enterprise GRC platforms charge £20k+ for this. Here it's standard.

✗ Other tools: overwrite silently
✓ This module: every change logged, attributed
Field-level diff · Named user

The capabilities the CRO actually runs the firm from.

Every artefact wired to the others — risks to controls to KRIs to incidents to actions to scenarios to vendors to causal network to attestations. Built for the Board challenge, the supervisor visit, and the £20–40k enterprise GRC contract you don't have to sign.

1. Score & capture: Three-score model, FCA-anchored templates, KRIs.
Three-score appetite framework

Inherent · residual · appetite — kept separate, never collapsed. 1–25 scale. Per-risk appetite override on the category default. Breach detection is automatic; "approaching" flagged at 80% threshold.

5×5 · Per-risk override
100 FCA-anchored templates

Operational 17 · Regulatory 15 · Financial Crime 15 · Technology 12 · Conduct 12 · Reputational 10 · Compliance 10 · Strategic 9. Every template carries a regulator citation, suggested ratings, and 1–3 suggested controls. No cold-start.

8 categories · Cited
KRI register with thresholds

Daily · weekly · monthly · quarterly · annually frequencies. Within / Warning / Breach status. Trend captured. Breaches drive escalation actions cited in the Anna report.

5 frequencies · 3 states
2. Network & oversight: SPOFs, vendors, the audit trail the FCA increasingly asks for.
Risk Network with concentration alerts

Force-directed D3 graph. Causal · shared-vendor · shared-owner edges. Concentration alerts at 3+ risks per SPOF. Board-pack PDF export at 96vw × 92vh.

3 edge types · Auto-alerts
Third-Party Register (CTP regime)

12 vendor categories. Critical / High / Medium / Low criticality. IBS & CTP designation flags. Exit plan status. Concentration analysis. The SYSC 8 / CTP regime evidence pack — already aligned to 2025 rules.

SYSC 8 · CTP regime
Field-level audit trail

Every change to every risk — logged with named user, timestamp, before/after diff. 100 entries per risk in JotForm; localStorage overflow to 1,000. Recently Changed dashboard tile surfaces 7-day activity.

SYSC 7.1.4R · Append-only
3. Sign-off & report: RCSA campaigns, the 15-section Risk Committee Report, exports.
RCSA / Attestation campaigns

4 campaign types · 3-step creation wizard · scope by all / category / owner / manual · per-attestor confirm-or-rerate · close generates immutable PDF audit snapshot signed off by named owners. Cross-posts to Document Library.

SYSC 7.1.4R · PDF-locked
15-section Risk Committee Report

Anna drafts every section from your live risks, KRIs, incidents, third parties, causal network and attestation campaigns. Cited to SYSC 7.1, SYSC 8, SYSC 15A, CTP regime, PRIN 2A and MIFIDPRU 7. Per-section regenerate · edit in place · HTML or PDF export.

14 statute anchors · Live data
Premium-aware Health Score

70% risk-ops + 30% framework, with premium-signal penalties for concentration alerts, overdue DD on critical vendors, untested exit plans and overdue attestations. Transparent on the dashboard. Can't be gamed by managing one input alone.

Composite · Auditable

The regulatory perimeter you actually face. Wired in.

Templates cited to specific regulators. Statute anchors cited in Anna's report. The Critical Third Parties regime, already aligned. For FCA-regulated firms, the SYSC framework is here. For any other firm with material risk to manage, the same governance backbone applies.

  • 100 FCA-anchored templates
  • 25 SYSC compliance controls
  • 14 Statute anchors
  • 15 Anna report sections
  • 12 Vendor categories

  • Risk management framework: SYSC 7.1
  • RCSA & control testing: SYSC 7.1.4R
  • Outsourcing: SYSC 8
  • Operational resilience: SYSC 15A
  • Critical Third Parties: CTP regime
  • Consumer Duty: PRIN 2A
  • ICARA / capital adequacy: MIFIDPRU 7
  • Conduct & SM&CR: COND 2 · COCON
  • Cross-cutting (FC / DP / MAR): MLR · GDPR · UK MAR
Plus: Premium-aware Health Score with transparent penalty attribution · Risk Network Board-pack PDF at 96vw × 92vh · Closed-campaign audit snapshots cross-posted to Document Library · 21-column third-party CSV with full DD evidence linkage.

Enterprise quality. SME pricing.

From £500/month · No tier gate. No add-ons. No setup fee.

Inside the Module

Every risk. Every control. Every change, on the record.

A 30-second read on the firm's risk posture, the magnitude-ranked breach list the Board opens with, the force-directed network graph, the third-party register, the RCSA campaign tracker, and the field-level audit trail — one module, one data layer.

Risk Management Dashboard — 5×5 heat map, KPI strip and Breaches Over Appetite by category

A 30-second read on the firm's risk posture: 4-tile KPI strip (Total Risks, High/Critical, Overdue Reviews, Control Gaps), live 5×5 residual heat map and a Breaches Over Appetite chart split by category. One screen — the board pack writes itself.

Risk Register — 8-column register with inherent, residual, owner and next review

The 8-column register: ID · Title · Category · Inherent · Residual · Owner · Next Review · Actions. Colour-coded residual pills match the heat-map cell a risk lives in, and the register supports residual-exceeds-inherent, the realistic case where a control has degraded.

Risk Appetite tab — per-risk threshold, VS Appetite delta bar, BREACH/WITHIN status

The Board tab. Per-risk appetite threshold, residual score, a horizontal VS APPETITE delta bar showing breach magnitude and a BREACH / APPROACHING / WITHIN status chip. The magnitude-ranked list the Board should open with.

Control Effectiveness — design and operating effectiveness scoring with last-test dates

Score the controls behind every risk: design effectiveness, operating effectiveness, last-test date and a residual override when controls have degraded. Weak controls flag automatically — and roll into the Risk Committee Report from the same data.

Common Risk Templates pre-built for FCA-regulated firms

Common Risk Templates pre-built for FCA-regulated firms: cyber, third-party, regulatory change, conduct, financial crime, op resilience, prudential. Add to your register in one click — fully editable, fully attributed.

Key Risk Indicators — threshold breaches, trend lines and named owners

Key Risk Indicators tracked over time. Threshold breach alerts, trend lines, traffic-light status — every KRI tied to a risk in the register and a named owner who explains the move.

Risk Events log — near-misses, loss events, breaches and control failures

Every risk event logged: near-miss, loss event, breach, control failure. Root cause, financial impact, regulatory notification status — with the lessons-learned action that prevents the next one.

Risk Scenarios — scenario library and stress-test workbench

Scenario library and stress-test workbench. Run a scenario across the register, see which risks breach appetite, which controls fail and what the firm-wide impact looks like — without spreadsheet archaeology.

Third-Party Register under SYSC 8 and the Critical Third Parties regime

The Third-Party Register under SYSC 8 and the Critical Third Parties regime. Tier 1 / 2 / 3 classification, dependency mapping, exit plans, concentration alerts — every supplier the FCA expects to see, in one place.

Interactive Risk Network — force-directed graph with concentration alerts

The force-directed Risk Network. Causal links between risks, shared third parties, shared owners — with concentration alerts that surface the systemic risks no register-only view can show.

Risk Owner Attestation Campaigns — quarterly RCSA cycles with named-owner sign-off

Risk Owner Attestation Campaigns. Quarterly RCSA cycles fired across the register, named-owner sign-off captured, signed audit snapshot at year-end — the SYSC 7.1.4R evidence the FCA expects, the ergonomics your team will actually live with.

SYSC 7 Compliance Checklist with named attestors and rule mapping

The SYSC 7 Compliance Checklist. Risk Management Function in place, SMF24 oversight, three-lines-of-defence integration, written risk strategy — every item attested by name and mapped to source rule.

15-section Risk Committee Report drafted by Anna AI from live data

The 15-section Risk Committee Report drafted by Anna AI in 60 seconds. Pulls from your live register, KRIs, events, third parties and scenarios — formatted, evidenced and exportable. Three days of risk-team drafting collapsed to a click.

Risk Management in dark mode

Long compliance days, gentler on the eyes. A full dark mode across every Risk Management screen — same WCAG-compliant contrast, same audit accuracy, just easier to live in.

The Board Risk Report

15 sections, drafted by Anna in 60 seconds. Signed off by your CRO.

Every risk on the register rolled into a single quarterly Board Risk Report. Inherent, residual and appetite scores side by side, a live 5x5 heat map, control effectiveness ratings, and appetite breach deltas. The document the Chair opens at the Board meeting. The document the FCA asks for in a SYSC 7 visit.

Every section. Every SYSC anchor.

A quarterly report built from your live register, vendors, network and attestation campaigns. Each chapter maps to a SYSC, COSO ERM or CTP regime requirement, each table is source-matched to a record, and each heat-map cell reconciles to the underlying Inherent x Impact product.

15 Sections · 14 Reg Anchors · 8 Risk Categories · 12 min Draft to Export

1. Executive Summary & CRO Foreword (SYSC 7.1)
2. Risk Profile Overview · Inherent vs Residual (COSO ERM)
3. Top 10 Residual Risks (SYSC 4.1.1R)
4. Risk Appetite Breach Analysis (SYSC 7.1.2R)
5. Control Effectiveness Assessment (SYSC 7.1.16R)
6. Key Risk Indicators (KRIs) (SYSC 7.1.4R)
7. Risk Events & Loss Database (PRIN 11)
8. Action Plan Status · Overdue by Owner (SYSC 7.1.22R)
9. Scenario Analysis & Stress Testing (MIFIDPRU 7 · SYSC 15A)
10. Emerging & Horizon Risks (FG23/5)
11. Three Lines of Defence Effectiveness (SYSC 4.3)
12. Recommendations & Forward Plan (SMF4)
13. Third Party & Outsourcing Risk (SYSC 8 · CTP regime)
14. Risk Concentration & Causal Network (SYSC 15A)
15. Attestation Cycle & RCSA Evidence (SYSC 7.1.4R)
Q1 2026 review · 4 breaches open

Named challengers. Dated questions. Logged resolutions.

Every appetite breach raised by a non-exec or Board member is logged against the risk record, with challenger, date raised, response due and status. The Board pack does not leave the room without each one tracked.

Challenger · Risk / Question Raised · Status

  • Priya Natarajan, Independent NED · Risk Committee Chair
    R131598 Conduct Risk Audit Failed: residual is +14 over appetite. Why has the CRO not requested an interim mitigation plan ahead of Q2?
    Mar 18, 2026 · Attention
  • Declan Okonkwo, SMF9 · Chair of the Board
    R754127 Data Exposure: residual (10) exceeds inherent (9). Control has degraded. What has changed since the January RCSA?
    Mar 21, 2026 · Open
  • Yasmin El-Sayed, SMF1 · CEO
    Technology category defaulting to threshold 6. Is this still appropriate after the June cloud migration, or should appetite be recalibrated?
    Mar 22, 2026 · Resolved
  • Marcus Vermeulen, INED · Audit Committee
    R683842 AML control marked PARTIAL with residual green: what conditions would push residual amber before coverage expands?
    Mar 24, 2026 · Open
  • Hana Bergstrom, SMF4 · Chief Risk Officer
    Proposal to split Operational into Cyber and Business-Continuity sub-categories for Q2 reporting, per FCA cyber resilience guidance.
    Mar 26, 2026 · Resolved

Three named attestors. One accountable chain.

The Board Risk Report is not signed by a committee. It is signed by three named individuals, each accountable under SM&CR for a distinct part of the risk governance loop, with a time-stamped audit trail the FCA can walk through line by line.

  • Prepared by: Hana Bergstrom, SMF4 · Chief Risk Officer (Mar 27, 2026)
  • Reviewed by: Yasmin El-Sayed, SMF1 · Chief Executive Officer (Mar 28, 2026)
  • Approved by: Declan Okonkwo, SMF9 · Chair of the Board (Mar 29, 2026)

Report locked · Mar 29, 2026 · 16:42 GMT. Read-only. Source-matched to register R1-R47. Reproducible under SYSC 7 record-retention to 2031.
Anna AI for Risk Management

Your Risk Committee Report — and your live risk advisor — in one assistant.

Anna sits alongside the register, not on top of it. Ask her any risk-management question — she answers, cited to the standards your auditors recognise. Click Generate and she drafts the 15-section Risk Committee Report from your live data in 60 seconds. Two jobs, one assistant, zero invented content.

Anna, RegTechPRO's AI Compliance Assistant
Hi, I'm Anna!
RISK-COMMITTEE-GRADE · ISO 31000 · SYSC 7.1 / SYSC 8 / CTP TRAINED (WHERE APPLICABLE)

Your Risk Committee Report drafter and concentration-risk early-warning system, in one.

Two distinct jobs. First, Anna answers any risk-management question your team throws at her — appetite breaches, concentration alerts, control effectiveness, scenario design — cited to ISO 31000, internal-audit standards, and (for FCA-regulated firms) the relevant SYSC, MIFIDPRU and CTP-regime references. Second, she drafts the 15-section Risk Committee Report from your firm’s live register, KRIs, incidents, third parties, causal network and attestation campaigns. No invented vendors, no invented alerts, no LLM arithmetic.

  • Answers risk, appetite, control and scenario questions cited to your own register plus the standards your auditors recognise
  • Drafts the 15-section Risk Committee Report — live data in, signable PDF out, 60 seconds end to end
  • Surfaces concentration alerts before the Board does — who shares a vendor, who shares an owner, where the SPOFs hide
  • Never scores risks for you. The CRO keeps named accountability for every appetite call
Your live risk advisor

Ask Anna any risk question. Get an answer cited to your own data.

“Which of our open risks breach appetite, and what's the concentration story?” “Where are our highest-residual risks dependent on a single critical vendor?” “What scenario should we run for next quarter's stress test?” Anna answers from your live register, the concentration-alert engine, and the standards your auditors recognise — in seconds, with citations.

  • Reads your live register, KRIs, incidents, vendors and causal links
  • Cites ISO 31000, internal-audit standards, and FCA Handbook (where applicable)
  • Surfaces concentration alerts and appetite breaches the Board hasn’t seen yet
  • Available across every Risk tab
Anna AI
Online · AI Risk Advisor
Which of our open risks breach appetite, and what's the concentration story?

Three open risks currently breach appetite, and they share a common thread:

  • R-001 Vendor Concentration — Cloud Provider X. Residual 20 vs appetite 12. Owner: Head of Operations. Linked to 4 other risks via shared vendor.
  • R-014 Outsourced Payment Processor SLA. Residual 16 vs appetite 10. Owner: Finance Director. Same vendor as R-001.
  • R-022 Critical Person Loss — Head of Compliance. Residual 18 vs appetite 14. Owner: CEO. Single point of failure on regulatory reporting cadence.

All three breach appetite, and the first two cluster on a single critical vendor — that’s a concentration alert under the CTP regime (where applicable). Recommended Board action: trigger an RCSA campaign on the Cloud Provider X exposure, accelerate exit-plan testing, and surface in §13 and §14 of the next Risk Committee Report.

Drawn from: Your Risk Register · Concentration Alert engine · SYSC 8 / CTP regime (where applicable) · ISO 31000

Ready before the next Board challenge.

Anna drafts the 15-section Risk Committee Report from your live data, surfaces concentration alerts before the Board sees them, and answers any risk-management question your team asks — cited to the standards your auditors recognise. See her draft your Risk Committee Report in a live demo.

What Our Clients Say

Enterprise depth. Without the enterprise bill.

From Heads of Risk to CROs, how firms are replacing the Excel register, the annual risk review and the PowerPoint heat map with a live register the Board actually opens.

5.0

Our risk register used to live in a single Excel file one person updated. The heat map got redrawn in PowerPoint for every quarterly board pack. Now we have a live 5×5, three scores per risk, and a VS Appetite delta bar in every row. Our CRO opens the Risk Appetite tab before the meeting, points at the +14 on Conduct, and the conversation starts in the right place. That alone changed how our Risk Committee runs.

Christopher Morgan, Head of Risk, MIFIDPRU Investment Firm
4.7

We were paying a consultant every year to rebuild the risk register from interviews. It went stale by month three. The RegTechPRO module gives us the same shape (inherent, residual, appetite, controls) but it's ours, it's live, and the Board sees the real state not a March snapshot. SM&CR ownership on every row was the clincher. My SMF24 can't dodge a risk that has her name in the Owner column.

Ahmed Al-Rashid, CRO, Retail Payment Institution
FAQs

Risk Management Hub. Questions Answered

Everything you need to know about the 5×5 heat map, the three-score model, control mapping, and how Risk Management Hub sits inside SYSC 7.1 and SM&CR.

Is Risk Management Hub only for FCA-regulated firms?
No. Material risk doesn't care about your regulator. The three-score appetite framework (inherent · residual · appetite), the 5×5 heat map, the Risk Network with concentration alerts, the RCSA campaigns, the audit trail and Anna's Risk Committee Report apply to any UK firm with a Board, an internal-audit cycle, or material risk to manage. For FCA-regulated firms, the SYSC 7.1, SYSC 8 and CTP-regime depth is built in and Anna cites it rule-by-rule. For every other firm — corporates, charities, fintechs not yet authorised, accountancy practices, professional services — the same governance backbone applies and is the framework auditors recognise on day one.
How does the 5×5 heat map work?
Classic FCA-style risk matrix: Likelihood (1 Rare → 5 Almost Certain) on the Y-axis, Impact (1 Negligible → 5 Catastrophic) on the X-axis. 25 cells coloured green → amber → red by the L×I product. The heat map is a live roll-up of the residual scores of open risks. Each cell shows the count of risks placed there, and each register row carries the same colour as its cell. Scan the Dashboard, spot the red cell, click through to the register row.
What's in the Risk Register?
An 8-column register: ID (auto-generated R{6-digit}) · Risk Title · Category · Inherent · Residual · Owner · Next Review · Actions. Sortable on every column. Six risk categories in the picker: Conduct, Financial Crime, Operational, Strategic, Regulatory, Technology. Filters per tab: Search + category + score filters. CSV export per-tab and module-wide (18 columns).
Can a residual score exceed the inherent score?
Yes, and this is deliberate. When a control has degraded since the original scoring (say a partial control has drifted to ineffective, or the exposure has widened), residual can legitimately exceed inherent. Many simpler registers enforce residual ≤ inherent by construction and lose this signal. RegTechPRO treats it as a first-class state: the register highlights it, the heat map reflects it, and the Board sees it without anyone having to explain away the maths.
How does Control Effectiveness tie to the register?
The Control Effectiveness tab is the mirrored register of the Risk Register. Same records, different lens. Each control gets a name, an effectiveness rating (Effective / Partially Effective / Ineffective), and is linked to one risk. The row also carries the linked risk's residual score as a coloured pill, so you see "this control is Partial and its linked residual is 20 red" in a single view. That's the single highest-priority remediation row, surfaced without drill-down.
What are the score bands?
Source-verified from the platform code: Low < 8 · Medium 8 to 14 · High 15 to 19 · Critical ≥ 20. These bands drive the residual pill colours, the heat-map cell colouring, and the badge text in the create modal. One taxonomy, applied consistently everywhere: register, Dashboard, appetite delta, CSV export.
How does the appetite threshold work?
Every risk gets its own appetite threshold (1 to 25 slider in the create modal, default 10). Residual score is compared against that threshold. Three states on the Risk Appetite tab: Within Appetite (residual below threshold), Approaching (residual within 1 to 2 points below), Breach (residual above threshold). The VS APPETITE column shows a horizontal delta bar per risk with the signed magnitude (+14, +2, -6). The Board sees a magnitude-ranked list, not a count.
Can I set category-level default thresholds?
Yes. The platform ships with 8 pragmatic category defaults: Technology 6, Operational 8, Conduct 10, Regulatory 10, Compliance 10, Reputational 10, Financial Crime 12, Strategic 15. Technology is tightest (reflecting FCA supervisory focus on cyber/op-tech risk since 2021); Strategic is loosest (because strategic risks are inherently long-dated and board-owned). Per-risk thresholds override category defaults. Your firm's appetite is yours to set. Category defaults are just the starting point.
How is the Inherent × Residual calculated?
Live-recalculated as you drag the sliders in the Add New Risk modal. Inherent Likelihood (1 to 5) × Inherent Impact (1 to 5) → Inherent Rating with an instant Low/Medium/High/Critical badge; same for Residual. Drag Inherent L from 3 to 4 and the rating ticks from 9 Medium to 12 Medium to 15 High. The teaching happens while the user fills the form. No save-and-recalc, no blank rating, no guesswork.
How is risk ownership handled? (SM&CR for FCA firms)
The Add New Risk modal has an Owner Name and an Owner Role field. Every risk has a named role accountable for it, not just a person. For FCA-regulated firms the placeholder is "e.g. SMF16, MLRO, Compliance Officer" and the field cross-references People Compliance's SMF taxonomy and the Prescribed Responsibility for risk (SYSC 7.1.22R). For every other firm the same field captures CRO, COO, Head of Risk, Head of Internal Audit, Department Head — whatever role your governance model uses. The principle is the same either way: every risk has named accountability.
How much does Risk Management Hub cost?
From £500/month. The module delivers a live 5×5 heat map, three-score-per-risk model, control-effectiveness register, and board-ready appetite reporting. See regtechpro.co.uk/pricing for the full modular calculator.
Do I need the whole RegTechPRO platform, or just this module?
Risk Management Hub is an add-on to a RegTechPRO subscription. It sits inside the platform so risk records can feed CMP's Risk Tasks scope, SMF ownership ties into People Compliance, and the MI Dashboard rolls up heat-map and breach counts across modules. Standalone risk registers exist, but the integrated governance loop is the commercial story.
How long does setup take?
Under a day for a small firm. The module ships pre-seeded with the 6-category taxonomy, the 8 category appetite defaults, the Low/Medium/High/Critical score bands, the 5-state risk lifecycle (Open / Under Review / Mitigated / Closed / Accepted) and the 3-state control effectiveness vocabulary. No migration project, no consultant needed to "design the framework". You import your existing register rows, assign SMF owners, and start scoring.
I'm a compliance consultant. Can I run this across my client book?
Yes. Each client has its own workspace with its own register, its own heat map, its own appetite thresholds. The workflow selector at the top of the module lets you switch between clients instantly with selection persisted. The Consultant's role shifts from "construct the register from interviews" to "review the evidenced register". The structural work is done. The judgement work is where your time belongs.
Does Anna score risks for me?
No. Scores are calculated purely from your register data — consistent, reproducible, and audit-stable. Anna's commentary draws from those scores; she doesn't affect them. Anna sits alongside: she drafts structured register entries from plain-English descriptions you give her, proposes controls to map against a risk, and answers your SYSC 7.1 / MIFIDPRU 7 queries. But the Low/Medium/High/Critical band a risk lands in comes from the published rubric, not an AI judgement. The FCA would rather see an objective score than an AI-judged one.
What regulatory anchors does Anna cite?
For FCA-regulated firms (where applicable): SYSC 7.1 (Risk management general), SYSC 7.1.16R (Risk Control function independence), SYSC 7.1.21R/22R (SM&CR Prescribed Responsibility for risk), SYSC 8 (Outsourcing), the CTP regime (Critical Third Parties), PRIN 2A.9 (Consumer Duty Board reporting overlap), MIFIDPRU 7 / ICARA (risk assessment + capital adequacy), FCA Risk Outlook, SM&CR SMF codes, and Own Risk & Solvency Assessment equivalents for insurance / investment firms. For non-FCA firms Anna anchors to ISO 31000, internal-audit standards, and your own appetite thresholds — the universal governance frame any auditor will recognise. In both cases, she cites your own register: the specific risk ID, control or appetite threshold that underpins a claim.
What audit trail does the module produce?
Every risk is a structured record with 18 fields: ID, title, category, inherent likelihood × impact, residual likelihood × impact, owner, role, creation date, review date, appetite threshold, mitigation, controls, status, and evidence files. Edits rewrite the record with full history. Evidence files are embedded in the record itself, so they travel with the risk rather than living in a separate folder. CSV export gives you the full register as a flat file for any external auditor or s.166 reviewer.
How does the Dashboard roll up risks?
Four live KPI tiles: Total Risks, High/Critical count, Overdue Reviews (past Next Review Date), Control Gaps (risks with weak controls). Plus the 5×5 heat map (residual roll-up) and the Breaches Over Appetite bar chart broken out by category. The bar chart is dynamic. It only renders categories with at least one breach, and the magnitude comes from each risk's per-risk threshold (not a category default). Open the Dashboard, read the posture in 30 seconds, drill into the tab that matters.

RegTechPRO

Enterprise-grade FCA compliance made accessible. Built by compliance professionals for UK-regulated firms.

ICO Registered
UK Based


© 2025 RegTechPRO Ltd. All rights reserved.
