RiskOps Platform
The operating layer for regulated firms.
Controls, policies, processes, incidents, complaints, and conduct sit on a single decision center. Evidence falls out of the work. Every decision carries its context, so the next board, audit, or regulator question is already answered.
Four layers. One view of operations.

Built by an operator who has seen these challenges from the auditor's and the regulator's perspective. In production at a UK principal firm running 54 Appointed Representatives.
the structural difference
One operating layer underneath the firm. Not a patchwork to reconcile.
A patchwork keeps the governance bandwidth tied up in reconciliation, not management. Evidence sits in different places. Owners are unclear. The pattern behind recurring failures stays invisible until the next finding.
One Operating Layer
Approach
- Controls, policies, processes, incidents, and conduct on one layer
- Every policy principle maps to the controls that evidence it, in real time
- Compliance evidence falls out of the first-line doing the work
- Board report traces back to live operational data, not aggregated snapshots
- The pattern behind three near-misses on the same control is visible before the fourth
Unified Tooling
Fragmented stack
Approach
- Controls in one spreadsheet, policies in a document store, incidents in a helpdesk tool
- No connection between a policy principle and the control that evidences it
- Compliance evidence assembled retrospectively before an audit
- Board report produced by manually aggregating multiple data sources
- Recurring findings because the architecture cannot surface patterns
Fragmented Tooling
The architecture
Four layers. Single foundation. Sequenced to the way the firm runs.
LAYER 02
The organisational layer.
Decompose the policy. Map the processes. Place controls on both. Connect intent to delivery.
- Policy 2.0 splits the monolithic document into named principles, each with its own owner and review cycle.
- Process Mapper places controls, risks, and indicators on every activity node.
- When a control fails upstream, the downstream impact is visible across the chain.
MODULE: Policy 2.0 + Process Mapper
LAYER 01
The operating layer.
Define the business activities. Build the risk universe from operations. Set up monitoring.
- Risks, Controls, Indicators, and Actions (RCIA) held as one connected set, not four separate registers.
- Each one carries a named owner and a live performance status.
- The compliance evidence falls out of the first line doing the work, not a separate exercise.
MODULE: CORE
Most platforms sit beside the work. These four layers sit inside it. Define the work, organise it, learn from what fails, keep the conduct commitments organised. One foundation underneath all four.
LAYER 04
The conduct layer.
Track the deadlines. Log the hospitality. Manage the conflicts.
- The regulators treat conduct gaps as evidence of a firm that manages compliance periodically, not continuously.
- Regulators ask three things: who logged it, when, and what decision was taken.
- All three are answerable in one view, connected to the same foundation as every other module.
MODULE: Reporting Calendar + G&H + CoI
LAYER 03
The lessons-learnt layer.
Capture the failures. Map them to the broken controls. Learn as a firm, not as an exercise.
- Risk Incidents log at low friction, so every operator can report, not just the risk team.
- Each incident surfaces automatically on every connected control, risk, and indicator.
- Complaints carry the same architecture, plus DISP deadlines and Vulnerable Customer handling.
MODULE: Risk Incidents + Complaints
explore the modules
The modules where the work happens.
The platform is one connected operating model, not a suite of disconnected tools. Three layers sit above CORE. Each module connects back to the same foundation.
what the board sees
Every line in the board report traces back to operational reality.
When the operating layer is the same layer the compliance function reports from, the board report stops being a summary of representations and starts being a summary of what the firm actually did.
Controls and Actions
Structured instruction where work evidences itself.
Every attestation, every action closed, every indicator in threshold is recorded in CORE as the first line does the work. There is no separate compliance-reporting exercise. The board sees what the firm actually did last month, not a summary prepared from secondary sources.
Policy and Process
Intent connects to delivery effortlessly.
Policy 2.0 principles carry live operational status. Process Mapper activities carry the controls assigned to them. The board can see, for any policy commitment, whether the controls that evidence it are performing. Intent and delivery are on the same screen.
Incidents and Conduct
Failures drive learning, not filing.
Risk Incidents, Complaints, and the three conduct registers all write back to the same RCIA entities. The pattern behind recurring failures is visible before the auditor arrives. The board paper shows what the firm learned and what it changed, not just what went wrong.

the Category
GRC was built for the reviewer. RiskOps is built for the doer.
GRC was built around the risk register and the second-line function that owns it. A tool designed for the reviewer cannot also be designed for the doer. The architectures contradict each other.
RiskOps is risk run as an operational discipline: first-line led, evidence-led, continuous. DevOps replaced waterfall IT. RevOps replaced siloed sales operations. RiskOps replaces second-line GRC for regulated firms that have outgrown it. Context Visualised is the first and defining RiskOps platform for regulated firms.