AIQ Suite translates ICT, operational, and third-party provider risk into board-ready capital impact, concentration exposure, and regulatory evidence — through one governed platform built for European financial-sector operational resilience.
Early access currently prioritised for banks, financial institutions, and regulated organisations.
Each module can be deployed independently or together as AIQ Suite. All three share the same governance workflow, organisational data, AI infrastructure, reporting layer, audit trail, and capital-impact logic — giving banks one consistent view of ICT risk, operational risk, and third-party dependency risk.
Quantifies ICT and cyber risk through FAIR-based methodology applied to ICT assets, threat scenarios, control effectiveness, and loss components. Produces board-ready capital impact metrics aligned with DORA ICT risk management and NIS2 expectations.
Quantifies operational risk through FAIR-based scenario analysis applied to business processes, Basel III Event Type categories, internal loss data, and process controls. Supports RCSA, ICAAP narrative, management reporting, and operational risk capital impact analysis.
Manages ICT third-party provider risk across the full DORA lifecycle: provider registry, ICT services, contracts, critical or important functions, exit strategies, subcontracting, dependency mapping, concentration risk, data quality, and Register of Information export.
Qualitative risk matrices, scattered vendor registers, and manual outsourcing spreadsheets are no longer defensible under DORA, NIS2, and Basel III. Banks need a single governed view of risk, capital impact, third-party dependency, and regulatory evidence.
FAIR-based inputs processed through 10,000-run Monte Carlo simulation — for ICT scenarios (CyberRisk AIQ), Basel Event Type scenarios (OpRisk AIQ), and third-party provider exposure portfolios (TPPRisk AIQ). Multiplicative control reduction model ensures realistic compounding. Outputs include Expected Loss, P50/P90/P95 confidence intervals, Loss Exceedance Curve, and capital impact percentage.
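The simulation described above, sketched as an added example that is not AIQ Suite's own code. The triangular input distributions, the mapping from a 0-5 rating to a control effect, applying the reduction to vulnerability, and capital impact as P95 over capital base are all assumptions; the input figures are constructed.

```python
import math
import random

RUNS = 10_000  # run count stated on the page

def control_reduction(ratings, max_effect=0.5):
    """Compound 0-5 ratings multiplicatively; the rating-to-effect map is assumed."""
    remaining = 1.0
    for rating in ratings:
        remaining *= 1.0 - max_effect * rating / 5  # each control leaves a share
    return 1.0 - remaining

def simulate(tef, vuln, magnitude, ratings=(), runs=RUNS, seed=1):
    """Sorted annual losses; tef, vuln, magnitude are (min, mode, max) triples."""
    rng = random.Random(seed)  # seeded so a run can be reproduced for audit
    keep = 1.0 - control_reduction(ratings)
    losses = []
    for _ in range(runs):
        attempts = round(rng.triangular(tef[0], tef[2], tef[1]))
        p_loss = rng.triangular(vuln[0], vuln[2], vuln[1]) * keep
        events = sum(rng.random() < p_loss for _ in range(attempts))
        losses.append(sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                          for _ in range(events)))
    return sorted(losses)

def percentile(sorted_losses, p):
    """Nearest-rank percentile of an ascending list."""
    rank = max(1, math.ceil(p / 100 * len(sorted_losses)))
    return sorted_losses[rank - 1]

def exceedance(sorted_losses, threshold):
    """One point on the Loss Exceedance Curve: P(annual loss >= threshold)."""
    return sum(x >= threshold for x in sorted_losses) / len(sorted_losses)

def summarise(sorted_losses, capital_base):
    """Expected Loss, P50/P90/P95 and capital impact % (assumed: P95 / capital)."""
    p50, p90, p95 = (percentile(sorted_losses, p) for p in (50, 90, 95))
    return {
        "expected_loss": sum(sorted_losses) / len(sorted_losses),
        "p50": p50, "p90": p90, "p95": p95,
        "capital_impact_pct": 100 * p95 / capital_base,
    }

if __name__ == "__main__":
    # Constructed scenario: attempts per year, success probability, loss in EUR.
    tef, vuln, mag = (2, 6, 12), (0.1, 0.3, 0.5), (50_000, 200_000, 1_000_000)
    for label, ratings in (("inherent", ()), ("residual", (4, 4))):
        print(label, summarise(simulate(tef, vuln, mag, ratings), 50_000_000))
```

Because the reductions multiply rather than add, any number of controls leaves the combined reduction below 100%.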
Maps ICT providers to services, contracts, critical functions, internal assets, and quantified exposure. Identifies single-provider concentration, substitutability gaps, missing exit strategies, and group-level vendor dependencies. Generates DORA Register of Information aligned with EBA ITS templates and Commission Implementing Regulation 2024/2956.
Anthropic Claude AI delivers analysis calibrated to your sector, capital base, and jurisdiction. A bank in Montenegro receives CBCG-framed guidance. A bank in Croatia receives DORA and HNB context. A public body in Germany receives NIS2 and BSI framing. 44 European jurisdictions mapped — regulatory references serve as context and benchmark, never a compliance checklist.
End-to-end accountability from analyst assessment to board escalation, across all three modules. 1LoD: Analyst + ICT Custodian / Risk Coordinator / Vendor Manager. 2LoD: CISO + OR Manager + CRO. Full audit trail, structured rework flow, Business Owner (BO) Decision Guidance, Tier 1 DORA escalation, signed Register of Information (RoI) snapshots. One workflow engine across CR, OR, and TPP.
Two parallel governance flows — quantified risk for CR + OR scenarios, third-party risk for the provider lifecycle — converging in board-ready capital impact and regulator-ready submission evidence.
For Cyber: selects ICT asset with risk intelligence tags, assigns threat scenario with editable description and threat actor, inputs FAIR parameters. For OR: selects business process with asset dependencies, assigns Basel Event Type scenario. AI suggests calibrated FAIR ranges for both.
For Cyber: ICT Custodian rates existing controls from ISO 27002, NIST CSF 2.0, and CIS Controls v8 on a 0–5 scale, with bulk multi-select and duplicate detection. For OR: Risk Coordinator rates process control effectiveness. Platform calculates residual risk reduction.
For Cyber: CISO validates ICT risk methodology, reviews analyst's treatment recommendation and business risk narrative, and adds their own commentary. For OR: Operational Risk Manager performs the equivalent review. Both act as second-line quality gates before the business decision stage.
With AI analysis, analyst recommendation, and CISO/Operational Risk Manager commentary all visible, the risk owner accepts, mitigates, transfers, or avoids the risk. For OR: Process Owner holds formal accountability. Risks exceeding mandate trigger Board escalation.
Treatment decisions generate structured action plans. ICT Custodian adds controls from the framework library, AI suggestions, or custom entries — with improvement opportunities for existing under-performing controls. All tracked in a unified central view.
Entry into the provider portfolio with EBA ITS B_05.01-aligned data — provider identity, ICT services delivered (closed-list service types), contracts with CIF/non-CIF classification, and supply-chain links. Foundation of the Register of Information.
5-step CIF wizard (Critical or Important Function) — materiality, substitutability, geography, outsourcing depth, and testing — produces a defensible CIF determination per contract. Vendor Manager prepares; CISO/CRO governance reviews.
The platform surfaces concentration exposure: single-provider P95, UNION P95 across the portfolio, diversification benefit, and supply-chain dependencies (B_03.03) including intra-group ICT services (B_03.02). Concentration hot-spots become visible, not hidden in spreadsheets.
HIGH/MEDIUM/LOW data quality bands per provider, with actionable drill-down to specific gaps. Validation gates check Register of Information completeness against the EBA ITS template set before any submission can proceed.
CRO reviews concentration risk, approves the snapshot, and freezes it. The platform generates a signed-ZIP submission package per Commission Implementing Regulation 2024/2956 — ready for the competent authority. Full audit trail preserved.
From provider inventory to regulator-ready Register of Information submission.
Prepares quantitative risk assessments end-to-end for both ICT and operational risk domains.
Provides technical input on control effectiveness and builds the action plan control set.
Second-line methodological review and quality gate — reviews analyst recommendation and narrative before BO decision.
Risk owner making the formal treatment decision with full AI and human context available.
Maintains the registry of organisational assets — ICT assets (Cyber) or business processes (OR) — including ownership assignment, tagging, and dependency mapping.
Maintains ICT provider, service, contract, and dependency records. Coordinates CIF assessments and data quality remediation across the provider portfolio.
Approves critical third-party risk outputs, concentration analysis, and frozen RoI snapshots before regulatory export. Methodological gate aligned with Group CRO mandate.
Platform configuration, module activation, and governance setup.
Group-level oversight across subsidiaries: consolidated CR + OR + TPP exposure, cross-entity provider concentration, group-level RoI readiness. Single accountability layer above per-entity governance.
Not generic advice. Every AI output is contextualised to your organisation's type, capital base, regulatory obligations, and jurisdiction — whether it's a DORA-scope bank in Croatia or a public authority in Montenegro.
Suggests TEF and Vulnerability ranges calibrated to ICT asset criticality and threat actor profiles (Cyber), or to business process type and Basel Event Type category (OR). Confidence levels and value bands signal where human judgement is most needed.
44 European jurisdictions mapped. AI analysis references the frameworks actually applicable to your organisation — CBCG for Montenegrin banks, DORA and HNB for Croatian institutions, NBS for Serbian entities. Regulatory references provide context and benchmark, never a compliance checklist.
Deterministic treatment recommendation at temperature=0, anchored to your 4-tier capital impact framework. Tier thresholds configured per tenant. Tier 1 risks trigger Management Board escalation guidance aligned with DORA Article 5 requirements.
AI generates a structured analyst assessment using regulatory benchmarks and industry context — editable in a rich text editor. The analyst reviews, refines, and saves. What reaches the CISO and Board carries human accountability, not raw AI output.
Use Anthropic Claude (default), Azure OpenAI, or standard OpenAI. Provider configured per tenant in Admin Panel. Master AI switch enables full manual operation when AI is not required or available.
AI supports review, calibration, and narrative drafting. Regulatory accountability — for capital impact decisions, CIF status, RoI submission, and treatment outcomes — remains with the institution and its accountable persons.
Purpose-built for European regulated organisations — combining capabilities that are typically available only separately, at enterprise price points, or not at all. Now including group-level risk intelligence for multi-entity organisations.
Most quantification tools are calculators — they produce a number but leave coordination to email and spreadsheets. AIQ Suite embeds the complete governance workflow: analyst preparation, ICT/process control rating, CISO review, business owner decision, action plan, and approval — all in one platform, with full audit trail.
Cyber risk, operational risk, and third-party risk are typically managed in separate silos — separate teams, separate tools, separate evidence. AIQ Suite unifies them: same assets, same users, same governance workflow, same audit trail, same capital basis. A bank sees its ransomware exposure, its settlement error exposure, and its cloud-hosting concentration side-by-side — and surfaces where the same provider supports multiple critical processes automatically.
All major quantification platforms originate in North America. AIQ Suite is designed from the ground up for European regulatory requirements — DORA, NIS2, Basel III, EBA Guidelines, and 44 national jurisdictions including local regulators (CBCG, NBS, HNB, BaFin, FMA, FINMA). Not an afterthought — the architecture.
Every input, every control rating, every Monte Carlo output is visible and auditable. FAIR inputs, loss components, control reduction calculations, capital impact formula — all accessible for regulatory review. No black box. Designed to withstand supervisory scrutiny under DORA Article 6 and EBA internal model requirements.
FAIR methodology typically requires specialist training or external consultants. AIQ Suite makes FAIR accessible to any risk analyst through AI-assisted calibration, scenario context panels, industry benchmark guidance, and structured workflow. Expertise is embedded in the platform — not a prerequisite for using it.
See how your organisation's capital impact compares to sector peers. Benchmark data sourced from Verizon DBIR, ENISA Threat Landscape, IBM X-Force, and Ponemon Institute — by organisation type, sector, and company size. Gives CISO and board concrete context: are we above or below industry average for this risk?
Most DORA TPP tools stop at registers and templates. Most risk quantification tools stop at scenarios and loss curves. AIQ Suite connects both: ICT providers, contracts, critical functions, internal assets, and quantified P95 exposure — so third-party risk is not just documented, but financially understood and regulator-submittable.
AIQ Suite doesn't treat third-party risk as a static vendor list. It maps providers to ICT services, critical functions, contracts, assets, and risk assessments — revealing where the institution is operationally dependent on a single provider, cloud region, subcontractor, or group-wide vendor relationship.
Most European risk platforms are SaaS-only — a hard constraint for banks under central bank requirements that restrict public cloud deployment of core risk data. AIQ Suite supports three deployment modes: full SaaS (EU data centres), on-premise (institution's own infrastructure), and operating holding (parent entity hosts subsidiaries). Tier-based RSA-signed JWT licensing works offline — no phone-home requirement. Banks meet regulatory data-residency expectations without compromising platform capability.
AIQ Suite structurally aligns internal risk governance with external auditing demands across major regulatory frameworks — through three purpose-built modules.
CyberRisk AIQ, OpRisk AIQ, TPPRisk AIQ, and the Enterprise Scale tier are all live. Multi-tenant, holding architecture, group risk intelligence, and DORA Register of Information are now in production.
Three modules. One defensible mathematical basis — FAIR Monte Carlo for cyber, Quantitative RCSA + FAIR Monte Carlo for operational risk, FAIR-based concentration analytics for third-party risk.
See how MFA + EDR reduce capital impact
Automated Reconciliation (4/5) + Real-time Validation (4/5) reduce capital impact by 56% — investment justified by risk reduction ROI of 6.2:1
Multi-region split + secondary provider arrangement reduces Cloud Hosting P95 to €3.6M (−57%); UNION P95 drops to €12.8M; CIF without exit strategy resolved.
Investment justified — concentration risk reduction ROI 4.8:1; submission timeline preserved.
Simplified scenarios. See your organisation's real risk profile with actual assets, processes, controls, and providers.
Request early access and we'll show you how AIQ Suite quantifies your Cyber and Operational Risk in terms your board and regulators can act on.