Stop reporting risk. Start quantifying it. AIQ Suite translates ICT and operational risk into board-ready capital impact percentages — governed by a structured workflow built for DORA, NIS2, and Basel III environments.
Early access currently prioritised for banks, financial institutions, and regulated organisations.
Each module can be deployed independently or together as AIQ Suite. Both share the same AI engine, governance workflow, reporting infrastructure, and organisational data.
Quantifies ICT and cyber risk through FAIR methodology applied to ICT assets and threat scenarios. Produces capital impact percentages aligned with DORA ICT risk assessment requirements and NIS2 obligations.
Quantifies operational risk using FAIR methodology applied to business processes and Basel Event Type scenarios. Supports Advanced Measurement Approach (AMA) scenario analysis endorsed by ECB internal model guidance.
Qualitative risk matrices leave organisations indefensible under regulatory scrutiny. Capital, compliance, and accountability demand a different language — for both Cyber and Operational Risk.
FAIR methodology inputs processed through 10,000-run Monte Carlo simulation — for both ICT scenarios (CyberRisk AIQ) and Basel Event Type scenarios (OpRisk AIQ). Multiplicative control reduction model ensures realistic compounding. Outputs include Expected Loss, P50/P90/P95 confidence intervals, Loss Exceedance Curve, and capital impact percentage.
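The simulation described above, sketched as an added example; it is not AIQ Suite's code. Assumptions: triangular input ranges, Poisson event counts, controls scaling loss event frequency, and capital impact taken as P95 annual loss over capital; every input value is constructed.

```python
import math
import random

def residual_factor(effectiveness):
    """Multiplicative reduction: each control removes a share of what is left."""
    factor = 1.0
    for e in effectiveness:
        factor *= 1.0 - e
    return factor

def poisson(rng, lam):
    """Knuth's sampler; adequate for the small annual frequencies used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(tef, vuln, loss, controls=(), runs=10_000, seed=7):
    """tef, vuln, loss are (low, mode, high) triples; returns sorted annual losses."""
    rng = random.Random(seed)
    tri = lambda low, mode, high: rng.triangular(low, high, mode)
    factor = residual_factor(controls)  # assumption: controls scale event frequency
    annual = []
    for _ in range(runs):
        lef = tri(*tef) * tri(*vuln) * factor  # loss events per year
        annual.append(sum(tri(*loss) for _ in range(poisson(rng, lef))))
    return sorted(annual)

def percentile(sorted_losses, p):
    return sorted_losses[min(len(sorted_losses) - 1, int(len(sorted_losses) * p / 100))]

def exceedance(sorted_losses, thresholds):
    """Loss Exceedance Curve points: P(annual loss > threshold)."""
    return [sum(x > t for x in sorted_losses) / len(sorted_losses) for t in thresholds]

def summary(sorted_losses, capital):
    el = sum(sorted_losses) / len(sorted_losses)
    p50, p90, p95 = (percentile(sorted_losses, p) for p in (50, 90, 95))
    return {"EL": el, "P50": p50, "P90": p90, "P95": p95,
            "capital_impact_pct": 100 * p95 / capital}  # assumption: P95 over capital

# Constructed inputs (not from the page): ransomware against a core banking system
TEF, VULN, LOSS = (0.5, 2, 6), (0.1, 0.3, 0.6), (200_000, 1_500_000, 8_000_000)
CAPITAL, CONTROLS = 250_000_000, {"MFA": 0.5, "EDR": 0.4}  # hypothetical fractions

if __name__ == "__main__":
    print(summary(simulate(TEF, VULN, LOSS), CAPITAL))
    print(summary(simulate(TEF, VULN, LOSS, CONTROLS.values()), CAPITAL))
```

Two controls rated 50% and 40% effective leave 30% of the inherent event frequency, not 10%, which is the compounding behaviour the multiplicative model is meant to capture.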
Anthropic Claude AI delivers analysis calibrated to your sector, capital base, and jurisdiction. A bank in Montenegro receives CBCG-framed guidance. A bank in Croatia receives DORA and HNB context. A public body in Germany receives NIS2 and BSI framing. 44 European jurisdictions mapped — regulatory references serve as context and benchmark, never a compliance checklist.
End-to-end accountability from analyst assessment to board escalation. 1LoD: Analyst + ICT Custodian + Business Owner. 2LoD: CISO — methodological review and action plan oversight. Full audit trail, structured rework flow, BO Decision Guidance with ROI flags, Tier 1 DORA escalation banner. One workflow engine built around the governance model regulators expect.
A structured governance workflow — shared across both modules — that converts qualitative threat intelligence into quantified, auditable risk decisions.
For Cyber: selects ICT asset with risk intelligence tags, assigns threat scenario with editable description and threat actor, inputs FAIR parameters. For OR: selects business process with asset dependencies, assigns Basel Event Type scenario. AI suggests calibrated FAIR ranges for both.
For Cyber: ICT Custodian rates existing controls from ISO 27002, NIST CSF 2.0, and CIS Controls v8 on a 0–5 scale, with bulk multi-select and duplicate detection. For OR: Risk Coordinator rates process control effectiveness. Platform calculates residual risk reduction.
For Cyber: CISO validates ICT risk methodology, reviews analyst's treatment recommendation and business risk narrative, and adds their own commentary. For OR: Operational Risk Manager performs the equivalent review. Both act as second-line quality gates before the business decision stage.
With AI analysis, analyst recommendation, and CISO/Operational Risk Manager commentary all visible, the risk owner accepts, mitigates, transfers, or avoids the risk. For OR: Process Owner holds formal accountability. Risks exceeding mandate trigger Board escalation.
Treatment decisions generate structured action plans. ICT Custodian adds controls from the framework library, AI suggestions, or custom entries — with improvement opportunities for existing under-performing controls. All tracked in a unified central view.
Prepares quantitative risk assessments end-to-end for both ICT and operational risk domains.
Provides technical input on control effectiveness and builds the action plan control set.
Second-line methodological review and quality gate — reviews analyst recommendation and narrative before BO decision.
Risk owner making the formal treatment decision with full AI and human context available.
Maintains the ICT asset registry — creation, tagging, business owner assignment, decommissioning.
Platform configuration, module activation, and governance setup.
Not generic advice. Every AI output is contextualised to your organisation's type, capital base, regulatory obligations, and jurisdiction — whether it's a DORA-scope bank in Croatia or a public authority in Montenegro.
Suggests TEF and Vulnerability ranges calibrated to ICT asset criticality and threat actor profiles (Cyber), or to business process type and Basel Event Type category (OR). Confidence levels and value bands signal where human judgement is most needed.
44 European jurisdictions mapped. AI analysis references the frameworks actually applicable to your organisation — CBCG for Montenegrin banks, DORA and HNB for Croatian institutions, NBS for Serbian entities. Regulatory references provide context and benchmark, never a compliance checklist.
Deterministic treatment recommendation at temperature=0, anchored to your 4-tier capital impact framework. Tier thresholds configured per tenant. Tier 1 risks trigger Management Board escalation guidance aligned with DORA Article 5 requirements.
AI generates a structured analyst assessment using regulatory benchmarks and industry context — editable in a rich text editor. The analyst reviews, refines, and saves. What reaches the CISO and Board carries human accountability, not raw AI output.
Use Anthropic Claude (default), Azure OpenAI, or standard OpenAI. Provider configured per tenant in Admin Panel. Master AI switch enables full manual operation when AI is not required or available.
Purpose-built for European regulated organisations — combining capabilities that are typically available only separately, at enterprise price points, or not at all.
Most quantification tools are calculators — they produce a number but leave coordination to email and spreadsheets. AIQ Suite embeds the complete governance workflow: analyst preparation, ICT/process control rating, CISO review, business owner decision, action plan, and approval — all in one platform, with full audit trail.
Cyber risk and operational risk are typically managed in separate silos. AIQ Suite quantifies both on the same capital basis — same assets, same users, same reporting infrastructure, same executive dashboard. A bank sees its ransomware risk and its settlement error risk side-by-side as capital impact percentages.
All major quantification platforms originate in North America. AIQ Suite is designed from the ground up for European regulatory requirements — DORA, NIS2, Basel III, EBA Guidelines, and 44 national jurisdictions including local regulators (CBCG, NBS, HNB, BaFin, FMA, FINMA). Not an afterthought — the architecture.
Every input, every control rating, every Monte Carlo output is visible and auditable. FAIR inputs, loss components, control reduction calculations, capital impact formula — all accessible for regulatory review. No black box. Designed to withstand supervisory scrutiny under DORA Article 6 and EBA internal model requirements.
FAIR methodology typically requires specialist training or external consultants. AIQ Suite makes FAIR accessible to any risk analyst through AI-assisted calibration, scenario context panels, industry benchmark guidance, and structured workflow. Expertise is embedded in the platform — not a prerequisite for using it.
See how your organisation's capital impact compares to sector peers. Benchmark data sourced from Verizon DBIR, ENISA Threat Landscape, IBM X-Force, and Ponemon Institute — by organisation type, sector, and company size. Gives CISO and board concrete context: are we above or below industry average for this risk?
AIQ Suite structurally aligns internal risk governance with external auditing demands across major regulatory frameworks — through two purpose-built modules.
Both CyberRisk AIQ and OpRisk AIQ are live. Intelligence, enterprise, and scale features are in active development.
A simplified scenario — Core Banking System under ransomware threat — quantified through FAIR methodology and 10,000 Monte Carlo runs.
See how MFA + EDR reduce capital impact
This is a simplified scenario. See your organisation's real risk profile with actual assets and controls.
Request early access and we'll show you how AIQ Suite quantifies your Cyber and Operational Risk in terms your board and regulators can act on.