Why fragmented ERM is costing firms more than they think

Welcome to The Demo Room – your front-row seat to the future of RegTech, RiskTech, and AI innovation. 

In this series, Parker & Lawrence Research documents its research interviews with the most forward-thinking vendors tackling the industry’s biggest challenges. Each blog is built around a comprehensive product demo, providing clear insights into how these innovations address industry challenges.

On this occasion, the company spoke with Ryan Swann, Co-founder of RiskSmart, a connected enterprise risk management platform built for organisations that have outgrown spreadsheets, fragmented workflows and legacy GRC complexity.

Resilience has emerged as one of the defining themes of the current risk and compliance cycle, and for good reason. Firms are navigating an increasingly tangled risk landscape in which technology dependencies, third-party exposure, operational resilience, regulatory obligations, internal controls and AI governance no longer sit in isolation — they overlap, feed into one another, and amplify one another when things go wrong.

The consequences of this interconnection are difficult to contain. A third-party outage can quickly become a customer harm issue. A control weakness can escalate into a regulatory exposure. An AI governance gap can simultaneously create data, conduct, resilience and accountability problems. A disruption that begins in one corner of the business rarely stays there.

Regulators have taken note. With a string of high-profile failures making these risks impossible to ignore, 79% of organisations now report feeling ill-equipped to comply with new operational resilience regulations, and only 20% of executives believe their firms are genuinely prepared to prevent or respond to outages. The gap between regulatory expectation and operational reality is wide — and widening.

It is particularly visible in Europe, where DORA, NIS2 and the CER Directive are already in force. Paradoxically, Europe is simultaneously the most mature region for RegTech adoption in IT security and the least mature when it comes to resilience. The explanation is structural: firms have long prioritised investment in security, where threats are well-defined and outcomes are measurable. Resilience, by contrast, is outcome-based and cross-functional, making it far harder to implement and scale.

Yet regulation only tells part of the story. Risk and compliance functions typically hold one of the most complete views of the business — products, processes, controls, customers, suppliers, incidents, obligations and emerging threats. The potential, with the right technology, is for those functions to move from reactive reporting to genuinely advising the business on which risks to take, how to take them, and how to scale safely.

As RiskSmart co-founder Ryan Swann put it: “Risk is about decisions and data.”

The operational reality for most firms

For many regulated organisations, enterprise risk management (ERM) is still held together by manual processes. Some 80% of compliance teams continue to rely on manual workflows to some degree, while legacy-system spend is projected to rise from $36.7bn in 2022 to $57.1bn by 2028 — a trajectory that points to the scale of the problem rather than its resolution.

The deeper issue is that resilience depends on connection. Risks must be linked to controls, actions, incidents, regulatory obligations, third parties and strategic objectives. When those relationships are spread across spreadsheets, email chains and disconnected tools, risk teams lose the ability to see how one weakness affects the wider business.

The damage to decision-making is real. Controls that are not mapped to multiple risks lead to repeated assurance work. Obligations that are not linked to controls and actions make compliance harder to evidence. First-line owners who cannot easily see what they own leave risk trapped in the second line rather than embedded in the business.

RiskSmart co-founder Ryan Swann said, “Most risk managers, most risk teams don’t want to be doing the admin, they don’t want to be doing the reporting. They want to be getting out there understanding the business.”

There is also a cultural dimension. Firms increasingly want stronger risk ownership, but the tools they provide often make risk feel technical and remote. Risk language fails to translate into business language. Static registers rarely communicate why a risk actually matters. First-line teams disengage when risk management feels like a periodic compliance exercise rather than something embedded in how everyday decisions are made. Boards want better risk culture; risk teams want forward-looking insight; first-line teams need clarity on ownership. Without a connected system, those objectives remain aspirational.

RiskSmart’s connected risk platform

RiskSmart’s response to these challenges is a platform that links risks, controls, actions, indicators, obligations, policies and related records within a single environment. The solution is aimed primarily at small and mid-market regulated organisations that have outgrown spreadsheets but do not need the cost and complexity of a large enterprise GRC implementation.

At its core, the platform replaces one-dimensional risk registers with a genuinely connected model. Risks can be linked to controls, actions, obligations, policies, indicators, strategic objectives, departments and themes. A single control can mitigate several risks; a risk can be tied to multiple obligations and actions. Tags create cross-cutting views across operational resilience, security, regulatory compliance or strategic priorities. The result is a shift in the questions a risk function can ask — from whether a risk has been updated, to which controls are failing across a theme, which actions are overdue against a strategic objective, or which obligations sit against weak residual risk. Over time, the register begins to function less like an administrative record and more like a working model of the business.

Reporting is visual and configurable. Users build dashboards using drag-and-drop widgets, create custom views, filter by data fields and share outputs with the right stakeholders. A chief risk officer may want aggregate exposure and trend analysis; a head of risk may focus on control effectiveness and overdue actions; a risk analyst may need workflow detail; a first-line owner may only need to see their own assigned risks, actions and controls. Making that data accessible to each audience supports risk culture in a practical way — the first line can see what it owns, why it matters, and what needs to happen next.

Workflow automation removes much of the administrative burden that consumes risk team capacity. Recurring assessments, notifications, approvals, action tracking and policy reviews can all be managed within the platform rather than chased by email and maintained in parallel spreadsheets. The consistency this brings to the framework is itself a governance benefit, as ownership and review cadence become reinforced by the system rather than dependent on individual effort.

The platform supports structured assessment of inherent and residual risk, with the option to automate elements of residual scoring based on control performance. That flexibility matters: firms at different stages of maturity need different approaches. Some still require manual scoring while their risk and control environment matures; others are ready for control effectiveness to feed more directly into residual risk. RiskSmart allows firms to move along that curve without requiring a multi-year transformation programme.
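The two ideas above, a register in which controls, obligations, actions and tags are linked many-to-many, and residual risk that is derived from control effectiveness, can be shown in a few dozen lines. The following is an added illustration written for this page, not RiskSmart's code or data model; the entity names, the sample records and the scoring rule (each linked control independently reduces inherent exposure by its effectiveness, so residual = inherent × Π(1 − e_i)) are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


@dataclass
class Control:
    cid: str
    name: str
    effectiveness: float  # 0.0 = failing, 1.0 = fully effective (from last test)


@dataclass
class Action:
    aid: str
    description: str
    due: date
    objective: str  # strategic objective the action supports
    done: bool = False


@dataclass
class Risk:
    rid: str
    name: str
    inherent: int  # likelihood x impact on a 5x5 matrix, so 1..25
    controls: Set[str] = field(default_factory=set)
    obligations: Set[str] = field(default_factory=set)
    actions: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)


class RiskRegister:
    """Connected register: risks link to controls, obligations, actions and tags."""

    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.controls: Dict[str, Control] = {}
        self.actions: Dict[str, Action] = {}

    def add_risk(self, risk: Risk) -> None:
        self.risks[risk.rid] = risk

    def add_control(self, control: Control) -> None:
        self.controls[control.cid] = control

    def add_action(self, action: Action) -> None:
        self.actions[action.aid] = action

    def residual_score(self, rid: str) -> float:
        # Assumed rule: residual = inherent * prod(1 - effectiveness of each linked control).
        # A risk with no linked controls keeps its full inherent score.
        risk = self.risks[rid]
        residual = float(risk.inherent)
        for cid in risk.controls:
            residual *= 1.0 - self.controls[cid].effectiveness
        return round(residual, 2)

    def risks_mitigated_by(self, cid: str) -> List[str]:
        # One control can mitigate several risks; this is the reverse lookup.
        return sorted(r.rid for r in self.risks.values() if cid in r.controls)

    def failing_controls_for_tag(self, tag: str, threshold: float = 0.5) -> List[str]:
        # "Which controls are failing across a theme?": collect controls linked to any
        # risk carrying the tag, then keep those below the effectiveness threshold.
        linked = {c for r in self.risks.values() if tag in r.tags for c in r.controls}
        return sorted(c for c in linked if self.controls[c].effectiveness < threshold)

    def overdue_actions_for_objective(self, objective: str, today: date) -> List[str]:
        # "Which actions are overdue against a strategic objective?"
        return sorted(a.aid for a in self.actions.values()
                      if a.objective == objective and not a.done and a.due < today)

    def obligations_with_weak_residual(self, threshold: float = 10.0) -> Dict[str, List[str]]:
        # "Which obligations sit against weak residual risk?": obligation -> risk ids.
        out: Dict[str, List[str]] = {}
        for r in self.risks.values():
            if self.residual_score(r.rid) >= threshold:
                for ob in r.obligations:
                    out.setdefault(ob, []).append(r.rid)
        return {k: sorted(v) for k, v in sorted(out.items())}


def build_sample_register() -> RiskRegister:
    # Constructed sample data for the example; not taken from any real register.
    reg = RiskRegister()
    reg.add_control(Control("C1", "Third-party due diligence", 0.8))
    reg.add_control(Control("C2", "Backup and restore testing", 0.3))
    reg.add_control(Control("C3", "Access review", 0.6))
    reg.add_action(Action("A1", "Re-run restore test", date(2025, 1, 31), "resilience"))
    reg.add_action(Action("A2", "Document handover plan", date(2025, 6, 30), "growth"))
    reg.add_risk(Risk("R1", "Critical supplier outage", 20, {"C1", "C2"},
                      {"DORA third-party risk"}, {"A1"}, {"operational-resilience", "third-party"}))
    reg.add_risk(Risk("R2", "Loss of customer data", 16, {"C2"},
                      {"Data security"}, set(), {"operational-resilience", "security"}))
    reg.add_risk(Risk("R3", "Key person dependency", 12, {"C3"},
                      {"Senior manager accountability"}, {"A2"}, {"strategic"}))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for rid in reg.risks:
        print(rid, "residual:", reg.residual_score(rid))
    print("failing controls, operational-resilience:", reg.failing_controls_for_tag("operational-resilience"))
    print("overdue resilience actions:", reg.overdue_actions_for_objective("resilience", date(2025, 3, 1)))
    print("obligations against weak residual:", reg.obligations_with_weak_residual())
```

Because the control C2 is linked to both R1 and R2, a single failed restore test surfaces in the third-party theme, the security theme and the "Data security" obligation at once; that cross-visibility, rather than the arithmetic, is the point the paragraph makes about a connected register as opposed to a flat one.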

On AI, the platform takes a deliberately measured approach. Capabilities focus on practical tasks — suggesting risks and controls, supporting drafting, improving wording and helping users create content more efficiently. The roadmap includes custom prompts, navigation support and further workflow assistance.

RiskSmart account executive Jamie Allan said, “We’re building the risk manager on your shoulder, not a complete automation.”

It is a sensible posture for ERM. The most valuable AI in risk management typically helps professionals work faster and with more consistency while keeping judgement and accountability with the user.

From spreadsheets to strategic risk management

RiskSmart’s proposition is clearest in a familiar but underserved segment: firms that have outgrown spreadsheets but have no appetite for the overhead of a full enterprise GRC programme. By making ERM more usable across the business — particularly for first-line owners — the platform addresses one of the most persistent failure points in risk frameworks: adoption.

The product also aligns with where the resilience market is heading. Operational resilience, third-party risk, internal controls, AI governance and enterprise risk management are becoming progressively harder to manage as separate disciplines. Firms need to see how controls, incidents, obligations and actions connect, and they need reporting that reflects how the business actually operates rather than how it is organised on an org chart.

The practical value is already demonstrable. Comparitec, a FinTech constrained by limited internal resources and spreadsheet-based processes, used RiskSmart’s Risk & Control and Compliance modules to centralise risk activity, improve process consistency and automate key compliance workflows. The firm saved 25 hours per month and made it significantly easier to evidence compliance to auditors.

But the time saving is only the starting point. Risk teams that spend less time maintaining spreadsheets can spend more time understanding the business, challenging decisions and supporting first-line ownership. That shift — from risk administration to risk intelligence — is what gives management a genuinely useful view of exposure.

Risk culture still requires leadership, clear ownership and a defined framework. Technology cannot manufacture those conditions. What RiskSmart offers is a practical route from fragmented risk administration toward connected, decision-useful risk management — one that lowers the operational burden of getting there without requiring firms to overhaul everything at once.

Read the original post from Parker & Lawrence Research here. 

Copyright © 2026 FinTech Global
