The Shift Toward Connected Risk Management: RiskSmart’s View of Modern ERM (The Demo Room #16)

  • Writer: Michael Lawrence
  • 10 hours ago
The Demo Room Episode 16: Front Cover Design Featuring Ryan Swann and RiskSmart

Welcome to The Demo Room – your front-row seat to the future of RegTech, RiskTech, and AI innovation. 

In this series, we document our research interviews with the most forward-thinking vendors tackling the industry's biggest challenges. Each blog is built around a comprehensive product demo, providing clear insights into how these innovations address industry challenges.


On this occasion, we spoke with Ryan Swann, Co-founder of RiskSmart, a connected enterprise risk management platform built for organisations that have outgrown spreadsheets, fragmented workflows and legacy GRC complexity.

Resilience has become one of the defining risk and compliance themes of the next market cycle. Firms are operating in a more complex risk environment, where technology dependencies, third-party exposure, operational resilience, regulatory obligations, internal controls and AI governance increasingly overlap.


A disruption in one part of the business rarely remains contained. A third-party outage can become a customer harm issue. A weak control can become a regulatory exposure. An AI governance gap can become a data, conduct, resilience and accountability problem at the same time.


A number of high-profile failures have made these risks tangible, and regulators are responding.


79% of organisations feel ill-equipped to comply with new operational resilience regulations, and only 20% of executives believe their firms are fully prepared to prevent or respond to outages.


This gap is especially visible in Europe, where DORA, NIS2 and the CER Directive are already in force. It is also telling that Europe is the most mature region for RegTech adoption in IT Security, and the lowest for resilience. Firms have historically prioritised investment in security, where threats are clearer, controls are more defined, and outcomes are easier to measure. Resilience, by comparison, is outcome-based and cross-functional, making it more complex to implement and scale.


RegTech Adoption heat map across global regions
Source: The Global State of RegTech 2026 (Page 47: Resilience Deep Dive)

Regulation is only part of the story. Risk and compliance functions often hold one of the most complete views of the business. They see products, processes, controls, customers, suppliers, incidents, obligations and emerging threats. With better technology, that position can help the function advise the business on which risks to take, how to take them, and how to scale safely.


“Risk is about decisions and data.” – Ryan Swann, Co-founder, RiskSmart


The practical challenge is to understand how risks connect, how they move through the organisation, and which decisions they should inform.


The Problem for Firms

For many firms, enterprise risk management is still held together by manual processes. 80% of compliance teams still rely on some amount of manual processes, while legacy-system spend is projected to rise from $36.7bn in 2022 to $57.1bn by 2028. 


This matters because resilience depends on connection. Risks need to be linked to controls, actions, incidents, regulatory obligations, third parties and strategic objectives. If those relationships sit across spreadsheets, emails and disconnected tools, risk teams struggle to see how one weakness affects the wider business.


This damages decision-making. If controls are not connected to multiple risks, assurance work is repeated. If obligations are not linked to controls and actions, compliance becomes harder to evidence. And if first-line owners cannot easily see what they own, risk remains trapped in the second line.


“Most risk managers, most risk teams don’t want to be doing the admin, they don’t want to be doing the reporting. They want to be getting out there understanding the business.” – Ryan Swann, Co-founder, RiskSmart


There is also a cultural problem. Firms want stronger risk ownership, but the tools they use often make risk feel technical and siloed. Risk language does not always translate into business language. Static registers rarely show why a risk matters. First-line teams disengage when risk management feels like a periodic compliance exercise rather than part of how decisions are made.


Boards want a better risk culture. Risk teams want more forward-looking insight. First-line teams need clearer ownership. Without a connected system, those objectives are hard to put into practice.


A Solution: RiskSmart’s Connected Risk Platform

RiskSmart links risks, controls, actions, indicators, obligations, policies and related records in one environment. The platform is particularly suited to small and mid-market regulated organisations that need more structure than spreadsheets can provide, but do not want the burden of a large enterprise GRC implementation.


1. A connected model

RiskSmart moves firms away from one-dimensional registers.


In the platform, risks can be connected to controls, actions, obligations, policies, indicators, strategic objectives, departments and themes. A single control can mitigate several risks. A risk can be linked to multiple obligations and actions. Tags can then be used to create views across areas such as operational resilience, security, regulatory compliance or strategic objectives.


This changes the questions a firm can ask. Instead of asking whether a risk has been updated, the firm can ask which controls are failing across a theme, which actions are overdue against a strategic objective, or which obligations are connected to weak residual risk.


Over time, the register starts to act more like a model of the business.


2. Dashboards that make risk data usable

RiskSmart’s reporting layer is visual and configurable. Users can build dashboards with drag-and-drop widgets, create custom views, filter by data fields and share dashboards with relevant stakeholders.


Different users need different views of the same data. A CRO may want aggregate risk exposure and trend analysis. A head of risk may want control effectiveness and overdue actions. A risk analyst may need workflow detail. A first-line owner may only need the risks, actions and controls assigned to them.


The value is practical. Risk data becomes easier to understand and easier to use. That supports risk culture because the first line can see what it owns, why it matters and what needs to happen next.


3. Workflow automation that reduces admin

RiskSmart automates recurring risk management tasks such as notifications, approvals, action tracking, scheduled assessments, periodic reviews and policy updates.


A recurring risk assessment no longer requires someone to chase dozens of business owners by email. Actions can be assigned, tracked and evidenced inside the platform. Approvals and updates can be routed through the system rather than maintained in parallel spreadsheets.


This gives risk teams more time to interpret information and engage with the business. It also brings more consistency to the framework, because ownership and cadence are reinforced by the system.


4. Automation that fits the firm’s maturity

RiskSmart supports structured assessment of inherent and residual risk, with the option to automate elements of residual scoring based on control performance.


That flexibility matters because firms are at different stages of maturity. Some still need manual scoring while they build out their risk and control environment. Others are ready to use control effectiveness to inform residual risk more directly.


RiskSmart allows firms to move along that maturity curve. Many mid-market firms do not need a multi-year transformation programme. They need a practical starting point that can expand as the framework improves.


5. AI assistance with a narrow, useful role

RiskSmart’s AI capabilities focus on practical tasks: suggesting risks and controls, supporting drafting, improving wording and helping users create content more efficiently. The roadmap includes custom prompts, navigation support, suggested actions and further workflow assistance.


This is a sensible posture for ERM. The most valuable AI in risk management is often the AI that helps the professional work faster and with more consistency, while leaving judgement and accountability with the user.


“We’re building the risk manager on your shoulder, not a complete automation.” – Jamie Allan, Account Executive, RiskSmart


RiskSmart’s AI is positioned as a support layer for risk professionals, with accuracy and usability taking priority over expansive automation.


Parker & Lawrence’s View

RiskSmart is strongest in a familiar but underserved part of the market: firms that have outgrown spreadsheets but do not need a heavy enterprise GRC programme.


The product makes enterprise risk management more usable across the business. That matters because even deep functionality can fail if the first line does not use it. RiskSmart’s design choices are shaped by the need to make ownership clearer and engagement easier.


The product also fits the broader direction of the resilience market. Operational resilience, third-party risk, internal controls, AI governance and enterprise risk management are becoming harder to manage separately. Firms need to see how controls, incidents, obligations and actions connect. They need reporting that reflects the business as it operates.


RiskSmart has already shown the value of this approach. Comparitec, a FinTech constrained by limited internal resources and spreadsheet-based processes, used RiskSmart’s Risk & Control and Compliance modules to centralise risk activity, improve process consistency and automate key compliance workflows. The firm saved 25 hours per month and made it easier to evidence compliance to auditors.


The time saving is only part of the story. Risk teams that spend less time maintaining spreadsheets can spend more time understanding the business, challenging decisions, supporting first-line ownership and giving management a better view of risk.


Risk culture still needs leadership, clear ownership and a defined framework. Technology cannot create those conditions on its own. RiskSmart lowers the operational burden of getting there. It gives firms a practical route from fragmented risk administration toward connected, decision-useful risk management.

