How RegAlign maps to the frameworks your auditor reads
Every row below names the live product surface that satisfies the clause. No marketing fluff: in the product, each row links to the screen a reviewer would inspect. Print to A4 for procurement or board-pack appendices.
ISO 31000 · International Organization for Standardization · 2018
Generic risk-management framework. Defines risk and risk treatment, and requires that every risk has a named owner and is reviewed on a set cadence.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| §5.2 Leadership & commitment | Top management owns the risk-management framework and reviews it regularly. | Governance hub records the CRA approver, every board ratification is hash-chained, and review cadence is enforced via the framework's `next_review_at`. |
| §6.4 Risk assessment | Identify, analyse and evaluate risks against criteria the board has set. | EWRA + Compliance Risk Assessment (CRA) score each domain inherent → control effectiveness → residual, against board-set thresholds. |
| §6.5 Risk treatment | Decide and record how each risk is handled (accept, mitigate, transfer, or avoid) with the rationale. | Every finding carries an explicit treatment choice (Accept / Mitigate / Transfer / Avoid) with rationale and review date, sealed into the audit chain. |
| §6.6 Monitoring & review | Set a cadence to monitor whether controls are still doing their job. | Monitoring tests with sampling plans, scheduled cadence, evidence linkage, and a fail → finding → issue flow. |
| §6.7 Recording & reporting | Keep a tamper-evident record of decisions and risk treatments. | Every state change is hash-chained. A public verifier endpoint (`/api/public/audit-trail/verify`) lets a regulator recompute and check the chain without holding an account. |
COSO ERM · Committee of Sponsoring Organizations of the Treadway Commission · 2017
Enterprise-risk-management framework: 5 components, 20 principles, oriented around strategy and performance.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| Component 1 — Governance & culture (P1-5) | Board exercises risk oversight; operating structures, culture, and integrity are defined. | Roles + responsibilities register (RACI), board ratification flow, attested policies, and a tamper-evident audit chain. |
| Component 2 — Strategy & objective-setting (P6-9) | Risk appetite is defined, business context understood, alternatives evaluated. | Risk appetite statements per domain with thresholds, measurements, and a board-review date. |
| Component 3 — Performance (P10-14) | Risks identified, assessed by severity, prioritised, treated, and viewed as a portfolio. | CRA portfolio view, prioritisation engine, ISO 31000 treatment field, three-axis consequence breakdown. |
| Component 4 — Review & revision (P15-17) | Substantial change assessed, performance reviewed, ERM improved. | Regulatory change pipeline with impact triage; framework review cadence enforced. |
| Component 5 — Information, communication & reporting (P18-20) | Leverage information systems; communicate risk; report on risk, culture, and performance. | Board pack + regulator pack generated from the live snapshot; notifications surface SLA breaches and approval requests. |
ISO 37301 · International Organization for Standardization · 2021
Compliance management systems: requirements with guidance for use. The 'CMS' standard auditors use to certify a compliance function.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| Clause 4 — Context of the organisation | Understand internal/external issues, interested parties, and compliance obligations. | Obligations register linked to verified regulator sources; entity profiles per licence type. |
| Clause 5 — Leadership | Top-management commitment, compliance policy, roles and responsibilities. | Approved compliance policy register; responsibilities & roles module; board attestations. |
| Clause 6 — Planning | Address risks and opportunities; set compliance objectives. | CRA produces residual scores per domain; monitoring plan converts objectives into scheduled tests. |
| Clause 7 — Support | Resources, competence, awareness, communication, documented information. | Evidence store with retention + integrity hashes; notifications channel; policy attestation log. |
| Clause 8 — Operation | Plan, implement and control processes that meet obligations; raise and remediate concerns. | Findings → Issues remediation flow; controls register; AI assistant drafts with human sign-off. |
| Clause 9 — Performance evaluation | Monitor, measure, analyse and evaluate; internal audit; management review. | Monitoring tests with sampling; CRA board assessment; supervisory & advisory workspaces. |
| Clause 10 — Improvement | Non-conformity and corrective action; continual improvement. | Issue register with root cause, owner, target close date, escalation flag. |
BCBS Compliance Principles · Basel Committee on Banking Supervision · 2005
'Compliance and the compliance function in banks' (April 2005), ten principles. Defines compliance risk as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of failing to comply with applicable laws, regulations, rules and codes of conduct.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| Principle 1-4 — Board & senior management responsibility | Board oversees the management of compliance risk and approves the compliance policy; senior management is responsible for managing compliance risk effectively, for establishing and communicating the compliance policy, and for maintaining a permanent, effective compliance function. | CRA board assessment requires board approval; ratification flow is mandatory for in-scope decisions. |
| Principle 5 — Independence | Compliance function has a formal status with explicit authority and is independent of the business activities it oversees. | Roles registry separates 1LoD / 2LoD / 3LoD (Three Lines Model, IIA 2020) with independence guardrails on override actions. |
| Principle 6-8 — Resources, responsibilities, relationship with internal audit | Adequate resources; clear responsibilities, including working with the risk-management function; periodic review of the compliance function by internal audit. | Responsibilities register, owner column on every object, CRA shared across risk + compliance views. |
| Principle 9 — Cross-border | Compliance function structured so that local regulatory expectations are met in every jurisdiction the bank operates in. | Per-entity licence model; multi-jurisdiction obligation tagging; per-licence applicability filter. |
| Principle 7 & 10 — Monitoring programme & outsourcing | A risk-based compliance monitoring and testing programme is in place (P7); compliance is not outsourced wholesale, and any outsourced task stays under the oversight of the head of compliance (P10). | Monitoring plan + tests with sampling; results feed findings and the CRA. |
BCBS 239 · Basel Committee on Banking Supervision · 2013
Principles for effective risk-data aggregation and risk reporting. The benchmark for board-grade risk reports.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| Principle 2 — Data architecture & IT infrastructure | Single source of truth; integrated taxonomy across risk data. | One per-tenant Postgres with a shared object graph (obligation → control → evidence → finding → issue → decision). |
| Principle 3 — Accuracy & integrity | Risk data is reconciled and accurate. | Every state change is hash-chained; evidence carries an integrity hash; public verifier endpoints let a third party recompute and check the chain. |
| Principle 6 — Adaptability | Risk reports adapt to ad-hoc requests. | Ask Data interface plus configurable board / regulator pack composition. |
| Principle 7-11 — Risk reporting practices | Accurate, comprehensive, clear, useful, frequent, and properly distributed risk reporting. | Board pack rendered from the live snapshot; A4 print-clean; regulator pack with server-verified chain. |
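The §6.7 row (ISO 31000) and the Principle 3 row (BCBS 239) both rest on the same mechanism: every state change is hash-chained and a public verifier recomputes the chain. The example below, added for this page and not RegAlign's own code, shows what that chain and verifier look like, and what a verifier can and cannot detect. The record layout, the `GENESIS` constant, the hash construction and the three sample records are all assumptions constructed for the illustration; nothing here describes how `/api/public/audit-trail/verify` is actually implemented.

```python
import copy
import hashlib
import json
from typing import Optional

# prev_hash of the first record: a convention assumed for this example.
GENESIS = "0" * 64


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same.
    Sorted keys and fixed separators suffice here; production code should use a
    real canonical JSON form (e.g. RFC 8785) so that every verifier agrees."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def record_hash(prev_hash: str, payload: dict) -> str:
    """hash_n = SHA-256(prev_hash || '\\n' || canonical(payload_n)).
    Committing to prev_hash is what links the records into a chain."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(canonical(payload))
    return h.hexdigest()


def append_record(records: list, payload: dict) -> dict:
    """Append one state change that commits to the current chain head."""
    prev = records[-1]["hash"] if records else GENESIS
    rec = {"seq": len(records), "prev_hash": prev, "payload": payload,
           "hash": record_hash(prev, payload)}
    records.append(rec)
    return rec


def verify_chain(records: list, anchored_head: Optional[str] = None):
    """Recompute every link. Returns (ok, failing_seq, reason).

    Without anchored_head this checks internal consistency only, which is all a
    verifier can do from the records alone. With anchored_head (a head hash the
    reviewer obtained out of band, e.g. printed in a signed board pack) it also
    checks that the chain still ends where the reviewer expects."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, i, "sequence gap or reorder"
        if rec["prev_hash"] != prev:
            return False, i, "prev_hash does not match previous record"
        if record_hash(prev, rec["payload"]) != rec["hash"]:
            return False, i, "stored hash does not match recomputed hash"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(records), "head does not match anchored head"
    return True, None, "ok"


def rechain(records: list) -> list:
    """What an insider with write access to the store can do after editing a
    record: recompute every hash so the chain is internally consistent again."""
    fixed = copy.deepcopy(records)
    prev = GENESIS
    for rec in fixed:
        rec["prev_hash"] = prev
        rec["hash"] = record_hash(prev, rec["payload"])
        prev = rec["hash"]
    return fixed


def build_demo_chain() -> list:
    """Constructed sample data: three state changes on one finding."""
    records: list = []
    append_record(records, {"object": "finding/F-102", "event": "created",
                            "actor": "analyst.alice", "severity": "high"})
    append_record(records, {"object": "finding/F-102", "event": "treatment_set",
                            "actor": "cco", "treatment": "Mitigate",
                            "rationale": "Control gap in sanctions screening"})
    append_record(records, {"object": "finding/F-102", "event": "board_ratified",
                            "actor": "board", "meeting": "2024-Q3"})
    return records


def demo() -> dict:
    records = build_demo_chain()
    anchored_head = records[-1]["hash"]  # handed to the regulator out of band

    tampered = copy.deepcopy(records)
    tampered[1]["payload"]["treatment"] = "Accept"  # quietly flip Mitigate -> Accept

    return {
        "clean": verify_chain(records, anchored_head),
        "tampered": verify_chain(tampered),                       # caught at seq 1
        "rechained_no_anchor": verify_chain(rechain(tampered)),   # passes: self-consistent
        "rechained_anchored": verify_chain(rechain(tampered), anchored_head),  # caught by head
    }


if __name__ == "__main__":
    for name, (ok, seq, reason) in demo().items():
        print(f"{name:20s} ok={ok!s:5s} seq={seq} {reason}")
```

The fourth case is the caveat a reviewer should carry into any "hash-chained" claim: a chain proves that the records were not edited in place, not that the whole chain was not rewritten by whoever controls the store. The verifier only catches a re-chained history when it is given a head hash (or a signature over one) that the operator could not have altered, so ask where the public verifier's expected head comes from and how often it is anchored outside the tenant database.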
Three Lines Model · Institute of Internal Auditors · 2020
Refresh of the older 'Three Lines of Defence' model; roles are framed by accountability rather than by organisational walls.
| Clause / principle | What it asks for | How RegAlign satisfies it |
|---|---|---|
| First line — Management of risk | Operating management owns and manages risks day-to-day. | Every object (obligation, control, finding, issue, evidence) has a named owner from the first-line role set. |
| Second line — Risk & compliance oversight | Compliance / risk function provides expertise, support, and challenge. | CCO / MLRO / Compliance Officer roles with override rights on severity, treatment, and finding state; challenge-note flow in the RCSA (risk and control self-assessment). |
| Third line — Internal audit | Independent assurance over risk-management and governance processes. | Read-only audit role; public-verifier endpoints; auditor-pack export. |