| Area | Item | Status | Note |
|---|---|---|---|
| Compliance Risk Assessment | CRA with domain framework, board sign-off | Shipped | AML, CFT and CPF scored as three distinct compliance domains under Financial Crime. |
| Obligations | Layered obligation model (source / normalised / applicability / implementation / evidence / monitoring / governance) | Shipped | |
| Regulatory correspondence | Register, derivations, plain-English categories | Shipped | |
| BRA | Cycles, taxonomy, inherent/residual, approval | Shipped | |
| Risk Appetite | Board-approved thresholds, breach → finding wiring | Shipped | Promoted from Preview — JFSC expects measurable thresholds, not narrative. |
| Risk Activity | Residual heat by business line / activity | Shipped | Promoted from Preview — drives risk-based focus for the next quarter. |
| Advisory | AI advisory recommendations with certainty rating, decision and override trail | Shipped | Promoted from Preview — JFSC-defensible AI use. |
| JFSC Mapping Pack | Printable regulator pack: every JFSC obligation → controls, policies, owners | Shipped | Live at /governance/jfsc-mapping. |
| Tour narration | British male narrator (George) across all tour journeys | Shipped | ElevenLabs-backed, cached per step. |
| Route redirect regression guard | Audit script catches layout-route infinite-redirect loops | Shipped | scripts/audit-route-redirects.ts. |
| Compass | Per-scenario mode guidance, in-product mode pill | Building now | |
| Methodology | Shared 5×5 risk library across CRA / BRA / RCSA visuals | Building now | |
| Metrics | First-line and second-line oversight metrics | Next | |
| Task delivery | Email-delivered tasks with secure single-task links | Next | |
| BRA schema | Client segment, delivery channel, outsourcing dependency, evidence confidence, reassessment trigger fields | Next | |
| Findings ↔ CRA | Auto-trigger CRA reassessment from material findings | Next | |
| Attestation campaigns | Campaign entity grouping attestations under one window | Later | |
| Policy → procedure linkage | First-class procedure child of policy | Later | |
| Per-folder evidence ACL | HR-sensitive evidence scoped tighter than tenant-wide | Later | |
| Notification digest | Daily / weekly notification summary in place of one-event-per-email | Later | |
| CPD / Training register | Training records and CPD logging | Later | |
| SAR / MLRO restricted workspace | RLS-isolated restricted workspace with separate audit | Later | |
| Microsoft Teams integration | Real Teams task delivery (partner-registered) | Later | |
| EWRA | Enterprise-wide risk module inside RegAlign | Later | Acknowledged-and-deferred. Different buyer (CRO/COO), different cadence, different methodology. RegAlign stays focused on compliance risk; EWRA work belongs in your existing enterprise risk tooling until a separate module ships. See /risk/ewra for the scope statement. |
| RiskAlign | Adjacent enterprise risk product | Later | Revisit after three paid RegAlign pilots. |
| Enforcement-data feed | Live ingestion of regulator enforcement and thematic reviews | Won't do | Licensing-heavy and adjacent to product purpose. |
| Broader GRC drift | Generic GRC platform positioning | Won't do | Loses the compliance-first positioning. |
Dated honestly. Roadmap items are not commitments to any specific tenant.
RegAlign® supports compliance governance. It does not provide legal or regulatory advice. Decisions, approvals and overrides remain the responsibility of identified humans in the audit trail.