AIQ Suite translates ICT/cyber, operational, and ICT third-party provider risk into quantified financial outputs, P95 concentration exposure, and regulatory evidence — through one governed platform for financial-sector operational resilience.
Early access currently prioritised for banks, financial institutions, and regulated organisations.
AIQ Suite is open for controlled pilot validation with banks, financial institutions and regulated organisations. A pilot can cover selected ICT assets, cyber/ICT scenarios, operational scenarios, ICT third-party provider relationships, workflow testing, management reporting, and feedback on the preparation of regulator-ready evidence.
The goal of pilot validation is to confirm the platform's practical usability, report quality, the clarity of quantified outputs, and readiness for broader commercial deployment.
Each module can be deployed independently or together as AIQ Suite. All three share the same governance workflow, organisational data, AI infrastructure, reporting layer, audit trail, and capital-impact logic — giving banks one consistent view of ICT risk, operational risk, and third-party dependency risk.
Quantifies ICT and cyber risk through a quantitative Monte Carlo approach — event frequency, vulnerability, control effectiveness, and loss magnitude. Produces P50/P90/P95/P99 outputs, materiality against the capital base, and ICT risk reporting aligned with DORA and NIS2 reference expectations.
Quantifies operational risk through a proprietary scenario-based quantitative methodology — event frequency, vulnerability, and loss magnitude via Monte Carlo simulation — applied to business processes, Basel III Event Type categories, internal loss data, and process controls. Supports RCSA, ICAAP narrative, management reporting, and management materiality analysis for operational risk.
Manages data and evidence relevant to ICT third-party risk, including provider registry, contracts, critical or important functions, exit strategies, concentration, and Register of Information preparation, in line with the local framework and the EU reference structure.
Qualitative risk matrices, scattered vendor registers, and manual outsourcing spreadsheets are no longer defensible under DORA, NIS2, and Basel III. Banks need a single governed view of risk, capital impact, third-party dependency, and regulatory evidence.
Quantitative risk inputs processed through 10,000-run Monte Carlo simulation — for ICT scenarios (CyberRisk AIQ), Basel Event Type scenarios (OpRisk AIQ), and third-party provider exposure portfolios (TPPRisk AIQ). Multiplicative control reduction model ensures realistic compounding. Outputs include Expected Loss, P50/P90/P95 confidence intervals, Loss Exceedance Curve, and capital impact percentage.
Maps ICT providers to services, contracts, critical functions, internal assets, and quantified exposure. Identifies single-provider concentration, substitutability gaps, missing exit strategies, and group-level vendor dependencies. Generates a Register of Information for ICT arrangements aligned with the EU DORA/ITS reference structure (Commission Implementing Regulation 2024/2956).
AI assistance proposes analysis tailored to the sector, capital base, and jurisdiction, subject to human review, adjustment, and sign-off. A bank in Montenegro receives CBCG-framed guidance. A bank in Croatia receives DORA and HNB context. A public body in Germany receives NIS2 and BSI framing. 44 European jurisdictions mapped — regulatory references serve as context and benchmark, never a compliance checklist.
End-to-end accountability from analyst assessment to board escalation, across all three modules. 1LoD: Analyst + ICT Custodian / Risk Coordinator / Vendor Manager. 2LoD: CISO + OR Manager + CRO. Full audit trail, structured rework flow, Business Owner Decision Guidance, Tier 1 DORA escalation, signed RoI snapshots. One workflow engine across CR, OR, and TPP.
Two parallel governance flows — quantified risk for CR + OR scenarios, third-party risk for the provider lifecycle — converging in board-ready outputs and evidence prepared for internal review and regulatory submission, under applicable rules and institution approval.
For Cyber: selects ICT asset with risk intelligence tags, assigns threat scenario with editable description and threat actor, inputs quantification parameters. For OR: selects business process with asset dependencies, assigns Basel Event Type scenario. AI suggests calibrated ranges for both.
For Cyber: ICT Custodian rates existing controls from the proprietary control library on a 0–5 scale, with bulk multi-select and duplicate detection. For OR: Risk Coordinator rates process controls effectiveness. Platform calculates residual risk reduction.
For Cyber: CISO validates ICT risk methodology, reviews analyst's treatment recommendation and business risk narrative, and adds their own commentary. For OR: Operational Risk Manager performs the equivalent review. Both act as second-line quality gates before the business decision stage.
With AI analysis, analyst recommendation, and CISO/Operational Risk Manager commentary all visible, the risk owner accepts, mitigates, transfers, or avoids the risk. For OR: Process Owner holds formal accountability. Risks exceeding mandate trigger Board escalation.
Treatment decisions generate structured action plans. ICT Custodian adds controls from the framework library, AI suggestions, or custom entries — with improvement opportunities for existing under-performing controls. All tracked in a unified central view.
Entry into the provider portfolio with EBA ITS B_05.01-aligned data — provider identity, ICT services delivered (closed-list service types), contracts with CIF/non-CIF classification, and supply-chain links. Foundation of the Register of Information.
5-step CIF wizard (Critical or Important Function) — materiality, substitutability, geography, outsourcing depth, and testing — produces a defensible CIF determination per contract. Vendor Manager prepares; CISO/CRO governance reviews.
The platform surfaces concentration exposure: single-provider P95, UNION P95 across the portfolio, diversification benefit, and supply-chain dependencies (B_03.03) including intra-group ICT services (B_03.02). Concentration hot-spots become visible, not hidden in spreadsheets.
HIGH/MEDIUM/LOW data quality bands per provider, with actionable drill-down to specific gaps. Validation gates check Register of Information completeness against the EBA ITS template set before any submission can proceed.
CRO reviews concentration risk, approves the snapshot, and freezes it. The platform generates a structured ZIP package per Commission Implementing Regulation 2024/2956 — for internal review and preparation of regulatory submission under applicable competent-authority instructions. Full audit trail preserved.
From provider inventory to a Register of Information prepared for internal review and regulatory submission, under applicable rules and institution approval.
Prepares quantitative risk assessments end-to-end for both ICT and operational risk domains.
Provides technical input on control effectiveness and builds the action plan control set.
Second-line methodological review and quality gate — reviews analyst recommendation and narrative before BO decision.
Risk owner making the formal treatment decision with full AI and human context available.
Maintains the registry of organisational assets — ICT assets (Cyber) or business processes (OR) — including ownership assignment, tagging, and dependency mapping.
Maintains ICT provider, service, contract, and dependency records. Coordinates CIF assessments and data quality remediation across the provider portfolio.
Approves critical third-party risk outputs, concentration analysis, and frozen RoI snapshots before regulatory export. Methodological gate aligned with Group CRO mandate.
Platform configuration, module activation, and governance setup.
Group-level oversight across subsidiaries: consolidated CR + OR + TPP exposure, cross-entity provider concentration, group-level RoI readiness. Single accountability layer above per-entity governance.
Not generic advice. Every AI output is contextualised to your organisation's type, capital base, regulatory obligations, and jurisdiction — whether it's a DORA-scope bank in Croatia or a public authority in Montenegro.
Suggests annual scenario-frequency and loss-materialisation likelihood ranges calibrated to ICT asset criticality and threat actor profiles (Cyber), or to business process type and Basel Event Type category (OR). Confidence levels and value bands signal where human judgement is most needed.
44 European jurisdictions mapped. AI analysis references the frameworks actually applicable to your organisation — CBCG for Montenegrin banks, DORA and HNB for Croatian institutions, NBS for Serbian entities. Regulatory references provide context and benchmark, never a compliance checklist.
Deterministic treatment recommendation at temperature=0, anchored to your 4-tier capital impact framework. Tier thresholds configured per tenant. Tier 1 risks trigger Management Board escalation guidance aligned with DORA Article 5 requirements.
AI generates a structured analyst assessment using regulatory benchmarks and industry context — editable in a rich text editor. The analyst reviews, refines, and saves. What reaches the CISO and Board carries human accountability, not raw AI output.
Use Anthropic Claude (default), Azure OpenAI, or standard OpenAI. Provider configured per tenant in Admin Panel. Master AI switch enables full manual operation when AI is not required or available.
AI supports review, calibration, and narrative drafting. Regulatory accountability — for capital impact decisions, CIF status, RoI submission, and treatment outcomes — remains with the institution and its accountable persons.
Purpose-built for European regulated organisations — combining capabilities that are typically available only separately, at enterprise price points, or not at all. Now including group-level risk intelligence for multi-entity organisations.
Most quantification tools are calculators — they produce a number but leave coordination to email and spreadsheets. AIQ Suite embeds the complete governance workflow: analyst preparation, ICT/process control rating, CISO review, business owner decision, action plan, and approval — all in one platform, with full audit trail.
Cyber risk, operational risk, and third-party risk are typically managed in separate silos — separate teams, separate tools, separate evidence. AIQ Suite unifies them: same assets, same users, same governance workflow, same audit trail, same capital basis. A bank sees its ransomware exposure, its settlement error exposure, and its cloud-hosting concentration side-by-side — and surfaces where the same provider supports multiple critical processes automatically.
All major quantification platforms originate in North America. AIQ Suite is designed from the ground up for European regulatory requirements — DORA, NIS2, Basel III, EBA Guidelines, and 44 national jurisdictions including local regulators (CBCG, NBS, HNB, BaFin, FMA, FINMA). Not an afterthought — the architecture.
Every input, every control rating, every Monte Carlo output is visible and auditable. Quantification inputs, loss components, control reduction calculations, capital impact formula — all accessible for regulatory review. No black box. Designed to withstand supervisory scrutiny under DORA Article 6 and EBA internal model requirements.
Quantitative risk modeling typically requires specialist training or external consultants. AIQ Suite makes it accessible to any risk analyst through AI-assisted calibration, scenario context panels, industry benchmark guidance, and structured workflow. Expertise is embedded in the platform — not a prerequisite for using it.
See how your organisation's capital impact compares to sector peers. Benchmark data sourced from Verizon DBIR, ENISA Threat Landscape, IBM X-Force, and Ponemon Institute — by organisation type, sector, and company size. Gives CISO and board concrete context: are we above or below industry average for this risk?
Most DORA TPP tools stop at registers and templates. Most risk quantification tools stop at scenarios and loss curves. AIQ Suite connects both: ICT providers, contracts, critical functions, internal assets, and quantified P95 exposure — so third-party risk is not just documented, but financially understood and prepared for internal review and regulatory submission, under applicable rules and institution approval.
AIQ Suite doesn't treat third-party risk as a static vendor list. It maps providers to ICT services, critical functions, contracts, assets, and risk assessments — revealing where the institution is operationally dependent on a single provider, cloud region, subcontractor, or group-wide vendor relationship.
Most European risk platforms are SaaS-only — a hard constraint for banks under central bank requirements that restrict public cloud deployment of core risk data. AIQ Suite supports three deployment modes: full SaaS (EU data centres), on-premise (institution's own infrastructure), and operating holding (parent entity hosts subsidiaries). Tier-based RSA-signed JWT licensing works offline — no phone-home requirement. Banks meet regulatory data-residency expectations without compromising platform capability.
AIQ Suite helps institutions structure internal risk governance, evidence, and reporting in relation to relevant regulatory and audit requirements — through three purpose-built modules.
CyberRisk AIQ, OpRisk AIQ, TPPRisk AIQ, and the Enterprise Scale tier — along with multi-tenant, holding architecture, group risk intelligence, and the Register of Information for ICT arrangements — are in preparation.
Three modules. One defensible mathematical basis — Monte Carlo simulation for cyber, Quantitative RCSA + Monte Carlo for operational risk, quantitative concentration analytics for third-party risk.
See how MFA + EDR reduce capital impact
Automated Reconciliation (4/5) + Real-time Validation (4/5) reduce capital impact by 56% — investment justified by risk reduction ROI of 6.2:1
Multi-region split + secondary provider arrangement reduces Cloud Hosting P95 to €3.6M (−57%); UNION P95 drops to €12.8M; CIF without exit strategy resolved.
Investment justified — concentration risk reduction ROI 4.8:1; submission timeline preserved.
Request early access and we'll show you how AIQ Suite quantifies your Cyber and Operational Risk in terms your board and regulators can act on.