Welcome to The Demo Room – your front-row seat to the future of RegTech, RiskTech, and AI innovation.
In this series, Parker & Lawrence Research documents its research interviews with the most forward-thinking vendors tackling the industry’s biggest challenges. Each blog is built around a comprehensive product demo, providing clear insights into how these innovations address industry challenges.
On this occasion, the company spoke with Ryan Swann, Co-founder of RiskSmart, a connected enterprise risk management platform built for organisations that have outgrown spreadsheets, fragmented workflows and legacy GRC complexity.
Resilience has quietly become one of the most consequential themes in financial services risk and compliance. Firms are no longer dealing with isolated threats — they are navigating an interlocking web of technology dependencies, third-party exposures, regulatory obligations, internal control weaknesses and emerging AI governance requirements. A disruption in one area rarely stays contained. A supplier outage can rapidly escalate into a customer harm event. A control failure can trigger regulatory scrutiny. An unresolved gap in AI governance can simultaneously create data, conduct, resilience and accountability problems across the business.
High-profile failures have transformed these risks from theoretical to tangible, and regulators are taking note. Research shows that 79% of organisations feel ill-equipped to comply with new operational resilience rules, while only 20% of executives believe their firms are genuinely prepared to prevent or manage outages. The gap is particularly stark in Europe, where DORA, NIS2 and the CER Directive are already in force.
Paradoxically, Europe is both the most advanced region for RegTech adoption in IT security and the least mature when it comes to resilience. Firms have historically channelled investment into security — where threats are more clearly defined and outcomes are easier to measure. Resilience, being outcome-based and cross-functional, has proven far harder to implement and scale.
But regulation is only part of the picture. Risk and compliance functions are uniquely positioned within the business — they hold visibility across products, processes, controls, customers, suppliers, incidents, obligations and emerging threats. When supported by the right technology, that vantage point can transform the function from a gatekeeping exercise into genuine strategic counsel. RiskSmart co-founder Ryan Swann captured the underlying challenge plainly: “Risk is about decisions and data.”
The problem with fragmented enterprise risk management
Despite growing regulatory pressure, many firms are still running enterprise risk management (ERM) on a patchwork of manual processes. Around 80% of compliance teams still rely on some degree of manual working, while legacy-system expenditure is forecast to climb from $36.7bn in 2022 to $57.1bn by 2028. The operational cost is significant, but the strategic cost is arguably greater.
Resilience depends on connection. Risks need to be mapped to controls, actions, incidents, obligations, third parties and strategic objectives. When those relationships are scattered across spreadsheets, email threads and disconnected tools, risk teams lose the ability to understand how a single weakness might ripple through the wider organisation. The consequences compound quickly. Controls not linked to multiple risks generate duplicated assurance work. Obligations disconnected from controls and actions make compliance harder to evidence to auditors. First-line owners who cannot easily see what they are responsible for become disengaged — and risk management becomes trapped in the second line, visible only to specialists.
RiskSmart’s Swann put it plainly: “Most risk managers, most risk teams don’t want to be doing the admin, they don’t want to be doing the reporting. They want to be getting out there understanding the business.”
There is also a cultural dimension that technology alone cannot fix. Boards want stronger risk ownership. Risk teams want forward-looking insight. First-line teams need clearer accountability. Yet the tools most organisations use often make risk feel like a technical, siloed obligation — something reviewed periodically rather than embedded in everyday decision-making. Without a connected system, bridging that gap remains aspirational.
RiskSmart’s approach: connected risk in a single environment
RiskSmart’s platform links risks, controls, actions, indicators, obligations, policies and related records within one environment. It is designed with a clear target audience in mind: small and mid-market regulated organisations that have outgrown spreadsheet-based approaches but do not require — or want — the complexity and cost of a large enterprise GRC implementation.
At the core of the platform is a connected data model. Rather than isolated registers, risks can be linked to controls, actions, obligations, policies, indicators, strategic objectives, departments and themes. A single control can address several risks simultaneously. Tags allow users to build views across domains such as operational resilience, IT security, regulatory compliance or strategic priorities. This changes the questions a firm can ask — moving from whether a risk has been reviewed to which controls are underperforming across a theme, or which obligations sit alongside weak residual risk ratings.
The reporting layer is configurable and visual. Chief risk officers may want aggregate exposure and trend data. Heads of risk may focus on control effectiveness and overdue actions. First-line owners may only need to see what is assigned to them. Dashboards with drag-and-drop widgets can be tailored for each of those audiences — making risk data easier to interpret and, crucially, more likely to be used.
Workflow automation addresses one of the most significant time drains in risk management: the administrative burden of chasing business owners, tracking actions and maintaining assessment schedules. RiskSmart handles notifications, approvals, scheduled assessments and policy updates within the platform, reducing the reliance on parallel spreadsheets and email chains. The result is that risk teams can spend more time advising the business and less time managing the process.
The platform also accommodates different levels of maturity. Some firms still need manual scoring as they build out their risk and control environment. Others are ready to allow control performance to inform residual risk ratings more directly. RiskSmart supports both, allowing firms to advance along that maturity curve without requiring a multi-year transformation programme.
On artificial intelligence, RiskSmart has taken a deliberately focused approach. Current capabilities centre on practical assistance: suggesting risks and controls, supporting content drafting and helping users work more efficiently. The product roadmap includes custom prompts, navigation support and further workflow assistance. RiskSmart account executive Jamie Allan described the philosophy clearly: “We’re building the risk manager on your shoulder, not a complete automation.” Accuracy and usability take precedence over expansive automation — a sensible posture given that judgement and accountability must remain with the user in any risk management context.
What the market evidence suggests
Independent analysis from Parker & Lawrence positions RiskSmart as a strong fit in a consistently underserved segment: firms that have moved beyond what spreadsheets can support but are not yet ready — or willing — to commit to a heavyweight enterprise GRC deployment.
The case study of Comparitec, a FinTech operating with limited internal resources and spreadsheet-based risk processes, offers a useful illustration. By adopting RiskSmart’s Risk & Control and Compliance modules, the firm was able to centralise risk activity, improve process consistency and automate key compliance workflows — saving 25 hours of administrative time per month and making it significantly easier to evidence compliance to external auditors.
The hours saved matter, but they are a secondary benefit. Risk teams freed from administrative overhead can dedicate more capacity to understanding the business, challenging strategic decisions and giving management a sharper view of where risk actually sits.
Technology does not create risk culture on its own. That requires leadership, clear ownership and a defined framework. What RiskSmart offers is a practical route from fragmented risk administration toward connected, decision-useful ERM — lowering the operational burden of getting there for the firms that need it most.
Read the original post from Parker & Lawrence Research here.
Copyright © 2026 RegTech Analyst