Risk management
you can prove.
Most GRC platforms are configurable databases wearing a dashboard. Sceau Risk quantifies your risks in euros, forecasts threshold breaches before they happen, prescribes treatments ranked by return on investment — and seals every record on a tamper-evident chain your auditor can verify with one call.
/audit/verify answers true or false.The industry has been selling risk theatre.
Heat maps with no units. Compliance scores you declare to yourself. "AI-powered" predictions nobody can explain to a regulator. Audit logs that whoever owns the database can rewrite.
Self-declared coverage
Tick a box, turn the framework green. When the auditor arrives, the green means nothing. Sceau Risk derives coverage from the tested effectiveness of linked controls — you cannot declare it, you can only earn it.
Black-box scoring
A vendor "risk score of 73" that no one can decompose is marketing, not risk management. Every Sceau Risk number — pressure index, forecast, ROSI — itemises exactly which factors produced it.
Rewritable history
An audit trail in a normal table is a suggestion. Ours is a hash chain: approved assessments and policy versions are immutable at the database trigger level, and tampering breaks the chain visibly.
Everything the big suites do. Then the part they only market.
Sceau Risk covers the full checklist of the legacy leaders — register, assessments, controls, campaigns, policies, third parties, frameworks, issues, reporting — and then keeps going where they stop.
Multi-dimensional, then monetary
Score likelihood against financial, service, regulatory and reputational impact facets — then add three inputs (how often, typical cost, bad-year cost) and get a full Monte Carlo loss distribution stored inside the immutable assessment record.
Business cases, not wish lists
Every proposed control gets a persisted business case: ΔExpected Loss, ΔVaR 99, ROSI and payback in months. Boards approve investments, not adjectives.
Test, challenge, attest
Control testing with effectiveness lifecycles, RCSA campaigns with first-line/second-line challenge, and read-and-attest runs whose signatures land on the chain.
The published text is the approved text
Draft → review → approve → publish with segregation of duties enforced both ways. Publishing snapshots an immutable version; editing a live policy demotes it for re-approval. Exceptions are time-bound by construction — twelve months, hard cap.
Coverage you earn
ISO 27001, NIS2, DORA, GDPR, CIS 8, ISO 22301, ISO 45001, CSRD, EU AI Act and more, pre-loaded. Requirement status derives from linked control effectiveness. Gap discovery drafts the missing risks for you. One click exports an auditor-ready Statement of Applicability.
Collect once, satisfy many
Link one evidence artefact to controls and requirements across frameworks, with validity dates. Stale evidence is flagged automatically — and can trigger a workflow before the auditor finds it.
TPRM with a DORA spine
Vendor tiers, assessment portals, continuous signal ingest, concentration analytics — and the DORA Register of Information exported in the shape your regulator expects.
EU AI Act, answered
A classification wizard that cites the articles behind every determination, model lifecycle gates, dimension-scored AI risk profiles (bias, robustness, oversight, drift) whose score also inherits the live data-risk of linked training data, ISO/IEC 42001 in the framework library — and a register your DPO will actually enjoy opening.
Clocks you can defend to a regulator
Declare an incident with GDPR/NIS2/DORA flags and the notification clocks derive themselves — Art. 33, Art. 23, Art. 19 — each on a live countdown, honest about late filings. Playbooks instantiate SLA-offset task checklists, the timeline is append-only at the database level, a sweep alarm fires before a clock expires, closing requires a post-incident review, and MTTC/MTTR are computed, never claimed.
The third line, wired in
Plan engagements against risks and controls, run independent tests with evidence notes, and raise findings that mint tracked issues — owner, due date, overdue automation included. Opinions are gated to the reporting stage, closing requires one, and 12-month audit coverage of high/critical risks is derived, with the uncovered ones named.
Govern the data behind the risks
A register of data assets with owners and stewards, four-level classification and PII flags, DAMA data-quality rules whose failing measurements fire the automation engine, lineage between assets, links into the risk register — a derived data-risk score per asset that itemises every point, one-click drafting of that exposure into the risk register — and an auditor-ready catalog export.
The specialist modules, native
CSRD double materiality with ESRS datapoint readiness. Counterparty PD/LGD/EAD with limit monitoring that opens issues on breach. Workshop scenarios that run seeded, reproducible Monte Carlo.
Predict. Prescribe. Capture the outside world.
This is the layer the legacy suites put in brochures. We put it in the product — and every mechanism is explainable, because "the model said so" does not survive a supervisory visit.
Breach ETAs on every KRI
Holt trend forecasting on your indicator history, projected forward with an estimated time to amber and red. "Phishing reports → red in 1 period" is a sentence your CISO can act on. Level and trend are returned with every forecast — the maths is auditable.
The pressure index
A 0–100 leading-indicator score per domain — KRI health, event surges, overdue treatments, weak controls, appetite breaches — with every point itemised to a clickable factor. No composite mystery numbers, ever.
ROSI-ranked treatments
Ask the platform how to reduce a quantified risk and it prices the control library against your loss model — stated assumptions, ranked by return. One click applies the winner: control linked, action opened, business case saved. Atomically.
Regulatory horizon
Official EU and international feeds — EUR-Lex, EBA, ESMA, ENISA, EDPB, CISA — fetched, de-duplicated and classified into your domain atlas, with effective dates extracted onto a countdown. AMLR technical standards in 95 days is planning; a surprise is not.
Intelligence to register
Triage the feed per tenant. One click turns a relevant item into a draft risk in the right domain, source-linked and idempotent. The outside world flows into your register instead of past it.
Automation rules
When a critical residual is approved, notify the risk function and fire a webhook. When an exception nears expiry, open an issue. Nine triggers, inspectable conditions, four audited actions, template interpolation, deduplication — and a full execution log.
An AI copilot that shows its work — and an open door for yours.
Every answer cites the objects it used and lists the exact tools it called. Writes only ever produce drafts for human review. And the twist nobody else ships:
📌 Pin any answer as a live widget
Ask "which risks are trending up?" — get the answer — pin it. It becomes a board widget that keeps updating. Your CRO cockpit assembles itself from the questions you actually ask, with permissions enforced per widget at render time.
MCP: bring your own AI
The entire tool surface — 24 tools and growing — is exposed over the open Model Context Protocol. Point Claude, your internal assistant, or your data platform at Sceau Risk and it answers with your live risk posture, under your users' permissions. Scoped, revocable API keys make the first integration a copy-paste. No lock-in, no black box between you and your own data.
Three claims. Three ways to check us.
1 · The chain answers
Call GET /audit/verify on your tenant at any moment. It walks the hash chain across every audited record and returns {"intact": true} — or tells you exactly where history was touched. Ship the chain head in your board pack.
2 · The simulation repeats
Every Monte Carlo run stores its seed and parameters. Re-run it in five years, get the same distribution to the decimal. Model risk management applied to the risk platform itself.
3 · The score decomposes
Click any pressure score, any coverage percentage, any ROSI figure — and see the exact factors, links or formulas behind it. If we can't explain a number, we don't show it.
"Derived, never declared. Explainable, never oracular. Sealed, never editable." — the three design rules every Sceau Risk feature must pass.
How we sit against the field.
The honest version — the same map we use internally.
| Capability | Legacy suites¹ | Compliance natives² | Sceau Risk |
|---|---|---|---|
| Register, controls, campaigns, policies, TPRM | ✔ | partial | ✔ |
| Framework coverage derived from control effectiveness | self-declared | self-declared | ✚ earned only |
| Per-risk Monte Carlo in the assessment record | add-on | — | ✚ native, reproducible |
| ROSI-ranked, one-click treatment recommendations | — | — | ✚ |
| Explainable KRI breach forecasts & pressure index | brochure | — | ✚ itemised |
| Regulatory horizon from official feeds → draft risks | paid feeds | partial | ✔ built in |
| No-code automation rules with execution log | ✔ (their moat) | partial | ✔ |
| Pin an AI answer as a live dashboard widget | — | — | ✚ |
| Open MCP tool surface for any AI client | — | — | ✚ |
| Tamper-evident hash-chain audit trail | logs | logs | ✚ verifiable |
| EU-sovereign hosting, EU legal entity, no US cloud | rare | rare | ✔ always |
| Interface in EN · NL · FR · DE | ✔ | EN mostly | ✔ |
¹ Archer, ServiceNow IRM, MetricStream, Diligent, AuditBoard, LogicGate and peers. ² Vanta, Drata, Hyperproof, Sprinto and peers. Comparison reflects publicly documented capabilities, July 2026; "brochure" means marketed without inspectable mechanics.
Your risk register is a map of your weaknesses.
It should never leave Europe.
EU by construction
- Operated by Galactic Automation BV, Belgium — an EU legal entity, full stop.
- All production data resides in Belgium — Google Cloud’s EU region (europe-west1, St-Ghislain) with EU data-residency controls. Need EU-owned infrastructure end-to-end? A sovereign single-tenant deployment on Hetzner is available on Enterprise.
- No third-party trackers, no analytics beacons, no external fonts — this very website makes zero external requests.
- GDPR processor terms and a signed DPA as standard, not an enterprise upsell.
Defence in depth
- Tenant isolation enforced in the database: PostgreSQL row-level security, fail-closed on every table.
- Role-based access with segregation of duties baked into workflows — owners cannot approve their own work.
- Immutability where it matters: approved assessments and published policy versions reject modification at trigger level.
- Single-tenant sovereign deployment available on Enterprise — your instance, your keys, our upkeep.
See your own risks quantified — in one afternoon.
Bring three risks and thirty minutes. We'll load them live, quantify one in euros, forecast one KRI, and let your auditor call /audit/verify themselves. If it doesn't change how your next risk committee sounds, we part as friends.