Integrated risk management · Made in Belgium · EU-sovereign

Risk management
you can prove.

Most GRC platforms are configurable databases wearing a dashboard. Sceau Risk quantifies your risks in euros, forecasts threshold breaches before they happen, prescribes treatments ranked by return on investment — and seals every record on a tamper-evident chain your auditor can verify with one call.

19 domainsOne atlas from cyber and credit to ESG, AI and fraud — enable what fits, adopt a starter pack in one click.
€ not coloursMonte Carlo loss models from three business-language inputs. Expected loss, VaR 99, ES 95 — seeded and reproducible.
Red in 1 periodKRI trend forecasting with an ETA to every threshold breach. You see amber coming before it arrives.
SHA-256 sealedEvery assessment, approval, signature and rule firing on a per-tenant hash chain. /audit/verify answers true or false.

The industry has been selling risk theatre.

Heat maps with no units. Compliance scores you declare to yourself. "AI-powered" predictions nobody can explain to a regulator. Audit logs that whoever owns the database can rewrite.

Self-declared coverage

Tick a box, turn the framework green. When the auditor arrives, the green means nothing. Sceau Risk derives coverage from the tested effectiveness of linked controls — you cannot declare it, you can only earn it.

Black-box scoring

A vendor "risk score of 73" that no one can decompose is marketing, not risk management. Every Sceau Risk number — pressure index, forecast, ROSI — itemises exactly which factors produced it.

Rewritable history

An audit trail in a normal table is a suggestion. Ours is a hash chain: approved assessments and policy versions are immutable at the database trigger level, and tampering breaks the chain visibly.

The platform

Everything the big suites do. Then the part they only market.

Sceau Risk covers the full checklist of the legacy leaders — register, assessments, controls, campaigns, policies, third parties, frameworks, issues, reporting — and then keeps going where they stop.

Register & assessments

Multi-dimensional, then monetary

Score likelihood against financial, service, regulatory and reputational impact facets — then add three inputs (how often, typical cost, bad-year cost) and get a full Monte Carlo loss distribution stored inside the immutable assessment record.

Treatments

Business cases, not wish lists

Every proposed control gets a persisted business case: ΔExpected Loss, ΔVaR 99, ROSI and payback in months. Boards approve investments, not adjectives.

Controls & campaigns

Test, challenge, attest

Control testing with effectiveness lifecycles, RCSA campaigns with first-line/second-line challenge, and read-and-attest runs whose signatures land on the chain.

Policies

The published text is the approved text

Draft → review → approve → publish with segregation of duties enforced both ways. Publishing snapshots an immutable version; editing a live policy demotes it for re-approval. Exceptions are time-bound by construction — twelve months, hard cap.

Frameworks

Coverage you earn

ISO 27001, NIS2, DORA, GDPR, CIS 8, ISO 22301, ISO 45001, CSRD, EU AI Act and more, pre-loaded. Requirement status derives from linked control effectiveness. Gap discovery drafts the missing risks for you. One click exports an auditor-ready Statement of Applicability.

Evidence

Collect once, satisfy many

Link one evidence artefact to controls and requirements across frameworks, with validity dates. Stale evidence is flagged automatically — and can trigger a workflow before the auditor finds it.

Third parties

TPRM with a DORA spine

Vendor tiers, assessment portals, continuous signal ingest, concentration analytics — and the DORA Register of Information exported in the shape your regulator expects.

Models & AI

EU AI Act, answered

A classification wizard that cites the articles behind every determination, model lifecycle gates, dimension-scored AI risk profiles (bias, robustness, oversight, drift) whose score also inherits the live data-risk of linked training data, ISO/IEC 42001 in the framework library — and a register your DPO will actually enjoy opening.

Incident response

Clocks you can defend to a regulator

Declare an incident with GDPR/NIS2/DORA flags and the notification clocks derive themselves — Art. 33, Art. 23, Art. 19 — each on a live countdown, honest about late filings. Playbooks instantiate SLA-offset task checklists, the timeline is append-only at the database level, a sweep alarm fires before a clock expires, closing requires a post-incident review, and MTTC/MTTR are computed, never claimed.

Internal audit

The third line, wired in

Plan engagements against risks and controls, run independent tests with evidence notes, and raise findings that mint tracked issues — owner, due date, overdue automation included. Opinions are gated to the reporting stage, closing requires one, and 12-month audit coverage of high/critical risks is derived, with the uncovered ones named.

Data governance

Govern the data behind the risks

A register of data assets with owners and stewards, four-level classification and PII flags, DAMA data-quality rules whose failing measurements fire the automation engine, lineage between assets, links into the risk register — a derived data-risk score per asset that itemises every point, one-click drafting of that exposure into the risk register — and an auditor-ready catalog export.

ESG · Credit · Scenarios

The specialist modules, native

CSRD double materiality with ESRS datapoint readiness. Counterparty PD/LGD/EAD with limit monitoring that opens issues on breach. Workshop scenarios that run seeded, reproducible Monte Carlo.

Foresight

Predict. Prescribe. Capture the outside world.

This is the layer the legacy suites put in brochures. We put it in the product — and every mechanism is explainable, because "the model said so" does not survive a supervisory visit.

Breach ETAs on every KRI

Holt trend forecasting on your indicator history, projected forward with an estimated time to amber and red. "Phishing reports → red in 1 period" is a sentence your CISO can act on. Level and trend are returned with every forecast — the maths is auditable.

The pressure index

A 0–100 leading-indicator score per domain — KRI health, event surges, overdue treatments, weak controls, appetite breaches — with every point itemised to a clickable factor. No composite mystery numbers, ever.

ROSI-ranked treatments

Ask the platform how to reduce a quantified risk and it prices the control library against your loss model — stated assumptions, ranked by return. One click applies the winner: control linked, action opened, business case saved. Atomically.

Regulatory horizon

Official EU and international feeds — EUR-Lex, EBA, ESMA, ENISA, EDPB, CISA — fetched, de-duplicated and classified into your domain atlas, with effective dates extracted onto a countdown. AMLR technical standards in 95 days is planning; a surprise is not.

Intelligence to register

Triage the feed per tenant. One click turns a relevant item into a draft risk in the right domain, source-linked and idempotent. The outside world flows into your register instead of past it.

Automation rules

When a critical residual is approved, notify the risk function and fire a webhook. When an exception nears expiry, open an issue. Nine triggers, inspectable conditions, four audited actions, template interpolation, deduplication — and a full execution log.

Ask Sceau

An AI copilot that shows its work — and an open door for yours.

Every answer cites the objects it used and lists the exact tools it called. Writes only ever produce drafts for human review. And the twist nobody else ships:

📌 Pin any answer as a live widget

Ask "which risks are trending up?" — get the answer — pin it. It becomes a board widget that keeps updating. Your CRO cockpit assembles itself from the questions you actually ask, with permissions enforced per widget at render time.

MCP: bring your own AI

The entire tool surface — 24 tools and growing — is exposed over the open Model Context Protocol. Point Claude, your internal assistant, or your data platform at Sceau Risk and it answers with your live risk posture, under your users' permissions. Scoped, revocable API keys make the first integration a copy-paste. No lock-in, no black box between you and your own data.

# Any MCP client, your permissions, live answers > What is our aggregate expected loss, and which regulations land next quarter? ✓ get_quantified_register · ✓ get_intel_digest Aggregate EL €217,029/yr across quantified risks. Horizon: AMLR CDD RTS (95 days), ESG fund-naming rules (132 days), CSRD assurance standards (173 days).
Proof over promises

Three claims. Three ways to check us.

1 · The chain answers

Call GET /audit/verify on your tenant at any moment. It walks the hash chain across every audited record and returns {"intact": true} — or tells you exactly where history was touched. Ship the chain head in your board pack.

2 · The simulation repeats

Every Monte Carlo run stores its seed and parameters. Re-run it in five years, get the same distribution to the decimal. Model risk management applied to the risk platform itself.

3 · The score decomposes

Click any pressure score, any coverage percentage, any ROSI figure — and see the exact factors, links or formulas behind it. If we can't explain a number, we don't show it.

"Derived, never declared. Explainable, never oracular. Sealed, never editable." — the three design rules every Sceau Risk feature must pass.

How we sit against the field.

The honest version — the same map we use internally.

CapabilityLegacy suites¹Compliance natives²Sceau Risk
Register, controls, campaigns, policies, TPRMpartial
Framework coverage derived from control effectivenessself-declaredself-declared✚ earned only
Per-risk Monte Carlo in the assessment recordadd-on✚ native, reproducible
ROSI-ranked, one-click treatment recommendations
Explainable KRI breach forecasts & pressure indexbrochure✚ itemised
Regulatory horizon from official feeds → draft riskspaid feedspartial✔ built in
No-code automation rules with execution log✔ (their moat)partial
Pin an AI answer as a live dashboard widget
Open MCP tool surface for any AI client
Tamper-evident hash-chain audit traillogslogs✚ verifiable
EU-sovereign hosting, EU legal entity, no US cloudrarerare✔ always
Interface in EN · NL · FR · DEEN mostly

¹ Archer, ServiceNow IRM, MetricStream, Diligent, AuditBoard, LogicGate and peers. ² Vanta, Drata, Hyperproof, Sprinto and peers. Comparison reflects publicly documented capabilities, July 2026; "brochure" means marketed without inspectable mechanics.

Sovereignty & security

Your risk register is a map of your weaknesses.
It should never leave Europe.

EU by construction

  • Operated by Galactic Automation BV, Belgium — an EU legal entity, full stop.
  • All production data resides in Belgium — Google Cloud’s EU region (europe-west1, St-Ghislain) with EU data-residency controls. Need EU-owned infrastructure end-to-end? A sovereign single-tenant deployment on Hetzner is available on Enterprise.
  • No third-party trackers, no analytics beacons, no external fonts — this very website makes zero external requests.
  • GDPR processor terms and a signed DPA as standard, not an enterprise upsell.

Defence in depth

  • Tenant isolation enforced in the database: PostgreSQL row-level security, fail-closed on every table.
  • Role-based access with segregation of duties baked into workflows — owners cannot approve their own work.
  • Immutability where it matters: approved assessments and published policy versions reject modification at trigger level.
  • Single-tenant sovereign deployment available on Enterprise — your instance, your keys, our upkeep.

See your own risks quantified — in one afternoon.

Bring three risks and thirty minutes. We'll load them live, quantify one in euros, forecast one KRI, and let your auditor call /audit/verify themselves. If it doesn't change how your next risk committee sounds, we part as friends.