Version 2.0 — New BCM and TPRM Modules

Intelligent ICT risk management.

GRC platform for comprehensive ICT risk management — from risk identification and assessment, through control registers and treatment plans, to regulatory reporting. On-premises. Full data control.

Trusted by financial sector institutions

Why RISKBOW

Quantitative risk scoring, not just a 5×5 matrix

Beyond the classic heat map, RISKBOW offers a unique quantitative approach — automatically analyzing dependencies between ICT assets and calculating risk scores that account for threat propagation. Result: precise KRI instead of subjective estimates.

Quantitative Risk Scoring

5-stage algorithm calculating risk score per ICT asset accounting for dependencies and threat propagation. AI prediction.

Regulatory Compliance

Built-in support for DORA, KNF (SPRPF-18/20/26/27), ISO 27001, NIS2. Multi-entity and reporting.

DORA · KNF · ISO · NIS2

On-premises / Private Cloud

Full data control. Deployment on your infrastructure: Kubernetes, VMware, bare metal. No vendor lock-in.

Your servers, your data

Continuous Risk Monitoring

KRI automatically updated on every data change. Real-time alerting and escalation — not nightly batch.

KRI updated in <30 seconds

System Preview

See RISKBOW in action

Interface designed for risk analysts, CISOs, and compliance officers. Responsive dashboards, interactive graphs.

Dashboard · Last update: 22.04.2026 14:32 · Company A

ICT Assets: 2,847 (+127 vs prev) · Average KRI: 78.4 (+3.2 pts) · Critical: 23 (-4 vs prev) · Active Events: 1,294 (+89)

[Chart: Asset Risk Score Distribution, N=2847, score buckets 0-20 / 20-40 / 40-60 / 60-80 / 80-100]

Security Attributes: Confidentiality 92% · Availability 78% · Integrity 85% · Authenticity 89%

Recent Risk Events
Asset           | Score | Status
srv-prod-db-01  | 34.2  | Critical
app-payment-gw  | 61.5  | Warning
net-fw-core-02  | 91.7  | OK
cloud-s3-backup | 72.0  | Warning

[Dependency graph preview, node scores: AD Server 87 · Core Banking 76 · Payment GW 58 · WAF 92 · DNS 81 · DB Prod 34 · App Server 41 · LB 88 · CDN 67 · SMTP 83 · S3 72]

Selected node: DB Prod (Score: 34.2)
Type: PostgreSQL
Events: 3 critical
Betweenness: 0.847
SCC: Cluster #2

Risk Register · Company A · 2026 Q2
Status: All · Critical: 8 · High: 23 · Medium: 47 · Low: 112
ID         | Risk                                        | Level    | Status
R-2026-001 | Payment system business continuity loss     | Critical | In Progress
R-2026-014 | Unauthorized access to personal data        | Critical | Accepted
R-2026-027 | Cloud supplier concentration risk           | High     | New
R-2026-033 | Missing current BCPs for critical processes | High     | In Progress
R-2026-041 | CIS Benchmark configuration non-compliance  | Medium   | New

Risk reporting
SPRPF-18 · Contract Registry ICT · XLSX · Generated: 15.04.2026
IS Risk Report · Information Security · PDF, XLSX · 22.04.2026
BIA Report · Business Continuity Q2 · PDF · 20.04.2026
Supplier Assessment · Concentration Risk · XLSX · 18.04.2026
SPRPF-20 · ICT Functions · XLSX · 15.04.2026
Report Builder

Contract Registry ICT · SPRPF-18 ready
Contract No.  | Supplier   | Validity
ICT/2025/0142 | Supplier A | 31.12.2027
ICT/2024/0089 | Supplier B | 30.06.2027
ICT/2025/0201 | Supplier C | 31.03.2026
ICT/2025/0178 | Supplier D | 31.12.2026
Interactive interface preview · Request demo to see the system live

01 · Risk Event Aggregation

Collecting data from 7 sources: vulnerabilities, incidents, regulatory issues, CIS audits, missing support and more

R_total = Σ risk × impact

02 · Normalization with Risk Tolerance

Converting raw risk to a normalized risk score (0–100) accounting for the risk tolerance of each asset

Score = σ(R/T) × 100

03 · Dependency Propagation

Automatic risk spreading through the network of ICT asset dependencies

G(Score, β·linked)

04 · Critical Path Identification

Detecting the most critical failure points — assets whose risk affects the entire organization

min(Score_deps)

05 · Final Risk Score (KRI)

Resulting KRI indicator per ICT asset — accounting for all risk sources and dependencies

KRI = α·base + (1−α)·min

Quantitative Risk Engine

Quantitative risk scoring, not guesswork

The RISKBOW risk assessment engine automatically calculates KRI (Key Risk Indicators) per ICT asset, considering the entire dependency network. It propagates threats, identifies single points of failure, and predicts trends using AI.
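The five stages carried through on a constructed three-asset dependency graph, as an added example that is not RISKBOW code. The page does not define σ, G, or how β and α are applied, so the squash 1/(1+x), the β-weighted mean of direct dependencies in stage 3, the transitive weakest link in stage 4, and the defaults α=0.6, β=0.5 are all assumptions; the score direction (higher = healthier) follows the dashboard, where 34.2 is Critical and 91.7 is OK.

```python
# Constructed sample input, not RISKBOW data: risk events per asset as
# (likelihood, impact) pairs, tolerance T per asset, "depends on" edges.
EVENTS = {
    "db-prod":    [(0.8, 5.0), (0.6, 3.0)],   # e.g. critical vulnerability + incident
    "app-server": [(0.3, 2.0)],
    "payment-gw": [],                         # no open findings of its own
}
TOLERANCE = {"db-prod": 2.0, "app-server": 2.0, "payment-gw": 1.0}
DEPENDS_ON = {"db-prod": [], "app-server": ["db-prod"], "payment-gw": ["app-server"]}

def squash(x):
    """Assumed σ: a decreasing squash, 1.0 at zero risk and 0.5 when R equals T."""
    return 1.0 / (1.0 + x)

def transitive_deps(asset, graph, seen=None):
    """All assets reachable along 'depends on' edges; 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    for dep in graph.get(asset, []):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(dep, graph, seen)
    return seen

def compute_kri(events, tolerance, graph, beta=0.5, alpha=0.6):
    """Run the five stages; returns per-asset base, propagated, min_dep and kri."""
    # Stage 1: aggregate raw risk per asset, R_total = Σ risk × impact.
    r_total = {a: sum(p * i for p, i in ev) for a, ev in events.items()}
    # Stage 2: normalise against tolerance, Score = σ(R/T) × 100 (higher = healthier).
    base = {a: squash(r_total[a] / tolerance[a]) * 100.0 for a in events}
    # Stage 3: propagation; β pulls each score toward the mean of its direct dependencies.
    propagated = {}
    for a in events:
        deps = graph.get(a, [])
        linked = sum(base[d] for d in deps) / len(deps) if deps else base[a]
        propagated[a] = (1.0 - beta) * base[a] + beta * linked
    # Stage 4: weakest link on any dependency path, min(Score_deps).
    min_dep = {a: min([propagated[d] for d in transitive_deps(a, graph)] + [propagated[a]])
               for a in events}
    # Stage 5: KRI = α·base + (1-α)·min, taking the propagated score as "base".
    return {a: {"base": base[a], "propagated": propagated[a], "min_dep": min_dep[a],
                "kri": alpha * propagated[a] + (1.0 - alpha) * min_dep[a]}
            for a in events}

def single_points_of_failure(graph):
    """Assets ranked by how many other assets transitively depend on them."""
    counts = {a: 0 for a in graph}
    for a in graph:
        for d in transitive_deps(a, graph):
            counts[d] += 1
    return sorted(counts, key=lambda a: (-counts[a], a))
```

In this input the database's own KRI is about 25.6, and it drags the otherwise clean payment gateway down to about 63.3 through the dependency chain, which is the propagation effect the engine description refers to.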

5 calculation stages: from raw data to final KRI
7 risk sources: vulnerabilities, incidents, audits, compliance...
AI risk prediction: machine learning + auto-training
<30 s KRI update: continuous monitoring, not nightly batch

Platform Modules

Everything you need in one system

ICT Risk Assessment

Quantitative and qualitative risk assessment with automatic propagation through dependency graphs. Heat map + quantitative risk score. Risk appetite and risk tolerance definition per entity.

Risk Scoring · Heat map · Risk Appetite

Risk Register

Central risk register with inherent and residual risk breakdown. Risk self-assessment, approval workflow, multi-entity support. Cyber threat and scenario database.

Risk Register · Self-assessment · Workflow

Control Management

Security control library mapped to risks and regulatory requirements. Control effectiveness testing, gaps, and remediation plans.

Control Library · Effectiveness · Gap Analysis

ICT Incident Management

Registration, classification and handling of ICT incidents per DORA Art. 17–23. Regulator notification, root cause analysis, lessons learned.

DORA Art. 17–23 · Root Cause · Classification

Business Continuity (BCM)

BIA (MTPD/RTO/RPO) with automatic propagation. BCP and DRP builder, continuity testing, MAC per critical process.

BIA · BCP / DRP · MTPD / RTO

Supplier Assessment (TPRM)

Third-Party Risk Management — due diligence, audit surveys, concentration risk algorithm. SLA monitoring and exit plans.

TPRM · Due Diligence · Concentration

Contract Registry ICT

Contractual provisions register with automatic SPRPF-18/20 report generation and SPRPF-26/27 filters required by KNF.

SPRPF-18 · SPRPF-20 · KNF

Reporting and dashboards

Report builder, PDF/XLSX/CSV export. Role-based dashboards with real-time KRI. Reports for 1st, 2nd, and 3rd Line of Defense.

KRI Dashboard · 3 Lines of Defense · Real-time

How It Works

From source data to risk decisions

1. Integrate

Connect source systems — CMDB, vulnerability scanners, asset registries. Import XML/XLSX/CSV, SOAP/REST, ETL.

  • File and API connectors
  • SCD1/SCD2 historization
  • Asset relation graphs

2. Analyze

The engine automatically calculates KRI per ICT asset with propagation through dependency graphs. AI predicts risk trends.

  • 5-stage risk score calculation
  • Dependency analysis and single points of failure
  • AI-powered risk prediction

3. Act

Make risk decisions, monitor remediation plans, report to regulators. Full process accountability.

  • Treatment plans
  • Escalation and notifications
  • PDF/XLSX reports + SPRPF

Technology

Enterprise-grade stack. No vendor lock-in.

Built on proven enterprise technologies. Compatible with financial institution infrastructure. Open architecture — parameterizable algorithms, rules, and dictionaries.

Java / Spring Boot: Backend, REST API, Security
Python / Flask: Impact Calculator, ML Pipeline
Angular: Frontend, D3.js, Tailwind
PostgreSQL: SCD1/SCD2, historization
Kubernetes / OKD: Containerization, scaling
IAM + OAuth2 / OIDC: SSO, ADFS, CAS, LDAP

RISKBOW-api — architecture
// RISKBOW Architecture
+-----------------------------+
| Angular 19 (Frontend)       |
| D3.js · Vis.js · Tailwind   |
+--------------+--------------+
               | REST / SSE
+--------------+--------------+
| Spring Boot 3.4 (Backend)   |
| Java 21 · Security · Camel  |
+--------+-----------+--------+
         | STOMP     | JDBC
+--------+---+  +----+--------+
| ICS Python |  | PostgreSQL  |
| Flask · ML |  | SCD1 · SCD2 |
+------------+  +-------------+
On-premises   K8s/OKD   HA
Stack 100% enterprise-ready

Regulatory Compliance

Supported frameworks and standards

RISKBOW supports key risk management and information security standards — ready-made mappings, report templates, and compliance controls.

DORA

EU Regulation 2022/2554

Full support for Digital Operational Resilience Act requirements — ICT risk management, incidents, testing, critical suppliers.

Art. 5–16 Risk · Art. 17–23 Incidents · Art. 28–30 TPRM

ISO 27001:2022

+ ISO 27005 Risk Management

Annex A control mapping, ISO 27005-compliant risk assessment, Statement of Applicability (SoA), and risk treatment plan.

Annex A Controls · SoA · Risk Treatment

NIS2

EU Directive 2022/2555

Support for NIS2 cybersecurity requirements — risk management, incident reporting, supply chain security.

Art. 21 Risk · Art. 23 Reporting · Supply Chain

KNF SPRPF

ICT Contract Information Register

Automatic generation of SPRPF-18, SPRPF-20 registers and SPRPF-26/27 filters required by KNF for the financial sector.

SPRPF-18 · SPRPF-20 · SPRPF-26/27

COSO ERM

Enterprise Risk Management

Process structure aligned with COSO ERM — from governance and risk culture, through strategy, to monitoring and continuous improvement.

Governance · Strategy · Performance

ISO 31000

Risk Management Guidelines

The risk management process in RISKBOW follows the ISO 31000 cycle — identification, analysis, evaluation, treatment, monitoring, and review.

Identify · Assess · Treat & Monitor

Industries

Designed for the regulated sector

RISKBOW supports financial, insurance, and other regulated entities in ICT risk management, compliance, and operational resilience.

Insurance

Life and non-life insurance, reinsurance. Multi-entity, SPRPF-18/20/26/27, ICT contract register, KNF and EIOPA reporting.

  • Multi-entity structure (Insurance / Pension / Fund)
  • KNF SPRPF report generators
  • EIOPA guideline compliance
  • Supplier concentration risk

Banking

Commercial and cooperative banks, payment institutions. Full DORA support, EBA guidelines, core banking system integration.

  • DORA RTS/ITS compliance
  • ICT incident register (EBA)
  • Digital resilience stress tests
  • SSO integration (ADFS / CAS)

Leasing & Asset Management

Investment funds, leasing companies, brokerage houses. Supplier risk management, critical process BIA, ICT dependency mapping.

  • Supplier risk assessment (TPRM)
  • Business process BIA
  • Outsourcing contract registry
  • KRI dashboard per portfolio

Other Regulated Sectors

Energy, telecommunications, critical infrastructure. NIS2 compliance, ISO 27001, operational risk and business continuity management.

  • NIS2 / ISO 27001 compliance
  • Business continuity management
  • ICT asset register (CMDB)
  • On-premises deployment

Who in the organization?

CISO
Full ICT risk overview, risk appetite dashboards, board reporting
CRO / Risk Manager
Risk Register, KRI, heat map, 3 Lines of Defense, risk tolerance monitoring
Compliance Officer
DORA/NIS2 compliance, gap analysis, KNF report generators, audit trail
CTO / IT Director
ICT dependency graph, on-premises deployment, CMDB integration, K8s architecture

Pricing

Tailored to your needs

No hidden costs. Per named user license + annual support subscription.

Core

Basic ICT risk management

Custom
Get a quote
  • Risk engine (basic)
  • Risk Register + heat map
  • Basic reporting
  • Control management
  • SSO (LDAP)
  • BIA / BCM
  • TPRM / Incidents
  • AI Pipeline

Enterprise

Full platform + ML + customization

Custom
Talk to an expert
  • Everything from Professional
  • AI Pipeline (KRI prediction)
  • 3 Lines of Defense dashboards
  • Multi-entity (unlimited)
  • Dedicated account manager (SLA 4h)
  • Custom development
  • Managed deployment

Ready to manage ICT risk intelligently?

Schedule a free demo and see how RISKBOW propagates threats through your ICT asset dependency graph.