Banking / FinServ

Model risk + operational resilience, in one platform

Model Risk Management (SR 11-7 / OCC 2011-12), DORA operational resilience, SOX 404 IT controls, PCI DSS, FFIEC, AML/BSA, NIST AI RMF, and prudential reporting for banks, insurers, and regulated FinServ.

8 lifecycle phases
41 auto-seeded gate criteria
26 SysML stencil blocks
18 program templates
Methodology-backed by
Methodology

SR 11-7 · DORA · SOX · PCI · AML · NIST AI RMF

Every model and every critical ICT asset runs through the same 8-stage lifecycle — Concept, Development, Independent Validation, Implementation, Deployment, Monitoring, Annual Review, Retirement. 40+ gate criteria cover SR 11-7 / OCC 2011-12, DORA Articles 5-28, SOX 404 ITGCs, PCI DSS v4, FFIEC BSA/AML, NIST AI RMF 1.0, and BCBS 239. Purpose-built for banks, insurers, and regulated FinServ.

1. Concept: Concept & Business Case
2. Development: Development / Build
3. Validation: Independent Validation
4. Implementation: Implementation & UAT
5. Deployment: Deployment / Go-Live
6. Monitoring: Ongoing Monitoring
7. Annual Review
8. Retirement: Decommissioning

What's Included

Everything programs in your industry actually need

📋

Review Gates Out-of-the-box

41 readiness criteria auto-seeded on every new program. No blank-page starts.

🧱

Native MBSE Stencils

SysML palette with 26 blocks specific to your domain — drop and go.

🎯

Program-type Templates

18 archetypes pre-configured so you start from the right place.

🤖

AI-assisted, Domain-aware

Our AI advisor knows SR 11-7 / DORA — not generic SE. Prompts, references, and deliverables frame themselves correctly.

Built for

Program archetypes we support

📊
Credit Risk Model
PD / LGD / EAD or scorecard under SR 11-7
🤖
AI / ML Model
LLM or ML system under NIST AI RMF + SR 11-7
🏦
CCAR / DFAST Submission
Annual stress test submission — capital & stress models
💳
Payment Platform
Card, ACH, RTP / FedNow, SWIFT, or wallet platform
🔗
Third-Party Onboarding
Critical ICT vendor — DORA / FFIEC / OCC 2013-29
🧾
SOX 404 Scoping
Annual SOX ITGC scoping + walkthrough cycle
Inside the pack

Every tool your program needs, shipping today

Every obligation gets a dedicated page — model inventory, validation workbench, DORA third-party register, SOX ITGC tracker, PCI ROC, AML program. Full doc generation, evidence attachment, delete-safe cross-references. No more shared-drive Word docs or GRC-tool data prisons.

Model Risk SR 11-7 / OCC 2011-12 model lifecycle

Inventory → development → independent validation → monitoring → annual review. One model, one traceable story from business case to retirement.

📚
Model Inventory
Tiered inventory (Tier 1 / 2 / 3) with owner, developer, validator, last review, next review, and intended-use scope.
SR 11-7 / OCC 2011-12
🧪
Validation Workbench
Conceptual soundness, outcomes analysis, challenger benchmarking, ongoing monitoring adequacy — each with findings attached and rated.
SR 11-7
📈
Backtesting & PSI Monitor
Performance vs thresholds, input drift (PSI), population stability — run on declared cadence with escalation triggers.
SR 11-7 OM principles
📝
Findings & Remediation
Finding rating, routing, due dates, and closure evidence — tied to models, not lost in a GRC black box.
SR 11-7 / internal audit

Operational Resilience DORA · FFIEC · TLPT

The EU DORA operational-resilience obligations — and the US FFIEC equivalents — mapped to one register, one incident path, one testing cycle.

🧱
DORA ICT Risk Register
Critical and important ICT assets with ownership, dependencies, and review cadence per DORA Article 8.
DORA Art. 5–16
🔗
Third-Party Register
Every ICT provider with subcontracting, concentration risk, exit plan, and tested fallback — DORA Art. 28.
DORA Art. 28–30
🚨
ICT Incident Reporter
Initial (4h) / intermediate (72h) / final (1 month) notification with auto-timeline and authority routing.
DORA Art. 19
🎯
TLPT Planner
Threat-Led Penetration Testing plan per TIBER-EU — 3-year cycle with scope, red/blue, and purple-team debrief.
DORA Art. 26 / TIBER-EU

IT Controls & Compliance SOX ITGC · PCI DSS · FFIEC CAT · NIST AI RMF

The control cycles that never stop — walked, evidenced, and auditor-ready without copy-pasting from spreadsheets.

🧾
SOX ITGC Tracker
Change management, logical access, operations controls per in-scope system. Walkthrough memo, sample testing, deficiency rating.
SOX 404 / COSO / PCAOB AS 2201
🪪
PCI DSS ROC / SAQ
CDE scope, segmentation tests, crypto inventory, and evidence per Req 1-12 with compensating-control logs.
PCI DSS v4.0
🛡️
FFIEC CAT Assessment
Cybersecurity Assessment Tool inherent-risk + maturity with heat map and gap-closure tracking.
FFIEC CAT
🤖
NIST AI RMF Profile
Govern / Map / Measure / Manage profile for each AI/ML system with evidence and risk treatment.
NIST AI RMF 1.0

AML / BSA / Fair Lending AML program · Sanctions · ECOA

The financial-crime stack — tuning cycles, list coverage, and fair-lending testing — traced like any other model.

🕵️
AML / BSA Program
Transaction monitoring scenarios with ATL/BTL tuning, threshold history, and model-governance sign-off.
FFIEC BSA/AML Exam Manual
🚫
Sanctions Screening
OFAC / UN / EU / HMT coverage, fuzzy-match calibration, false-positive rate tracking.
OFAC / FFIEC / EU
⚖️
Fair Lending / ECOA
Disparate-impact testing, adverse-action reason codes, and steering-test evidence for credit models.
ECOA / Reg B / CFPB

Data & Prudential BCBS 239 · KRIs · CCAR / DFAST · LCR / NSFR

Risk data aggregation and prudential reporting — with real lineage, not a lineage diagram in PowerPoint.

🧵
BCBS 239 Data Lineage
Golden source → report lineage with transformations, DQ checks, and GL reconciliation attached.
BCBS 239
📊
KRI / KCI Dashboard
Green / amber / red thresholds with owner, breach log, and escalation to Risk Committee.
ORX / ORM best practice
📉
CCAR / DFAST Stress Test
Submission tracker covering PPNR / credit / market / operational stress models with scenario narratives.
SR 15-18 / Dodd-Frank 165(i)
💧
LCR / NSFR Tracker
Daily LCR and quarterly NSFR assembly with HQLA composition and outflow categorization.
Basel III / 12 CFR 249
📑
FFIEC Call Report
Call Report 031/041 schedule preparation with GL tie-out and variance commentary.
FFIEC 031 / 041

Depth 22 starter requirements · 27 SysML blocks · 5 doc templates

The pack ships deep. Starter requirements cover model governance, AI, DORA, SOX, PCI, AML, data, and security. SysML blocks for models, rails, controls, CDE zones. Doc-gen for MDD, Validation Report, DORA Incident, SOX Walkthrough, NIST AI RMF Profile.

📐
Starter Requirements
22 starter requirements across MRM, AI governance, DORA, SOX, PCI, AML, BCBS 239, and security baselines.
SR 11-7 / DORA / SOX / PCI / FFIEC
🧱
Banking SysML Palette
27 pre-configured blocks — Risk Model, AI System, Payment Rail, Core Banking, ICT Asset, SOX ITGC, PCI Zone, IAM, HSM, and more.
OMG SysML
📄
Doc-gen Templates
Model Development Document · Independent Validation Report · DORA Incident Report · SOX ITGC Walkthrough · NIST AI RMF Profile — real content, not stubs.
Regulatory boilerplate
🎯
Program Archetypes
17 templates — Credit / Market / AML / AI models, CCAR, Core Banking, Payments, Trading, Treasury, Risk Data Platform, Third-Party Onboarding, Resolution, SOX scoping, PCI scope, and more.
30-day pilot. No credit card required.
Your data in, your data out. Standard formats only.
Self-hosted option for classified programs.

Your first industry pack is free.

Every subscription includes one vertical pack at no extra cost. Add Banking / FinServ today — $0 for your first pack, forever.