FokusRM

Documentation and white papers

Operational guide for modern risk teams

Build a risk program that can sense change, route work, and defend decisions.

FokusRM combines risks, controls, evidence, findings, and human-approved agent workflows in one operating layer. Use this page to shape your rollout, define your cadence, and understand where agentic risk management and agentic audits fit safely into production.

10 core sections: Rollout, workflows, audits, reporting, and quantification in one hub.

HITL approval model: Agents draft and route work. Humans approve material decisions.

Board-ready outputs: Turn operating data into packs, exports, and defensible narratives.

What this hub is designed to help you do

  • Move from implementation to a repeatable weekly and monthly operating rhythm.
  • Understand where agents should prepare work and where humans should stay accountable.
  • Package risk operations into leadership-ready and audit-ready outputs.

Platform orientation

Introduction

FokusRM is built for teams that run cyber, technology, and third-party risk as a live operating discipline.

The platform connects risks, controls, evidence, findings, and reporting so operators can move from raw signal to accountable action without stitching context together by hand.

That same structure makes agent support useful instead of noisy: agents can gather, interpret, and draft, while humans stay responsible for approval, policy, and exceptions.

1 system, shared operating picture: Risks, controls, evidence, and findings stay in one traceable workspace.

Provider + tenant, structured collaboration: Managed-service teams and tenant teams can work together without collapsing boundaries.

Immutable decision trace: Approvals, rationale, and change history remain attached to material actions.

Use this page for

Rollout, operating design, and audit preparation

Treat the docs hub as a working playbook, not a brochure.

  • Define ownership and approval points
  • Stand up repeatable governance routines
  • Add agent support where review paths are already clear

What healthy operations look like

A program that moves when conditions change

Good risk operations are visible in the data and visible in the decisions.

  • Scores move when evidence changes
  • Control health reflects findings and freshness
  • Decisions can be explained later without reconstruction

Launch sequence

Getting Started

A clean rollout comes from sequencing governance before automation.

Start by locking down tenant boundaries, role design, and approval expectations. Only then seed the register, map controls, and define what evidence must exist for controls to be considered healthy.

Agent support should enter once the manual path is already disciplined. Automation works best when it amplifies a good operating model instead of compensating for a vague one.

1. Establish tenant and approval boundaries: Confirm who can propose, review, approve, and publish material changes.
2. Seed the register and scoring language: Import or create risks with clear ownership, categories, and calibrated score definitions.
3. Map controls and expected evidence: Define how each important scenario is reduced and how that reduction will be proven.
4. Create the operating cadence: Set weekly review points, monthly packs, and routines for stale evidence or overdue findings.
5. Introduce agent assistance carefully: Begin with triage, summarization, and draft preparation before orchestration.

First week

What to finish early

Complete the structural work that every later workflow depends on.

  • Role matrix
  • Baseline risk register
  • Initial control-to-risk map

First month

What good progress looks like

By month one, reporting and review flows should already feel routine.

  • A monthly decision pack
  • A repeatable evidence refresh process
  • A shortlist of agent-assisted tasks

Operational cadence

Daily Risk Workflow

Risk operations work best as a loop of review, update, escalation, and reporting.

Use the dashboard, register, findings queue, and evidence views as one continuous working surface. The goal is not to observe change passively; it is to route the right work before risk drift turns into governance drift.

Strong daily operations shorten monthly reporting cycles because the context is already maintained while the work is happening.

1. Morning signal review: Check score movement, stale evidence, blocked approvals, and overdue actions first.
2. Treatment and control triage: Update treatment posture, control links, and remediation priorities where exposure shifted.
3. Weekly governance checkpoint: Review appetite breaches, escalations, and progress on material findings.
4. Monthly leadership pack: Package trend movement, evidence posture, and required decisions for stakeholders.

Daily checks

Signals worth acting on now

Operators should know which movements create downstream audit or reporting risk.

  • Residual score movement
  • Controls with stale evidence
  • Pending approvals blocking treatment

Escalate when

Human attention is required

Do not let important risk movement hide in routine queues.

  • Appetite breaches
  • Unsupported control claims
  • Recommendations that change formal reporting

Security assurance

Trust Center

FokusRM is designed and operated with privacy, security hardening, and accountable governance as first-order requirements.

Our Trust Center explains how we approach GDPR alignment, platform security, and operational resilience in practice. We build the service for regulated and security-conscious environments, so privacy obligations, tenant boundaries, and reviewable control operation are treated as engineering requirements rather than afterthoughts.

We are a team of security practitioners and operators, and that background shapes how the platform is built. We use established control frameworks, disciplined change management, hardened infrastructure baselines, and layered technical safeguards so customers can evaluate not only product features, but the operating model behind them.

GDPR-aligned privacy posture: Data handling, access control, retention thinking, and processor responsibilities are designed to support GDPR obligations.

CIS-based hardening baseline: Systems are configured and reviewed against CIS-style security controls and hardening practices.

Defence in depth technical model: Application, identity, infrastructure, and monitoring controls work together instead of relying on a single barrier.

Privacy

How we support GDPR requirements

We structure the service to support core GDPR principles including lawfulness, purpose limitation, data minimization, integrity, confidentiality, and accountability.

  • Tenant-scoped data segregation and access enforcement reduce the risk of unauthorized disclosure.
  • Role-based access and backend permission checks help ensure personal data is only available to authorized users.
  • Audit records, review trails, and immutable change history support accountability and defensible governance processes.
  • Data handling processes are designed to support subject-rights workflows, retention reviews, and processor oversight.

Standards

Security standards and control frameworks

Our operating model is informed by widely used security frameworks and practical implementation standards rather than ad hoc controls.

  • CIS Controls and system hardening guidance inform baseline configuration and secure operational practices.
  • Risk, access, logging, vulnerability management, and incident handling are managed through documented internal processes.
  • Control selection is aligned to the needs of multi-tenant SaaS, regulated workflows, and audit-ready evidence collection.
  • Management oversight is built around repeatable review cycles, ownership, exception handling, and documented remediation.

People

Security expertise in design and operations

The platform is designed and operated by a team with deep security experience, and we apply that experience to both architecture and day-to-day service management.

  • Security is embedded in design decisions, not isolated as a final review step.
  • Operational controls are implemented to a high standard with a focus on traceability, least privilege, and resilience.
  • We favor reviewable, measurable controls over vague policy statements.
  • Security, privacy, and governance decisions are documented so they can be inspected and improved over time.

  • Data access is restricted by tenant scope, user type, role, and backend-enforced authorization paths.
  • Administrative and privileged operations are controlled, logged, and reviewed with immutable audit history for material events.
  • Systems are hardened using CIS-informed baselines, secure configuration standards, and controlled change processes.
  • Encryption is applied in transit and at rest, with secrets handled through managed controls and restricted operational access.
  • Monitoring, alerting, vulnerability management, backup, and recovery planning support service resilience and incident response readiness.
  • Technical and organizational measures are maintained as part of an ongoing management system, not a one-time setup exercise.

The Trust Center describes our security and privacy posture, technical safeguards, and operating discipline. Where customers need formal assurance artifacts, we can support due diligence discussions with the appropriate scope and documentation.

Agent-assisted operations

Agentic Risk Management

Agentic risk management turns the platform into a supervised system of action rather than a passive system of record.

The job of an agent is not to make governance disappear. The job is to reduce the time spent collecting, reconciling, and packaging information so humans can spend more time on judgment.

The safest pattern is explicit: agents observe change, explain why it matters, prepare draft actions, and route work through the right approval path with source context attached.

Observe, signal collection: Watch assessments, findings, controls, and evidence across modules.

Draft, recommended action: Prepare treatment updates, summaries, and ownership changes with rationale.

Route, human review: Send proposed changes to the correct approver before any write happens.

Pattern 1

Signal triage agents

Turn raw movement into an operator-ready queue with cited context.

  • Group related changes
  • Flag contradictions
  • Attach source links back to the record

Pattern 2

Control and evidence agents

Suggest missing control links, stale attestations, and evidence gaps before they become surprises.

  • Recommend control coverage
  • Surface missing evidence
  • Suggest refresh owners and timelines

Pattern 3

Treatment drafting agents

Prepare decision-ready treatment options and score narratives for human review.

  • Draft tradeoffs
  • Explain why exposure changed
  • Package leadership-ready context

  • Agents recommend; humans approve score changes, treatment changes, and published outputs.
  • Every mutating step still needs tenant context and backend permission checks.
  • Store citations, rationale, and timestamps for each recommendation.
  • Start narrow and repetitive before moving into multi-step orchestration.

Best first use cases: backlog triage, evidence summarization, assessment response review, and draft reporting support.

Assurance workflows

Agentic Audits

Agentic audits compress the work between evidence collection and audit-ready reporting without removing human judgment.

Audit teams lose time when evidence is scattered, claims are inconsistent, and workpapers have to be assembled from scratch. Agents can eliminate much of that mechanical work if the control model is already structured.

The value is not unattended auditing. The value is faster evidence assembly, clearer provenance, and better prepared reviewers.

1. Plan the scope: Define the framework, control set, evidence expectations, and materiality thresholds.
2. Gather and normalize evidence: Collect artifacts, extract metadata, and flag gaps against the target scope.
3. Compare evidence to expected outcomes: Turn control claims, evidence, and findings into test-ready workpapers.
4. Draft findings and report sections: Assemble issue language, request lists, and report blocks for reviewer sign-off.

Where agents help

Collection, comparison, and assembly

Use agents for the repetitive parts of audit preparation.

  • Evidence maps
  • Missing artifact requests
  • Cross-references between controls, findings, and documents

Where humans stay in control

Materiality and final opinion

Auditors still decide what is sufficient, material, and reportable.

  • Approve severity
  • Confirm exceptions
  • Sign off on external outputs

Outputs

Audit-ready packages

The target is a reviewable package with provenance, not an opaque summary.

  • Evidence indexes
  • Draft findings
  • Reusable report sections

The goal is faster assurance with stronger provenance, not unattended audits.

Module guide

Feature Reference

Each module should produce a specific operating outcome inside the same risk system.

Use the platform as a connected operating model rather than a collection of isolated pages. Each module should strengthen the others by preserving links between risk, control, evidence, and remediation work.

The descriptions below focus on the job each module should do in a healthy program.

System of record

Risk Register

Track ownership, scoring, treatment posture, and rationale over time.

  • Inherent, residual, and target scores
  • Category and domain ownership
  • Reviewable treatment history

Control layer

Controls

Track whether controls are designed, operating, and reducing exposure.

  • Control-to-risk linkage
  • Effectiveness signals
  • Health driven by evidence and findings

Execution layer

Assessments

Run internal and third-party questionnaires with reviewable provenance.

  • Structured response collection
  • Vendor workflows
  • Approval checkpoints

Remediation layer

Findings

Move issues from intake to closure with owners and due dates attached.

  • Lifecycle tracking
  • Ownership
  • Links back to risks and controls

Evidence layer

Evidence

Maintain defensible documentation that supports control operation and audits.

  • Versioning
  • Freshness awareness
  • Direct control mapping

Acceleration layer

Risk Catalogues

Seed new registers quickly without losing review discipline.

  • Library imports
  • Mapping during import
  • Duplicate handling

Control plane

Security & Access

Agent support only works if the control plane is stronger than the automation.

Every workflow on this page assumes tenant isolation, backend-enforced permissions, and immutable event history for material changes.

That matters even more in agentic workflows because the system must preserve who proposed a change, who approved it, and what records were used to justify it.

Boundary 1

Tenant isolation

Reads, writes, and evidence references must stay inside tenant context.

  • Tenant-aware repositories
  • No client cross-tenant access
  • Scoped provider assignments

Boundary 2

Permission enforcement

Authorization belongs in the backend so UI convenience never becomes an admin bypass.

  • Permission-checked writes
  • Proposal versus approval rights
  • Controlled export and publication rights

Boundary 3

Audit chaining

Material changes should preserve a reviewable chain of cause, approval, and resulting state.

  • Change records
  • Rationale
  • Actor and timestamp history

  • Use least-privilege defaults for tenant and provider users.
  • Review operator-to-tenant assignments on a fixed cadence.
  • Require approvals for score changes, treatment changes, and report publication.
  • Treat background jobs and agent credentials like privileged system actors.

Review provider/operator access and publication rights regularly, especially after onboarding new teams.
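The proposal-then-approval path described under Agentic Risk Management and the three boundaries above, shown as an added Python example that is not FokusRM's own code: a tenant-keyed store where an agent can only propose a residual-score change, a human with a different identity must approve it before any write happens, and every material event lands in a hash-chained audit trail. The role names, permission strings, proposal shape and risk record layout are assumptions made for this example.

```python
import hashlib, json
from collections import namedtuple
from datetime import datetime, timezone

# Assumed role model: agents and analysts may propose; only risk owners approve.
ROLE_PERMISSIONS = {"agent": {"risk.propose"}, "analyst": {"risk.propose"},
                    "risk_owner": {"risk.propose", "risk.approve"}}
Principal = namedtuple("Principal", "tenant actor role")

class TenantStore:
    def __init__(self):
        self.risks = {}      # (tenant, risk_id) -> record such as {"residual": 12}
        self.proposals = {}  # proposal id -> proposal dict
        self.audit = []      # chained entries, each with prev hash and own hash

    def _check(self, p, tenant, perm):
        # Backend-enforced authorization: tenant scope first, then role permission.
        if p.tenant != tenant:
            raise PermissionError(f"{p.actor} is outside tenant {tenant}")
        if perm not in ROLE_PERMISSIONS.get(p.role, set()):
            raise PermissionError(f"role {p.role} lacks {perm}")

    def _record(self, event, p, **data):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "event": event, "tenant": p.tenant, "actor": p.actor,
                 "role": p.role, "ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **data}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append({**entry, "hash": digest})

    def propose(self, p, tenant, risk_id, residual, rationale, citations):
        # Agent or analyst drafts a residual-score change; nothing is written yet.
        self._check(p, tenant, "risk.propose")
        pid = f"prop-{len(self.proposals) + 1}"
        self.proposals[pid] = {"tenant": tenant, "risk_id": risk_id, "residual": residual,
                               "rationale": rationale, "citations": list(citations),
                               "proposed_by": p.actor, "status": "pending"}
        self._record("proposal.created", p, proposal=pid, **self.proposals[pid])
        return pid

    def approve(self, p, pid):
        # Human approval applies the write; proposer and approver must differ.
        prop = self.proposals[pid]
        self._check(p, prop["tenant"], "risk.approve")
        if p.actor == prop["proposed_by"]:
            raise PermissionError("proposer cannot approve their own change")
        self.risks[(prop["tenant"], prop["risk_id"])]["residual"] = prop["residual"]
        prop["status"] = "approved"
        self._record("proposal.approved", p, proposal=pid, risk_id=prop["risk_id"],
                     residual=prop["residual"])

    def verify_chain(self):
        # Recompute every hash; an edited, dropped or reordered entry breaks the chain.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True
```

A proposal from an agent leaves the risk record untouched until a risk owner in the same tenant approves it, and editing any stored audit entry afterwards makes verify_chain() return False.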

Decision outputs

Reporting & Exports

Reporting should translate operational movement into decisions, not simply repeat the register.

Build a standard package for weekly operations, monthly leadership review, and audit preparation. Consistency matters because leadership should not have to relearn the structure every cycle.

Well-designed reporting shows direction of travel, blocked actions, and pending approvals before the reporting window closes.

Operational

Working views for operators

Use list filters and dashboards to manage movement, backlog, and stale evidence.

  • Trend views
  • Queue monitoring
  • Evidence freshness

Executive

Leadership packs

Summarize exposure shifts, treatment progress, and decisions that need direction.

  • Top risks
  • Overdue actions
  • Decision requests

Audit

Traceable exports

Prepare exports that preserve provenance, ownership, and status.

  • Evidence indexes
  • Finding summaries
  • Time-stamped exports

  • Standardize your monthly package so leadership sees the same signal structure each cycle.
  • Show trend direction, not only a current-state snapshot.
  • Separate pending approvals from accepted decisions.

Financial decision support

Financial Quantification (Open FAIR)

Open FAIR helps teams compare treatment choices in financial terms without losing the scenario narrative.

Quantification is most useful when leadership must choose between competing treatment options or justify new investment. It is not a replacement for risk reasoning; it is an extension of it.

The strongest outputs come from scenarios that are already grounded in current controls, current evidence, and a clearly defined loss story.

Input quality

Frequency calibration

Model how often a scenario may occur using reviewable assumptions.

  • Use ranges
  • Tie assumptions to the scenario
  • Revisit values when posture changes

Loss modeling

Magnitude assumptions

Capture likely and tail loss ranges without pretending to be more precise than the data allows.

  • Low, likely, and high inputs
  • Primary and secondary loss
  • Documented assumptions

Decision support

Treatment comparison

Use simulation output to compare mitigation, transfer, acceptance, and further data gathering.

  • ALE
  • Value at Risk
  • Loss distribution tradeoffs

  • Keep the scenario narrative and the financial model together.
  • Share assumptions with approvers so they can challenge the model, not only the output.
  • Tie quantification back to current controls and evidence, not generic scenario labels.
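The frequency calibration, magnitude assumptions and treatment comparison described above, carried through as an added Python example that is not FokusRM's own quantification engine: low / likely / high ranges for event frequency and for primary and secondary loss feed a Monte Carlo simulation that reports ALE and a 95% Value at Risk per treatment option. The scenario values, the triangular sampling and the secondary-loss probability are constructed assumptions for illustration.

```python
import random
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Range:
    """Calibrated low / likely / high estimate; a range, not a point value."""
    low: float
    likely: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # Triangular sampling keeps the stated bounds without faking precision.
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    name: str
    event_frequency: Range        # loss events per year
    primary_loss: Range           # currency lost per event
    secondary_probability: float  # share of events that also trigger secondary loss
    secondary_loss: Range         # currency per event when secondary loss occurs

@dataclass(frozen=True)
class Result:
    name: str
    ale: float    # annualized loss expectancy: mean simulated annual loss
    var95: float  # 95th-percentile annual loss (value at risk)
    worst: float  # largest simulated year, for tail discussion

def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method; adequate for the small event rates risk scenarios use."""
    limit, count, p = 2.718281828459045 ** -lam, 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1

def simulate(scn: Scenario, trials: int = 20000, seed: int = 42) -> Result:
    """One simulated year per trial: draw a rate, then a loss for each event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        loss = 0.0
        for _ in range(poisson(scn.event_frequency.draw(rng), rng)):
            loss += scn.primary_loss.draw(rng)
            if rng.random() < scn.secondary_probability:
                loss += scn.secondary_loss.draw(rng)
        annual.append(loss)
    annual.sort()
    return Result(scn.name, mean(annual), annual[int(0.95 * (trials - 1))], annual[-1])

def compare(options: list) -> list:
    """Rank treatment options by ALE so approvers see the tradeoff, not one number."""
    return sorted((simulate(s) for s in options), key=lambda r: r.ale)

# Constructed scenario: a vendor data-leak story, and one control that halves event frequency.
BASELINE = Scenario("accept: current controls", Range(1, 2, 4),
                    Range(50_000, 200_000, 1_000_000), 0.25, Range(100_000, 400_000, 2_000_000))
MITIGATED = Scenario("mitigate: new control", Range(0.5, 1, 2),
                     Range(50_000, 200_000, 1_000_000), 0.25, Range(100_000, 400_000, 2_000_000))
```

Calling compare([BASELINE, MITIGATED]) returns both results ordered by ALE, and the Range objects double as the documented assumptions an approver can challenge.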

Issue handling

Support & Escalation

Fast support depends on precise context and clear impact statements.

Support moves faster when requests arrive with enough detail to reproduce the issue and judge impact quickly.

That matters even more when the issue touches audit dates, leadership reporting windows, or blocked approvals.

1. Include module, tenant, and impact: State which workflow is affected and whether operations, reporting, or audits are blocked.
2. Attach timestamps and reproduction steps: Provide exact times, user actions, and the expected versus actual outcome.
3. Flag governance deadlines: Mention committee meetings, audit dates, or executive pack windows at risk.
4. Request coordinated escalation when needed: Use live coordination when the issue spans multiple operators or teams.

Always include

Context that speeds triage

Precise incident packets reduce back-and-forth and shorten time to action.

  • Affected page or workflow
  • User email, role, and tenant
  • Error text and impacted output

Escalate immediately

Issues that should not wait

Some failures create governance risk if they sit in a queue.

  • Blocked material approvals
  • Broken audit or board exports
  • Access failures during incident response
