Templates for Risk Management
The Provenix-Insight templates provide structured frameworks for identifying, assessing and managing risks across projects, operations and governance-driven environments.
Each template is aligned with established risk management practices and regulatory expectations, while remaining fully configurable within the Provenix platform. Templates can be adapted to internal risk methodologies, assessment models and reporting requirements.
Different template variants are available to reflect:

- the size and risk profile of the organisation
- specific risk categories, scoring models and thresholds
- integrations with internal data sources or notification channels such as e-mail
These variants can be selected and managed directly within the Profile section of the Provenix software, enabling users to apply risk management structures that best fit their organisational context.
Templates provide a structured foundation and can be further extended using configurable workflows, calculation logic, automation tools and the internal scripting capabilities of Provenix-Insight.
| Template Code | Description | Regulatory / Legal Frameworks – USA | Regulatory / Legal Frameworks – UK | Regulatory / Legal Frameworks – EU |
|---|---|---|---|---|
| CONFLI | Conflict-of-interest declaration, assessment and mitigation workflow (including registers, approvals and periodic attestations) | Sarbanes-Oxley (SOX) (listed issuers); SEC disclosure expectations; FCPA (where relevant); state ethics rules where applicable | Companies Act 2006; UK Corporate Governance Code; FCA / PRA expectations (where applicable); Bribery Act 2010 | EU Corporate Sustainability Due Diligence (proposed/where applicable); national corporate governance codes; anti-corruption frameworks; sector rules where applicable |
| ETHICS | Ethics and conduct management: codes of conduct, training, attestations, breaches and escalation handling | Sarbanes-Oxley (SOX) (listed issuers); SEC disclosure expectations; FCPA; industry codes where applicable | Companies Act 2006; UK Corporate Governance Code; Bribery Act 2010; FCA/PRA conduct expectations (where applicable) | EU Corporate Sustainability Due Diligence (proposed/where applicable); national ethics/compliance frameworks; sector rules where applicable |
| POLICY | Policy governance: creation, ownership, versioning, review cycles, approvals and dissemination tracking | Sarbanes-Oxley (SOX) (listed issuers); SEC recordkeeping expectations; industry-specific policy requirements | Companies Act 2006; FCA / PRA governance expectations (where applicable); recordkeeping expectations | EU GDPR (where policies cover data); sectoral governance requirements; national corporate governance codes |
| AUDITR | Internal audit planning and delivery: audit universe, risk-based plan, fieldwork, findings, remediation and reporting | IIA Standards; PCAOB/SEC expectations (public issuers); SOX internal control environment | UK Internal Audit Standards / IIA UK guidance; FCA/PRA expectations (where applicable) | ISO 19011 (guidance); national internal audit/financial supervision expectations; EBA/ESMA guidance (where applicable) |
| GOVSTR | Governance structure risk review: decision rights, committee structures, delegations and governance gaps | SOX governance expectations (public issuers); SEC governance disclosures; industry rules where applicable | UK Corporate Governance Code; Companies Act 2006; FCA/PRA governance requirements (where applicable) | National corporate governance codes; sector governance requirements; EBA governance guidelines (where applicable) |
| COMPLN | Compliance monitoring programme: obligations register, monitoring plans, testing, issue management and reporting | SEC/FINRA (where applicable); SOX; industry obligations; state/federal compliance regimes | FCA Handbook / PRA Rulebook (where applicable); UK Corporate Governance Code; relevant sector obligations | EU sector obligations (e.g. MiFID II, PSD2, AMLD where applicable); national supervisory expectations |
| AMLCTF | AML/CTF risk framework: risk assessment, controls mapping, monitoring, suspicious activity workflows and reporting | BSA/AML; FinCEN regulations; OFAC sanctions; FATF guidance (implemented locally) | Money Laundering Regulations; Proceeds of Crime Act; OFSI sanctions; FCA expectations (where applicable) | EU AML Directives (AMLD); national AML laws; EU sanctions regimes; EBA AML guidelines |
| SANCTR | Sanctions compliance: screening governance, escalation, case handling, audit trail and reporting | OFAC sanctions; US export controls (where applicable); FinCEN/industry expectations | OFSI sanctions; UK export controls (where applicable); FCA expectations (where applicable) | EU sanctions regimes; national enforcement rules; sector guidance where applicable |
| PRIVCY | Privacy and data protection risk management: DPIAs, RoPA alignment, incident workflows and controls mapping | State privacy laws (e.g. CCPA/CPRA); sector privacy regimes (HIPAA/GLBA where applicable) | UK GDPR; Data Protection Act 2018; ICO guidance | EU GDPR; EDPB guidance; national supervisory authority guidance |
| CYSCR | Cybersecurity risk framework: controls mapping, risk assessment, treatment plans, monitoring and reporting | NIST CSF; SEC cyber disclosure rules (public issuers); sector rules where applicable | NCSC guidance; FCA/PRA cyber expectations (where applicable); UK cyber regulations where applicable | NIS2 Directive (where applicable); ENISA guidance; sector requirements |
| THIRDP | Third-party / vendor risk management: due diligence, onboarding, monitoring, contract controls and exit management | OCC/FDIC/FRB guidance (financial sector); SEC/FINRA expectations (where applicable); industry best practice | FCA/PRA outsourcing rules (where applicable); UK operational resilience expectations | EBA outsourcing guidelines (financial sector); DORA (where applicable); national supervisory expectations |
| OPRESL | Operational resilience programme: important business services, impact tolerances, mapping, testing and reporting | FFIEC guidance (financial sector); industry resilience guidance; state/federal expectations where applicable | FCA/PRA operational resilience policy; UK requirements for important business services | DORA (where applicable); EBA/ESMA resilience expectations; national supervisory guidance |
| BCPDR | Business continuity and disaster recovery: BIA, plan development, testing, lessons learned and governance reporting | FFIEC BCP guidance; industry BCP expectations; sector regulators where applicable | UK operational resilience expectations; industry BCP guidance; FCA/PRA where applicable | DORA (where applicable); national BCP expectations; ISO 22301 alignment (best practice) |
| FRAUDR | Fraud risk management: fraud risk assessment, controls, case management, reporting and remediation | SOX internal controls; SEC expectations; industry fraud frameworks; state/federal statutes | Fraud Act 2006; Bribery Act 2010 (related); FCA expectations where applicable | EU anti-fraud frameworks; sector obligations; national criminal law provisions |
| WHISTL | Whistleblowing programme: intake, triage, investigations, protection measures and reporting | Dodd-Frank whistleblower provisions (where applicable); SOX reporting channels; industry regimes | Public Interest Disclosure Act; FCA whistleblowing rules (where applicable) | EU Whistleblower Protection Directive; national implementation laws |
| INVEST | Investigation management: case intake, evidence tracking, actions, conclusions and governance reporting | SOX/SEC recordkeeping expectations; employment laws; sector rules where applicable | Employment law; FCA/PRA expectations where applicable; recordkeeping standards | National employment and compliance regimes; GDPR constraints where applicable |
| RISREG | Enterprise risk register: taxonomy, ownership, scoring models, controls, action plans and reporting pack | COSO ERM (best practice); SEC risk disclosures; SOX control environment | UK Corporate Governance Code; FCA/PRA risk governance expectations (where applicable) | EBA governance/risk guidelines (where applicable); national corporate governance codes |
| PRJRIS | Project risk management: project risk register, assessments, mitigations, escalations and reporting | PMI/industry best practice; contractual/project governance expectations | UK project governance standards; sector expectations where applicable | EU project governance norms; sector requirements where applicable |
| MODEL | Model risk management: inventory, validation, monitoring, issues and governance reporting | SR 11-7 (Fed); OCC 2011-12; regulatory expectations (financial sector) | PRA/FCA model risk expectations (where applicable); industry guidance | EBA model risk expectations; ECB guidance where applicable; national supervisory guidance |
| ITGC | IT general controls (ITGC) framework: control library, testing, issues and remediation tracking | SOX ITGC expectations; PCAOB guidance; SEC expectations | UK SOX-style expectations (where applicable); audit standards; sector regulators | EU audit expectations; national supervisory requirements; ISO 27001 alignment (best practice) |
| ACCESS | Access management risk framework: identity governance, role reviews, approvals and evidence collection | SOX; NIST; industry security standards; sector rules where applicable | NCSC guidance; FCA/PRA expectations (where applicable) | NIS2 (where applicable); ISO 27001 alignment; GDPR security principle |
| CHGCTL | Change management controls: change governance, testing requirements, approvals, deployment and audit trail | SOX control environment; audit standards; IT governance expectations | Audit and governance expectations; FCA/PRA where applicable | EU audit expectations; ISO 27001/ITIL alignment (best practice) |
| INCID | Incident management and reporting: classification, containment, communications and lessons learned workflow | SEC cyber reporting (public issuers); state breach notification laws; sector rules | UK GDPR breach reporting; ICO guidance; NCSC guidance | EU GDPR breach reporting; NIS2 incident reporting (where applicable); national authority guidance |
| SOCREP | SOC/assurance reporting support: evidence collection, control mapping, issue tracking and reporting pack | AICPA SOC 1/2; SOX; audit standards | ISAE 3402; assurance standards; audit expectations | ISAE standards; national assurance frameworks; sector expectations |
| ESGREP | ESG risk and reporting: data collection, controls, disclosures, governance and audit trail | SEC climate disclosure expectations (where applicable); state regimes; voluntary standards | UK TCFD-aligned reporting expectations (where applicable); FCA guidance | CSRD/ESRS (where applicable); EU taxonomy; national implementations |
| HSE | Health, safety and environment (HSE) risk framework: incident reporting, controls, actions and compliance tracking | OSHA requirements; EPA rules where applicable; sector obligations | HSE regulations; industry obligations; reporting requirements | EU OSH directives; national implementations; sector rules |
| FINRPT | Financial reporting risk controls: close process governance, controls testing, issues and remediation | SOX; SEC reporting rules; PCAOB expectations | Companies Act 2006; audit standards; FCA rules where applicable | EU audit expectations; national financial reporting rules; sector supervisors where applicable |
| TAXRISK | Tax risk management: risk identification, controls mapping, reporting and governance sign-off | IRS compliance regimes; state/federal tax obligations; governance expectations | UK tax governance and compliance expectations; HMRC guidance where applicable | EU tax compliance regimes; national tax governance expectations |
| REGCHA | Regulatory change management: horizon scanning, impact assessment, implementation tracking and reporting | Regulatory obligations management; SEC/FINRA updates where applicable; sector rules | FCA/PRA regulatory change expectations (where applicable); UK obligations | EU regulatory updates (e.g. EBA/ESMA/EIOPA where applicable); national implementations |
| DORA | Digital operational resilience (DORA) readiness: ICT risk management, incident reporting, testing and third-party oversight | Sector resilience expectations; FFIEC guidance; industry regimes | UK operational resilience requirements; FCA/PRA expectations | DORA (where applicable); EBA/ESMA guidance; national supervisor expectations |
| OUTSRC | Outsourcing and cloud risk: due diligence, contract controls, ongoing monitoring and exit planning | OCC/FDIC/FRB outsourcing guidance (where applicable); sector expectations | FCA/PRA outsourcing requirements (where applicable); UK operational resilience | EBA outsourcing guidelines; DORA (where applicable); national supervisory rules |
| TRADE | Market / trading conduct risk framework: surveillance governance, incidents, investigations and reporting | SEC/FINRA rules; CFTC where applicable; market conduct expectations | FCA market conduct rules; MAR (UK); PRA where applicable | MAR (EU); MiFID II conduct obligations (where applicable); national supervision |
| CONSUM | Consumer protection / fair treatment risk: policies, monitoring, complaints and remediation workflow | CFPB expectations; state consumer protection laws; sector rules | Consumer Duty (FCA); complaints handling rules; sector obligations | EU consumer protection directives; sector rules; national regulators |
| COMPLA | Complaints management: intake, classification, resolution, root cause analysis and reporting | CFPB/industry complaint handling expectations; sector rules | FCA DISP rules; Financial Ombudsman processes; sector rules | EU ADR/ODR frameworks; sector complaint rules; national requirements |
| KYC | KYC / onboarding risk controls: customer due diligence, approvals, screening and periodic review workflow | BSA/AML; FinCEN CDD Rule; OFAC screening expectations | Money Laundering Regulations; FCA expectations (where applicable); OFSI screening | EU AMLD; national CDD rules; sanctions regimes |
| CREDIT | Credit risk governance: risk appetite, monitoring, exceptions, approvals and reporting | Basel-aligned expectations (where applicable); OCC/FRB guidance; internal governance | PRA/FCA credit risk expectations (where applicable); internal governance | CRR/CRD (where applicable); EBA guidelines; national supervisor expectations |
| LIQUID | Liquidity risk governance: monitoring, stress testing workflow, controls and reporting | Basel-aligned expectations; FRB/OCC guidance; internal governance | PRA/FCA liquidity requirements (where applicable) | CRR/CRD liquidity requirements; EBA guidelines; national supervision |
| CAPITAL | Capital adequacy governance: ICAAP/ILAAP workflows, evidence collection and reporting packs | Basel/US capital rules; FRB/OCC expectations where applicable | PRA ICAAP/ILAAP expectations; FCA where applicable | CRR/CRD; ICAAP/ILAAP expectations; EBA guidelines |
| OPRISK | Operational risk framework: RCSA, KRIs, event management, actions and reporting | Basel-aligned operational risk expectations; OCC/FRB guidance; industry practice | PRA/FCA operational risk expectations (where applicable) | EBA operational risk expectations; national supervisor requirements |
| RCSA | Risk and Control Self-Assessment (RCSA): methodology, scoring, evidence, action tracking and reporting | Industry practice; internal control expectations; sector supervisors where applicable | Industry practice; FCA/PRA expectations where applicable | Industry practice; EBA/ESMA guidance where applicable |
| KRI | Key Risk Indicators (KRI) framework: KRI catalogue, thresholds, monitoring workflows and escalations | Industry practice; sector rules where applicable | Industry practice; sector rules where applicable | Industry practice; sector rules where applicable |
| LOSS | Loss event management: event capture, classification, root cause, actions and reporting | Basel-aligned operational risk practice; sector supervisor expectations | Operational risk practice; PRA/FCA where applicable | Operational risk practice; EBA guidance where applicable |
| CTRLIB | Controls library management: control catalogue, mappings, ownership, testing cycles and evidence | SOX control environment; COSO; audit expectations | Audit expectations; UK governance requirements | Audit expectations; ISO alignments (best practice); sector guidance |
| ISSUE | Issue and remediation management: findings, actions, owners, due dates, approvals and reporting | SOX remediation expectations; audit standards; sector requirements | Audit remediation expectations; FCA/PRA where applicable | Audit remediation expectations; sector supervisors where applicable |
| TRAIN | Compliance training and attestations: curricula, completion tracking, reminders and reporting | SOX ethics programme expectations; industry compliance expectations | FCA conduct expectations (where applicable); UK governance guidance | EU sector compliance expectations; national supervisory guidance |
| DISCPL | Disciplinary and HR compliance cases: case management, approvals, documentation and reporting | Employment law; compliance programme expectations; recordkeeping norms | UK employment law; governance expectations; recordkeeping norms | EU labour law frameworks (varies by member state); GDPR constraints where applicable |