CITADEL Governance, risk & compliance
Risk posture Snapshot 15 Jun 2026

Enterprise risk & compliance · 4 frameworks · 6 business units

Know exactly where your risk lives.

CITADEL maps every risk, control and compliance obligation in one place, so residual exposure and control gaps read as a heat-map you can act on, not a spreadsheet you dread.

GRC at a glance

Is our exposure under control?

Eight vitals for the programme, each against its 12-month trend. Filter or click any mark below to focus the whole page.

01 · Risk posture

Where the risk concentrates, before and after controls

The shape of the register: the inherent-vs-residual heat map, how open risk has trended, which categories carry it, how controls move inherent exposure to residual, and where residual sits against appetite.

Risk heat map: inherent vs residual
Likelihood × impact; bubble area = exposure. Toggle inherent / residual.
Signature chart · 5×5 matrix · click a bubble to cross-filter risk level
Open risk over time
Monthly open risks, stacked by residual level
Stacked area · Low / Medium / High / Critical
Risk by category
Count & exposure, sorted
Sorted bars · click to cross-filter category
From inherent to residual risk
Mitigation contributed by each control type
Waterfall · exposure $ · running connectors
Residual risk vs appetite
Per category, against the appetite threshold
Bullet bars · exposure $ vs appetite marker
02 · Bowtie & controls

How a top risk is actually controlled

The bowtie for a chosen top risk — threats, preventive barriers, the top event, mitigating barriers and consequences — plus how effective controls are by type and framework, whether risks are truly covered, and the overall control status.

Bowtie: how a top risk is controlled
Threats → preventive barriers → top event → mitigating barriers → consequences
Signature chart · hand-rolled bowtie · barriers coloured by control effectiveness · pick a risk in-panel
Control effectiveness
Mean effectiveness by control type × framework
Heatmap · value-in-cell · sequential scale
Are risks actually covered?
Risks by effective / partial / uncovered control
Stacked bars · per risk category
Control status
Share by status; centre = effectiveness %
Donut (≤4) · centre KPI
03 · Compliance frameworks

Are we compliant against our frameworks?

Posture across ISO 27001, SOC 2, NIST CSF and GDPR — the radial composition of every domain by status, framework-level implementation, the improving trend, where the gaps cluster, and NIST CSF maturity against target.

Compliance by framework
Each framework's domains, coloured by status; inner ring = overall %
Signature chart · radial / sunburst · framework → domain → status
Framework implementation
Implemented / partial / gap, sorted by score
100% stacked bars · direct-labelled %
Compliance is improving
Monthly weighted compliance score, per framework
Multi-line · direct-labelled endpoints
Where the gaps are
Framework × domain; gaps highlighted
Heatmap · status by domain
NIST CSF maturity
Current maturity vs target, per function
Radar · Govern / Identify / Protect / Detect / Respond / Recover
04 · Findings & treatment

What's open, and is remediation keeping pace?

The findings register with aging and severity, how findings flow in by severity over time, the treatment pipeline from identified to complete, whether open treatments are burning down to plan, and who is carrying overdue work.

Findings register
Source, severity, framework, owner, age and status — sortable; overdue tinted
First-class table · click a row to cross-filter
Findings by severity
Monthly findings opened, stacked by severity
Stacked bars over time · severity 1–5
Treatment pipeline
Identified → planned → in-progress → complete
Funnel · counts + conversion
Open treatments burndown
Open treatment count vs an ideal burndown
Line vs ideal · open actions/week
Overdue treatments by owner
Overdue remediation count, sorted
Sorted bars · click to cross-filter owner
05 · Exposure

Where the dollars at risk are

Residual likelihood against impact with the top exposures named, exposure by business unit and category, the largest individual risks, the rhythm of control testing, and the programme's vitals as small multiples.

Likelihood vs impact
Residual L × I; bubble area = exposure; quadrants labelled
Scatter + quadrant lines · top exposures named
Exposure by business unit
Exposure $ by BU, then category, sized to share
Treemap · exposure $
Top risks by exposure
Title, category, L × I, exposure, treatment, owner
First-class table · top 12 by residual exposure · trend spark
Control testing cadence
Controls tested per week across the window
Calendar heatmap · tests/day · gaps visible
GRC vitals
Small-multiple trends across the programme
Small-multiple sparklines