# Riskflow

> Riskflow is a modern Governance, Risk, and Compliance (GRC) platform designed for power users. It connects assets, risk analyses, and controls in one place with automatic tag inheritance through hierarchies.

Riskflow is a Europe-based GRC solution built to meet rigorous regulatory standards (GDPR, DORA, BSI-GS). Founded by Robin Verton (IT-Security) and Pascal Verton (UX-Design), the platform focuses on simplifying complex compliance workflows through intelligent automation and clear visualization.

## Core Concepts

### Objects

Objects are the building blocks of Riskflow. They represent assets, applications, processes, data categories, or projects. Each object has:

- A unique identifier and descriptive name
- An object type (Asset, Process, Application, Server, Database, etc.)
- Tags for classification and filtering
- Optional metadata and URLs

Riskflow is not a CMDB - your existing inventory remains the system of record. Riskflow references and enriches objects for governance, risk, and compliance purposes.

### Hierarchies

Hierarchies make relationships between objects visible and manageable through parent-child links. Objects can have multiple parents (e.g., a project serving several processes). The hierarchy view displays:

- The focused object as a card
- Parents above and children below
- CC badges indicating attached Control Cards
- Tags on each object

### Tags

Tags are a fundamental component for labeling objects with keywords (e.g., `cloud:aws`, `GDPR`, `ISMS`). There are three types:

- **Normal tags**: Solid gray tags that classify/label objects for filtering
- **Inherited tags**: Tags marked as inheritable automatically flow to all children in the hierarchy (shown with a downward arrow)
- **Exclude tags**: Block specific tag inheritance within the hierarchy (shown in green with strikethrough)

Tags can be organized into tag groups with optional ranking. When ranking is enabled, the highest-ranked tag in a group takes precedence.

### Analyses

Analyses are structured assessments attached to objects based on predefined questionnaires (Analysis Forms). They provide:

- Protection needs analysis (SBA)
- Business Impact Analysis (BIA) with MTPD/RTO calculations
- CIA classification (Confidentiality, Integrity, Availability)

Each analysis has versioning (e.g., SBA 1.0, SBA 2.0) for traceability. Analyses can generate tags that automatically attach to objects.

### Analysis Forms

Customizable questionnaires with:

- Question types: Text, Number, Yes/No, Multiple Choice, Business Impact
- Versioning and change tracking
- Output configuration using Lua scripting for conditional tag assignment
- Template import from marketplace

### Control Catalogs

Structured collections of controls for compliance assessments. Support for:

- Custom catalogs or imports (CSV)
- Pre-built templates for BSI-GS, DORA, DSGVO, etc.
- Versioning with unique title+version combinations
- Control status: fulfilled, not fulfilled, or challenged

### Control Cards

Control Cards group mapped controls so you can respond once to controls that apply across multiple objects. Three attachment methods:

- **Option A - Auto-assign**: Create on parent, automatically attach to all children
- **Option B - Manual assign**: Create on object, manually select which objects receive it
- **Option C - Choose existing**: Assign object to existing Control Card

Control Cards can be shared with collaborators for delegation.

## Key Features

- **Tagging System**: Smart inheritance mechanism where tags flow through hierarchies
- **Tree View**: Visual hierarchy navigation showing dependencies and relationships
- **Form Editor**: Intuitive questionnaire builder with Lua scripting support
- **Control Assessment Hub**: Centralized evidence management and control evaluation
- **Template Library**: Pre-built analyses and control catalogs (BSI-GS, DORA, DSGVO)
- **Recertification**: Automatic reopening of controls/analyses for lifecycle management
- **Insights Dashboard**: Real-time compliance status and pending task visibility
- **ServiceNow Integration**: Bidirectional sync - import assets, push back enriched attributes
- **CSV Import**: Bulk import for objects and control catalogs
- **Collaborator Management**: Share Control Cards with time-limited access

## Design Principles (DNA)

1. **Europe-first compliance**: Built for GDPR, DORA, and strict EU regulations
2. **Minimal overhead, maximum impact**: Essential GRC modules without feature bloat
3. **Integrate, don't replace**: Sync with existing systems via CSV or API
4. **End-to-end workflow**: From asset identification to control mapping
5. **Automate early and continuously**: Minimize manual input through inheritance
6. **Explicit over implicit**: Clear visualization of data flow and tag origins
7. **Embrace flexibility**: Multiple views (graph, list, matrix), customizable rules
8. **Convention over configuration**: Sensible defaults with override options

## Deployment Options

- Cloud hosted
- On-premises
- Own cloud

## Documentation

- [Riskflow Docs](https://sulfuric-veil-b8b.notion.site/Riskflow-Docs-1b991d3138fc8015bbf8f1f923ea596a)
- [Hierarchies in Riskflow](https://sulfuric-veil-b8b.notion.site/Hierarchies-in-Riskflow-1c391d3138fc800c9669f6d02d2b29b8)
- [Tags](https://sulfuric-veil-b8b.notion.site/Tags-1c391d3138fc8001ba11f9765e532b33)
- [Objects](https://sulfuric-veil-b8b.notion.site/Objects-1c391d3138fc80099492e19dc5b1b69b)
- [Controls and Control Cards](https://sulfuric-veil-b8b.notion.site/Controls-and-Control-Cards-1c391d3138fc80b89f37da5246dffb48)
- [Analyses](https://sulfuric-veil-b8b.notion.site/Analyses-1c391d3138fc806ea507f6512721f660)
- [Analyse Forms](https://sulfuric-veil-b8b.notion.site/Analyse-Forms-1b991d3138fc812392b7f97c2285bfd6)
- [Control Catalogs](https://sulfuric-veil-b8b.notion.site/Control-Catalogs-1c391d3138fc80bab5fbcd408fde3406)
- [Collaborators](https://sulfuric-veil-b8b.notion.site/How-to-invite-and-manage-collaborators-1c391d3138fc80519901fd70f7ba259c)

## Links

- Website: https://riskflow.app
- Application: https://use.riskflow.app
- DNA/Principles: https://riskflow.app/dna/
- Contact: https://riskflow.app/contact/
- Email: info@riskflow.app

## Supported Frameworks

- BSI-Grundschutz (BSI-GS)
- DORA (Digital Operational Resilience Act)
- DSGVO/GDPR
- ISMS (Information Security Management System)
- Custom control catalogs

## Workflow Overview

1. **Synchronize assets**: Import from CMDB/ServiceNow or CSV
2. **Arrange and tag**: Build hierarchies, assign tags with inheritance
3. **Carry out analyses**: Attach analysis forms, generate protection tags
4. **Evaluate control impact**: Map controls to assets based on tags
5. **See the full picture**: Dashboard visualization for management decisions

## FAQs

**What makes Riskflow unique?**

All-in-one GRC approach integrating asset management, risk assessment, and control mapping in a single platform with automatic inheritance.

**Is it suitable for small businesses or enterprises?**

Scalable for organizations of any size - works with hundreds or hundreds of thousands of objects.

**How secure is my data?**

Europe-based with strict data protection compliance. Supports cloud, on-prem, or own-cloud deployment.

**What integrations are available?**

ServiceNow integration with bidirectional sync. CSV import/export for all data types.