For risk & compliance practitioners
Your next risk program starts here.
Excel frameworks grounded in SR 11-7, FFIEC, NIST AI RMF, and 20+ regulatory standards. Buy once, tailor to your program, deploy in days.
20+
Ready-to-deploy templates
$49–$79
Individual templates
20+
Regulatory standards covered
500+
Downloads
What makes these different
Grounded in regulatory guidance
Not someone's old employer's templates with the logo swapped out. Built on SR 11-7, FFIEC, OCC bulletins, and NIST AI RMF.
Deploy in days, not months
Fully editable Excel templates with pre-populated risk taxonomies, scoring models, and dashboards. Populate in an afternoon.
Price of a team lunch
Individual templates from $49. Bundles from $199. No subscriptions, no license restrictions. Buy once, use forever.
The 2025–2026 Risk & Compliance Landscape
Free Resources
Start here — frameworks and guides to get you going, no email required.
AI Risk Assessment Guide (Free)
A free introductory guide to AI risk assessment for financial services teams.
Issues Management Guide (Free)
A free introductory guide to building an effective issues management process.
Risk Register — Fintech Edition (Free)
141 pre-populated fintech risks across 21 categories. ISO 31000 structure. Ready to use in a week.
Threat Modeling for Agentic Payments (Free)
A 20,000-word whitepaper on threat modeling for AI-powered autonomous payment systems in financial services.
Need the full framework?
Templates & Toolkits
Reading about an enforcement action is step one. Having the right framework in place before the next exam is what actually matters.
Individual Templates
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
Issues Management Tracker & Template
End-to-end issues tracking and remediation management for risk and compliance teams.
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
New Product Risk Assessment
Structured risk review process for new products, services, and business initiatives.
Financial Risk Management Kit
Credit risk, liquidity, concentration, and capital adequacy templates built for fintechs.
Loss Monitoring & Event Tracking Kit
Basel-aligned operational loss event tracking and root cause analysis for financial services.
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
Enterprise Risk Management Framework (ERMF)
Complete ERM documentation: risk appetite, 3 Lines of Defense, committee charter, and board reporting.
SOC 2 Compliance Checklist
151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
Bundles
GRC Starter Kit
Everything a new compliance hire needs to build their first risk program — 6 products at 46% off.
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
Operational Risk Program
Build a complete ORM program: ERM framework, RCSA, loss monitoring, financial risk, and KRIs — 37% off.
Complete GRC Library
Every template in the library — all 14 products at 58% off individual prices.
What We're Tracking
SEC enforcement, DOJ settlements, AI regulation, and the frameworks that matter — updated daily.
College Student Stole $7M from Investors. The SEC's Case Against Krish Kumar Has Lessons for Every Investment Adviser.
SEC charged Tulsa college student Krish Kumar with misappropriating nearly $7M from two investment funds. Here's what compliance officers at investment advisers need to know.
Mar 28, 2026
Regulatory ComplianceDOJ Hits Atlanta Urology Practice With $14 Million False Claims Act Settlement — What Compliance Teams Should Learn
Advanced Urology and Dr. Jitesh Patel will pay $14M to settle DOJ allegations of fraudulent billing and unnecessary procedures. Key compliance takeaways inside.
Apr 2, 2026
Regulatory ComplianceA.G. Morgan Financial Advisors Fraud: Vincent Camarda Pleads Guilty to $160M Investment Adviser Scheme
Vincent Camarda of A.G. Morgan Financial Advisors pleads guilty to defrauding 400+ clients of $160M. What compliance professionals need to know about this investment adviser fraud case.
Apr 2, 2026
Regulatory ComplianceSEC Charges Jon Fullenkamp and Scott Sand in $2.6 Million Penny Stock Fraud Scheme
The SEC filed fraud charges against Jon Fullenkamp and Scott Sand for misappropriating millions through sham agreements and fraudulent preferred share issuances at two penny stock companies.
Mar 31, 2026
Regulatory ComplianceState AI Laws Tracker 2026: Every US AI Regulation You Need to Know
45 states have introduced 1,561 AI bills in 2026 — already surpassing 2024's full-year total. Colorado, Texas, and California are the three to watch. Every enacted state AI law, organized by what your compliance team actually needs to do.
Apr 2, 2026
AI RiskAI Model Inventory Management: What Examiners Ask For First (And What Banks Can't Find)
The first question your examiner will ask isn't about bias or governance — it's 'show me your model inventory.' Most banks can't. Here's the SR 11-7 fields examiners expect, how to find shadow AI, and the vendor tracking gap that gets flagged every time.
Mar 26, 2026
Operational RiskCOSO ERM Framework Explained: The 5 Components and 20 Principles
COSO ERM 2017 framework explained: 5 components, all 20 principles, and how to implement it in your organization without creating a shelf document.
Apr 26, 2026
Regulatory ComplianceSEC Bars "Dr. Cash" After $5M Ponzi Scheme — And What It Signals for Adviser Compliance in 2026
Terrence Chalk, aka Dr. Cash, ran a Ponzi scheme targeting retirees for three years before the SEC and FBI caught up. Here's what compliance teams need to know.
Apr 26, 2026
Compliance StrategyWhat Is SOC 2 Compliance? A Practitioner's Guide for First-Timers
SOC 2 compliance explained for practitioners: Trust Service Criteria, Type 1 vs Type 2, common audit findings, and how to get started.
Apr 26, 2026
Regulatory ComplianceDOJ Scam Center Strike Force Seizes $702M in Crypto: What Pig-Butchering Means for Your AML Program
The DOJ restrained $702M in crypto from pig-butchering scams and OFAC sanctioned 29 Cambodian entities including a bank. Here's what US compliance teams must do now.
Apr 25, 2026
Operational RiskEarly Warning Indicators for Liquidity Stress: What to Monitor & How to Set Triggers
Discover how to implement and monitor Early Warning Indicators (EWIs) for liquidity stress, referencing key regulatory guidance from the OCC, Federal Reserve, and BCBS. Learn to set effective triggers to protect your institution from financial instability.
Apr 25, 2026
AI RiskGenAI Supply Chain Risk: Third-Party Model Dependencies and NIST AI 600-1 Controls
Most financial institutions using GenAI APIs don't fully own their AI supply chain. NIST AI 600-1 says that's your problem. Here's what you need to control.
Apr 25, 2026
Regulatory ComplianceThe $50 Million Cookie Jar: SEC Charges PE Firm Founder Jay Lucas with Investment Adviser Fraud
SEC filed a civil complaint against Jay Lucas and Lucas Brand Equity LLC on April 24, 2026, alleging he raised $50M from investors and spent it on his wife's skincare company, alimony, and luxury expenses.
Apr 24, 2026
Regulatory Compliance$5 Million Final Judgment: SEC's Forex Ponzi Case Against John Fernandez Shows How Unregistered Offerings Collapse
A federal court entered a $5 million final judgment against John Fernandez, Avail Progression LLC, and Elite Generators LLC for running unregistered forex Ponzi schemes targeting 100+ investors.
Apr 24, 2026
Regulatory ComplianceFINRA Fines JPMorgan Securities $3.25M for Ignoring 10,000 Supervisory Alerts
FINRA's JPMorgan Securities action shows Rule 3110 compliance requires actual review — not just alert generation. Here's what compliance teams must fix now.
Apr 23, 2026
Regulatory ComplianceSripetch v. SEC: The Supreme Court Case That Could Reshape Every SEC Enforcement Settlement
SCOTUS heard oral argument April 20 in Sripetch v. SEC. The ruling will determine if the SEC must prove investor losses before seeking disgorgement — $6B+ per year at stake.
Apr 23, 2026
AI RiskDeveloper vs. Deployer vs. Operator: Role-Specific Obligations Under NIST AI 600-1
NIST AI 600-1 assigns different GenAI risk obligations to developers, deployers, and operators. Here's what each role actually owns—and where the gaps live.
Apr 25, 2026
AI RiskGenerative AI Incident Disclosure and Content Provenance: NIST AI 600-1 Requirements
What NIST AI 600-1 requires when your GenAI system fails: incident disclosure obligations, after-action review requirements, and content provenance tracking.
Apr 24, 2026
AI RiskTEVV for Generative AI: Pre-Deployment Testing Requirements Under NIST AI 600-1
What NIST AI 600-1 requires before you deploy any GenAI system: the full TEVV testing protocol across all 12 risk categories, red-team requirements, and go/no-go gates.
Apr 24, 2026
AI RiskConfabulation and Hallucination Risk: What NIST AI 600-1 Says and How to Test for It
NIST AI 600-1 names confabulation as one of 12 GenAI risk categories. Here's what the framework actually requires — and how to build a testing program that satisfies it.
Apr 23, 2026
AI RiskNIST AI RMF for Financial Services: Crosswalk to SR 26-02, OCC 2026-13, and FS AI RMF
Three AI risk frameworks now apply to financial services. Here's how NIST AI RMF, SR 26-02, and the Treasury FS AI RMF fit together — and which one covers what.
Apr 23, 2026
Business ContinuityOperational Resilience vs. BIA: The Regulatory Shift from RTOs to Impact Tolerances
Traditional BIA produces RTOs. Operational resilience requires impact tolerances. They're different questions with different methodology — here's how to update your BIA process.
Apr 17, 2026
Business ContinuityThird-Party Dependencies in BIA: How Deep Should You Go?
When mapping third-party dependencies in your BIA, one tier isn't enough for critical functions. Here's how to scope the analysis — and where going deeper actually matters.
Apr 15, 2026
Business ContinuityBIA for Fintech and SaaS: Mapping Cloud and API Dependencies
Most fintech BIAs skip the part that matters most: the cloud platforms and third-party APIs your entire business runs on. Here's how to map those dependencies correctly — and what your bank partners will ask about them.
Apr 14, 2026
Business ContinuityBusiness Impact Analysis for Banks: FFIEC Requirements Explained
What the FFIEC BCM booklet actually requires in your BIA — critical function identification, interdependency analysis, recovery objectives, and what Appendix A examiners test at your next IT exam.
Apr 14, 2026
Business ContinuityBIA Data Collection: Surveys vs. Interviews vs. Workshops
The method you choose for BIA data collection determines whether your RTOs reflect operational reality or wishful thinking. A practitioner's guide to surveys, interviews, and workshops — when each method works, where each fails, and how to combine them.
Apr 13, 2026
Business ContinuityHow to Present BIA Findings to the Board: Executive Summary and Business Case
A 47-page BIA full of RTOs and dependency tables won't get board buy-in for BCP investment. Here's how to translate BIA findings into an executive summary that drives decisions and satisfies FFIEC board reporting requirements.
Apr 13, 2026
Why this exists
Every risk and compliance professional has done it: you join a new team, get asked to build a program from scratch, and end up calling a friend at your old company for their templates. Or a consultant brings in frameworks recycled from another client. The result? Documents that don't quite fit and no confidence they'll hold up under regulatory scrutiny.
So I started publishing the analysis I wish I'd had — enforcement breakdowns, regulatory deep dives, practical frameworks — and building the templates on actual regulatory guidance. The intelligence keeps you informed. The templates let you act on it.
Immaterial Findings ✉️
Weekly newsletter
Sharp risk & compliance insights practitioners actually read. Enforcement actions, regulatory shifts, and practical frameworks — no fluff, no filler.
Join practitioners from banks, fintechs, and asset managers. Delivered weekly.