For compliance teams

Audit-ready, not audit-scrambled.

DORA, NIS2, ISO 27001 — every framework has its deadline and your team has all of them. The Agency composes regulator-formatted output from live data, so you stop assembling audit packs by hand.

The numbers your team already knows.

Regulatory load goes up every year. Compliance headcount stays the same. The gap between "we are compliant" and "we can prove it" keeps widening.

  • 9+: Frameworks the average compliance team covers (Industry average)
  • 1 quarter: Time historically spent assembling a DORA reporting cycle (Pre-Agency norm)
  • ~55%: Of compliance time spent on report assembly, not strategy (Industry estimate)

From audit fire drills to audit-always-ready.

Compliance assessment shouldn't be a quarterly archaeology project. With continuous assessment plus live-data reporting, the evidence is always composed — the audit is just a download.

Before The Agency
Compliance as a quarterly project
  • Framework controls checked box-by-box, once per quarter
  • Audit prep is a fire drill — chasing evidence across teams
  • Reports composed by hand from screenshots and spreadsheets
  • Vendor obligations slip without a tracking system
  • Multi-jurisdiction reporting means re-collecting the same evidence
With The Agency
Compliance as a continuous service
  • Continuous assessment against DORA, NIS2, ISO 27001 and more
  • VANCE composes audit-ready output from live evidence
  • Auditor receives evidence-linked reports — nothing assembled by hand
  • Compliance Tracking watches every cert renewal and obligation deadline
  • One evidence base produces every jurisdiction's report

TARA, VANCE, ARIA — your audit-ready stack.

Three of The Agency's leads cover the full compliance lifecycle: continuous gap analysis, regulator-formatted reporting, and the evidence layer that makes both possible.

TARA
Tiering & Remediation

Continuous gap analysis, not annual scrambles. TARA assesses every vendor's posture against the frameworks you've assigned to them — DORA, NIS2, ISO 27001, APRA, ADHICS — on a rolling basis.

What you get
  • Continuous regulatory gap analysis (not annual)
  • DORA, NIS2, ISO 27001, APRA CPS 230, ADHICS coverage
  • Treatment plans with deadlines and SLA tracking
VANCE
Audit & Compliance Reporting

Audit-ready output, generated from live data. VANCE composes regulator-formatted reports — DORA Article 28 packs, NIS2 incident reports, board-pack summaries — from current evidence, not last quarter's.

What you get
  • Regulator-formatted reports, evidence linked
  • Tamper-evident audit trail per output
  • Cross-portfolio issue patterns surfaced for the board
ARIA
Evidence & Document Intelligence

Every piece of evidence, structured against the 157 Universal Controls. ARIA parses every vendor document and turns it into evidence VANCE can compose with and TARA can analyse.

What you get
  • Documents structured against 157 Universal Controls
  • Trust-centre data ingested and mapped automatically
  • Contract clause extraction — including data residency and sub-processor lists

Continuous compliance in five steps.

From framework selection to audit delivery — here's how The Agency runs compliance as a continuous loop rather than a quarterly project.

  1. TARA: Framework loaded

    DORA, NIS2, ISO 27001, GDPR or custom framework — controls mapped onto the 157 Universal Controls.

  2. TARA: Continuous assessment

    Vendor evidence checked against framework controls on a rolling cadence — not once a quarter.

  3. TARA: Gaps flagged

    Control gaps surface immediately; Treatment & SLA Agent assigns remediation actions with deadlines.

  4. VANCE: Reports composed

    Regulator-aligned reports drafted from live evidence — DORA Article 28, ISO Annex A, NIS2 register.

  5. VANCE: Audit pack delivered

    Auditors receive evidence-linked output. Every control reference traces back to its source document.

Works with the GRC tools you already operate.

The Agency feeds enriched vendor evidence into your existing GRC platform — or runs standalone if your team prefers. Either way, the audit trail is intact.

GRC platforms
  • ServiceNow GRC
  • Archer
  • MetricStream
  • LogicGate
  • Diligent
  • Hyperproof
Document & evidence
  • SharePoint
  • Confluence
  • Box
  • OneDrive
  • Google Drive
Audit & reporting
  • Workiva
  • AuditBoard
  • TeamMate+
  • Power BI
  • Tableau
Identity & SSO
  • Okta
  • Microsoft Entra ID
  • Ping Identity
  • OneLogin

Four shifts you'll feel at the next reporting cycle.

The cycle that used to consume a quarter of your team's calendar becomes a continuous background process. Your time goes from assembly to oversight.

Reports compose from live data

VANCE produces DORA / NIS2 / ISO output from current evidence. No hand-assembly, no last-quarter snapshots.

Gap analysis runs continuously

TARA flags posture drift the moment it happens. No quarterly catch-up to find out what changed.

Evidence trails already linked

Auditors get a structured evidence package per finding. They need less time, you need less hand-holding.

Multi-framework coverage in parallel

DORA, NIS2, ISO 27001, APRA, ADHICS — covered concurrently, not one cycle at a time.

DORA reporting that used to take a quarter now takes a morning. VANCE produced our first board pack in under an hour.

DK
Operational Risk Director
European Asset Manager

What compliance teams ask us first.

Quick answers to the questions that come up with heads of compliance, audit and operational risk.

Which frameworks does The Agency cover out of the box?
DORA, NIS2, ISO 27001, NIST CSF, PCI DSS, APRA CPS 230, ADHICS and GDPR — with a growing list. Each framework's controls map onto the 157 Universal Controls, so a single evidence base satisfies multiple regimes.
Can The Agency assess custom or industry-specific frameworks?
Yes. Custom controls map into the Universal Controls and TARA runs the same continuous assessment cadence against them. Internal policies, sector codes and regulator-specific frameworks all plug in.
Is the audit trail immutable?
Every evidence reference is hash-anchored to the source document and timestamped at ingest. Auditors can verify the chain back to upload — and VANCE's Audit Insights surfaces any gaps before they get there.
Does The Agency replace our existing GRC tool?
Not necessarily. The Agency can sit alongside Archer, ServiceNow GRC or MetricStream and feed enriched vendor data in — or run standalone for teams that haven't standardised on a GRC platform yet. Both deployments are common.
How does multi-jurisdiction reporting work?
One evidence base, many reports. A single vendor produces a DORA report for an EU regulator, an APRA CPS 230 report for an Australian one, and an SEC filing component for a US one — without re-collecting evidence.

See it on your vendors.

Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on one of your live vendors inside 24 hours.