
Practice 2 — Compliance

The translation between obligation and operation.

ComplianceCore produces the ComplianceCore Framework — the policy architecture, roles map, operating processes, and pre-staged incident response plan that make your posture defensible and ready to execute.

The role

What ComplianceCore does, in one sentence

Without the translation from obligation to operation, governance lives in PDFs and agents act on their own logic.

ComplianceCore takes legal, regulatory, and corporate policy — what the organisation is required or has decided to do — and converts it into operating constraints that govern how agents and the people responsible for them are allowed to act. It is the connective tissue between strategy and operation, and between calm-state governance and crisis-state response.

What is in the Framework

Six components of the ComplianceCore Framework

Each component is derived from the RiskLens risk register and structured for operational execution.

Policy architecture

Derived from the RiskLens risk register. Not a PDF — the specification that the technical and operational teams must encode.

Roles, responsibilities, and decision-rights map

Who decides an agent may act? Who reviews? Who signs off? Who responds when something goes wrong? The full mapping.

Process design and review cadences

How often are policies verified? How does evolving risk trigger an update?

Quarterly process attestation

Our verification that what is documented matches what is happening.

Pre-staged incident response plan

Keyed to the top scenarios in the RiskLens risk register. Scenario library, playbooks per class, decision trees for the first hour, coordination paths to insurer, counsel, communications, IT, and regulators, plus asset inventory in IR-ready format.

Ongoing regulatory intelligence

Loi 25, C-27, OSFI, AMF, sector-specific guidance, and material international developments.

The boundary with Agentica IR

The incident plan lives here. Execution lives in Agentica IR.

The risk register produced by RiskLens already identifies the most likely failure scenarios. The roles map produced inside ComplianceCore already identifies who responds. Building the pre-staged response plan on top of that work is incremental, not a new engagement — and it means that when an incident occurs, IR activates against an existing plan instead of from a cold call.

The boundary is explicit: ComplianceCore produces the plan. Agentica IR is contracted separately to execute it. This separation matters for reliance — the insurer must be able to verify that the plan was followed, which requires a clean line between authoring and execution.

What the plan enables

  • Contain an incident in the first minutes
  • Trigger escalation at the right threshold
  • Activate Agentica IR with the right context
  • Document every step for post-incident audit

Engagement format

How the engagement works

ComplianceCore starts after RiskLens.

The RiskLens risk register is the direct input to the Framework. We can scope both engagements from a single call.

Confidential. Response within one business day. No commitment.