Financial institutions today operate in an environment where regulation changes constantly. New frameworks like DORA, NIS2, the EU AI Act, and evolving guidance from regulators such as the EBA, ECB, and national supervisory authorities continue to reshape how organizations manage governance, risk, and compliance.
Yet many organizations still manage regulatory change through disconnected processes, spreadsheets, emails, and manual assessments. That approach is no longer sustainable.
At CERRIX, we believe the future of Governance, Risk & Compliance (GRC) lies in connecting regulatory change management directly to risks, controls, incidents, actions, and assurance activities in one integrated platform. That vision is exactly why CERRIX acquired Ruler.
In this short video, CERRIX CEO, Niels van Weereld explains the vision behind the acquisition of Ruler and why connecting regulatory change management with risk and controls is critical for the future of GRC.
The problem with traditional GRC software
Most GRC platforms today still function primarily as registration systems.
Risks are documented.
Controls are logged.
Incidents are tracked.
Audit findings are stored.
But the processes surrounding those activities often remain highly manual.
Compliance teams monitor regulatory websites separately.
Risk teams assess impacts in another process.
Control owners update frameworks later.
Internal audit validates everything afterwards.
The result:
- fragmented governance processes,
- duplicated work,
- delayed implementation,
- compliance gaps,
- and limited real-time visibility.
As Niels van Weereld explains: “Most GRC tools today are, at their core, spreadsheets on steroids. A fancy interface to register things.”
This creates a major challenge for financial institutions trying to stay continuously compliant in a rapidly changing regulatory landscape.
Why regulatory change management matters
Regulatory change management has become one of the most critical capabilities for financial institutions. New regulations increasingly affect:
- operational resilience,
- cybersecurity,
- AI governance,
- outsourcing,
- third-party risk,
- internal controls,
- and reporting obligations.
Take DORA as an example. A single regulatory update may require organizations to:
- reassess operational risks,
- update policies,
- implement additional controls,
- adjust incident management procedures,
- collect new evidence,
- and demonstrate compliance to supervisors.
When these activities happen in disconnected systems, organizations struggle to maintain oversight and traceability. This is why regulatory intelligence can no longer operate separately from the GRC process itself.
From static GRC to an Intelligent Operating System for Risk & Compliance
CERRIX’s vision is to become the Intelligent Operating System for Risk & Compliance. That means moving beyond static compliance administration toward a connected platform where:
- regulatory developments,
- risks,
- controls,
- incidents,
- measures of improvement,
- and assurance activities
all work together as part of one continuous governance process.
Instead of manually translating regulations into operational actions, organizations need a system that helps connect the entire chain automatically.
According to Niels van Weereld: “Risk and compliance professionals should be strategic levers for their organization, not data entry clerks.” The goal is not simply to document governance activities. The goal is to help organizations make faster, smarter, and more proactive decisions about risk and compliance.
Why CERRIX acquired Ruler
Ruler is a regulatory change management platform specialized in monitoring regulatory developments for financial institutions. The platform continuously monitors regulatory sources, identifies new or changing requirements, and helps compliance teams assess the impact on their organization. This makes Ruler a natural extension of the CERRIX platform.
CERRIX helps organizations manage:
- risks,
- controls,
- incidents,
- audits,
- and assurance activities across the entire GRC process.
Ruler helps organizations understand:
- what regulations are changing,
- what obligations are affected,
- and where action is required.
Together, they create a complete regulatory-to-control chain. As Niels describes it: “CERRIX tells you where you stand. Ruler tells you what’s coming.”
By combining regulatory intelligence with operational GRC processes, organizations can move from reactive compliance toward continuous governance.
The benefits of an integrated GRC and regulatory change platform
Connecting regulatory change management directly to governance, risk, and compliance processes creates several important advantages for financial institutions.
Faster impact assessments
When new regulations emerge, organizations can immediately understand:
- which risks are affected,
- which controls require updates,
- and which business processes need attention.
Reduced manual work
Instead of relying on spreadsheets, emails, and fragmented workflows, teams can centralize governance activities in one integrated platform.
Improved audit readiness
By connecting regulations directly to controls and evidence, organizations strengthen traceability and demonstrate compliance more efficiently during audits and supervisory reviews.
Stronger operational resilience
Continuous visibility into regulatory obligations helps organizations respond faster to regulatory change and reduce compliance gaps.
Better collaboration across the three lines of defense
Risk, compliance, internal audit, and operational teams can work from the same source of truth instead of maintaining separate interpretations and tracking files.
Building the intelligent operating system for risk and compliance
The GRC market is evolving rapidly. Organizations no longer need static systems that only document governance activities after the fact. They need intelligent platforms that help them anticipate change, coordinate action, and maintain continuous oversight.
That means:
- connecting regulatory intelligence with operational execution,
- automating governance workflows,
- reducing manual compliance work,
- and embedding risk and compliance into daily operations.
This is the direction CERRIX is building toward: an Intelligent Operating System for Risk & Compliance.
By combining regulatory change management, risk management, controls, incidents, audits, and assurance activities in one connected platform, organizations gain a continuous view of both their current compliance position and the regulatory changes ahead.
The acquisition of Ruler is an important step in that journey.
A step toward a future where:
- regulatory change automatically flows into governance processes,
- risks and controls continuously evolve alongside new obligations,
- and risk and compliance professionals can focus less on administration and more on strategic decision-making.
Or as Niels van Weereld summarizes it:
“Together, regulatory change flows directly into your risk and compliance framework. No more spreadsheets, no more gaps, no more surprises.”
FAQ
What is regulatory change management?
Regulatory change management is the process of monitoring new or changing regulations, assessing their impact on the organization, and implementing the required governance, risk, and compliance updates.
Why is regulatory change management important for financial institutions?
Financial institutions operate in highly regulated environments where frameworks such as DORA, NIS2, GDPR, and the EU AI Act continuously evolve. Effective regulatory change management helps organizations remain compliant, reduce operational risk, and improve audit readiness.
What is an integrated GRC platform?
An integrated GRC platform connects governance, risk management, compliance, controls, incidents, audits, and regulatory obligations in one centralized environment.
How does regulatory intelligence improve compliance?
Regulatory intelligence helps organizations identify new or changing regulatory requirements early, assess their impact faster, and connect them directly to operational risk and compliance processes.
Why did CERRIX acquire Ruler?
CERRIX acquired Ruler to connect regulatory change management directly with risk and control management, helping financial institutions create a complete end-to-end GRC process in one platform.
Accessible popup
Welcome to Finsweet's accessible modal component for Webflow Libraries. This modal uses custom code to open and close. It is accessible through custom attributes and custom JavaScript added in the embed block of the component. If you're interested in how this is built, check out the Attributes documentation page for this modal component.
The Complete GRC Chain: Connecting Regulatory Change Management, Risk, and Controls in One Platform
The future of Governance, Risk & Compliance (GRC) lies in connecting regulatory change management directly to risks, controls, incidents, actions, and assurance activities in one integrated platform.
Embedding automation into your risk operating model: Where AI fits and how to make It work
This second part focuses on what makes that automated model intelligent. Where AI fits. What it means for risk professionals in practice.
From checkbox to continuous: How to embed automation into your risk operating model
What it means to truly embed automation into the risk operating model: what changes, what stays the same, and what it takes to make it work in practice.
.jpg)
Why CERRIX acquired Ruler, and what it means for the future of GRC
CERRIX acquires Ruler to connect regulatory change with risk management.
%20(1).png)
Why Data Quality Is the Foundation of AI and Automation in GRC
A strategic look at why structured data in a GRC tool is imperative for automation, AI enabled workflows, and real time risk insights.
.jpg)
Internal Control Framework Challenges: Why COSO and ISO 31000 Implementations Struggle in Practice
Why do internal control framework implementations (COSO, ISO 31000) struggle? Explore common challenges in process design, ownership, tooling, and governance
%20(3).jpg)
Control Assurance Explained: How Organizations Move from Control Testing to Continuous Monitoring
Discover how modern control assurance moves beyond periodic testing to continuous monitoring, with clear ownership, automation, and expert opinion.
Incident Management under DORA: What Risk and Compliance Leaders Need to Rethink
Incident Management under DORA: What Risk and Compliance Leaders Need to Rethink
.jpg)
Hoe u ISO 31000 Risicobehandeling in de Praktijk Toepast: Inzichten voor Risk- en Complianceleiders
A practical recap of CERRIX ISO 31000 risk treatment webinar
%20(1).jpg)
Hoe Wij CERRIX GRC Gebruiken voor het Beheren van Ons ISMS. ISO 27001 in de Praktijk
Wij gebruiken onze eigen CERRIX GRC-software om het ISMS van CERRIX te beheren. Zo maken we van compliance een continu proces en laten we zien hoe ISO 27001 onderdeel wordt van de dagelijkse praktijk.
%20(1).jpg)
Hoe bereken je risicokans en -impact?
Leer hoe je risicokans en -impact berekent volgens ISO 31000. Ontdek hoe gestructureerde risicobeoordeling, scoringsmodellen en risicomatrices bijdragen aan effectief risicomanagement met CERRIX.
.jpg)
Why the Three Lines of Defense Model Is Outdated? What Every Board Should Know About the Three Lines Model
Three Lines Model Explained: Why Boards Must Move Beyond 3LOD
.jpg)
What Is ISO 31000 and How Does It Work?
Discover what ISO 31000 is, how it works, and why it’s essential for risk management in 2025. Learn the principles, framework, and how tools like CERRIX help organizations turn ISO 31000 into practice.
.jpg)
How to Write an Incident Report That Stands Up to Audits
Learn how to write incident reports that are clear, evidence-backed, and audit-ready. Includes a template, best practices, and compliance alignment for risk professionals.
.jpg)
How to Implement ISO 31000: Real-Time Risk Decisions with AI‑Enabled Tools
Discover how to move beyond compliance and operationalize ISO 31000 using AI, real-time dashboards, and structured risk assessments. Learn from webinar insights and best practices tailored for financial services and regulated industries.
%20(1).jpg)
What’s Blocking Your ISMS Rollout? 7 Fixable Challenges for Financial Institutions
Discover the 7 biggest blockers in ISMS rollout for financial institutions—and how to solve them. Learn practical strategies to secure buy-in, define scope, streamline controls, and prepare for ISO 27001 certification.
.jpg)
Trends Driving ISMS Adoption in 2025: What Risk & Compliance Leaders Need to Know
Discover the top trends pushing organizations toward ISMS adoption in 2025—from regulatory changes and remote work to threat evolution and AI. Learn what to prioritize to stay ahead in risk and compliance.
What Is an ISMS? A Practical Guide for Risk & Compliance Leaders in 2025
An Information Security Management System (ISMS) is more than policy—it’s your organization’s shield against evolving threats, regulation, and reputation risk. Discover what ISMS means, how to implement it, and why it matters in 2025.
.jpg)
The Intelligent Future of GRC: How AI is Reshaping Governance, Risk & Compliance in 2025
Explore how AI is transforming GRC in 2025—from predictive insights and automation to ethical oversight. Learn what features matter, what risks to manage.
.jpg)
How Do You Implement an ISMS in Financial Services Without Slowing Down Innovation?
Implementing an ISMS in financial services? Explore a practical, risk-aligned roadmap tailored for banks, fintechs, and insurers to meet ISO 27001, GDPR, and DORA compliance—without compromising agility.
How Do You Build a Robust ISMS Framework Based on ISO 27001?
Learn how to build a robust ISMS framework aligned with ISO 27001. Discover the key components—people, policies, processes, and controls—to strengthen security and achieve compliance.
.jpg)
When to Conduct Risk Assessments: 6 Enterprise-Critical Moments
Learn when to conduct risk assessments—annual, quarterly, after incidents or change—and how CERRIX ensures continuous compliance.
.jpg)
How do you build a system of quality management that works under ISQM 1?
Learn how to build a system of quality management under ISQM 1. Move beyond compliance to an operational model that proves audit quality.
Top GRC Platforms Compared: Risk Assessment Tools for 2025
Discover the top GRC platforms for 2025 with a focus on risk assessment tools.
What Are Risk Scoring Methods for Financial Institutions? [2025 Guide]
From Risk Assessment to Risk Management: Moving Beyond Checklists in 2025
Understand the evolution from risk assessment to strategic risk management in 2025. Learn why leading organizations are embedding risk into decision-making—and how GRC platforms like CERRIX support this shift.
What is risk management? A strategic guide for leaders in 2025
How Audit Firms Embed ISQM into Daily Practice
In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.
Embedding ISQM 1 into the DNA of Your Audit Firm: A Risk-Based Approach to Quality Management
Discover how to implement ISQM 1 with a risk-based approach. Learn how audit firms can embed quality management into daily operations and governance.
%20(1).avif)
CERRIX User Conference 2025
Op 12 maart 2025 kwamen marktleiders, verzekeringsexperts en CERRIX-klanten samen voor de CERRIX User Conference 2025, een dag van kennisuitwisseling, inzichtelijke discussies en samenwerking over de toekomst van risicobeheer, compliance en AI-gestuurde GRC-oplossingen.
Van spreadsheets tot GRC-software: waarom pensioenfondsen een moderne benadering van risicobeheer nodig hebben
CERRIX en BR1GHT versterken langdurige samenwerking om oplossingen voor bestuur, risico, compliance en audit te verbeteren
DORA implementeren: van compliance tot veerkracht op lange termijn
