How RISKflo Delivered Enterprise GRC for 1,100+ Active Daily Users at a Major Global Bank

Event-sourced architecture achieving 99%+ uptime over 24 months, 30x better support metrics than industry average, and 47-73% cost advantage versus ServiceNow and Archer.

  • 1,100+ active daily users (14,000+ total platform users)
  • 99%+ uptime (24+ months continuous)
  • 47-73% cost advantage vs. ServiceNow/Archer
  • 0.017 support cases/user/year (30x better than industry average)

The Challenge

HSBC required an enterprise-grade Governance, Risk, and Compliance (GRC) platform to replace legacy systems. The challenge: deliver superior performance, cost efficiency, and user experience while maintaining regulatory compliance in one of the world's most heavily regulated industries.

Existing solutions in the market (ServiceNow, Archer, Appian) came with significant limitations: enterprise pricing models that escalated with user count, implementation timelines measured in years rather than months, and legacy architectures that couldn't provide the audit trail precision financial regulators demand.

The technical requirements were demanding: complete audit trail for every action, sub-second response times for daily operations, multi-jurisdictional compliance across APAC, and integration with existing enterprise security infrastructure (SSO, identity management).

And the commercial requirements were equally stringent: demonstrate cost efficiency versus incumbent vendors, prove scalability without proportional cost increases, and maintain the stability that a global bank requires for operations-critical systems.

  • Replace legacy GRC systems at major global bank
  • Compete with ServiceNow, Archer, Appian on enterprise requirements
  • Complete audit trail with regulatory-grade precision
  • Cost efficiency with scalability
  • 24/7 stability requirements

The Solution

RISKflo was built on event sourcing architecture—a fundamentally different approach from traditional CRUD-based GRC systems. Every action in the system generates an immutable event, permanently recorded and queryable. This isn't logging bolted on after the fact; it's the core data model.

The architectural choice had profound implications for audit compliance. When regulators ask 'what happened to this risk assessment on March 15th at 2:47pm?', the answer isn't reconstructed from logs—it's the actual system state at that moment, reproducible and verifiable.

Technical architecture: Java/Scala microservices on the Lagom framework for the backend, React/TypeScript for the frontend. Polyglot persistence with MySQL for projections and Cassandra for the event store. AWS cloud-native deployment with Terraform infrastructure-as-code. OAuth2/JWT for authentication, GuardDuty for threat detection, CloudTrail for infrastructure logging.
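As an added illustration (not RISKflo's code), a minimal event-sourced store in Python that records immutable events, correlates them by a unique transaction ID, and rebuilds a risk assessment's state as it was at a given moment by replaying events up to that time; the event kinds, IDs and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)  # frozen: an event can never be edited after it is recorded
class Event:
    txn_id: str          # unique transaction ID used to correlate a submission
    aggregate_id: str    # the risk assessment this event belongs to
    kind: str            # constructed kinds: "Created", "ScoreChanged", "Approved"
    payload: dict
    recorded_at: datetime

class EventStore:
    """Append-only store: events are only ever added, never updated or deleted."""
    def __init__(self):
        self._events = []

    def append(self, event: Event) -> None:
        self._events.append(event)

    def events_for(self, aggregate_id, as_of=None):
        """Events for one assessment, optionally only those recorded at or before as_of."""
        return [e for e in self._events
                if e.aggregate_id == aggregate_id
                and (as_of is None or e.recorded_at <= as_of)]

    def by_txn(self, txn_id):
        """Audit lookup: everything recorded under a single transaction ID."""
        return [e for e in self._events if e.txn_id == txn_id]

def reconstruct(store, aggregate_id, as_of=None) -> dict:
    """Replay events to rebuild the assessment's state as it was at as_of (empty if none)."""
    state = {}
    for e in store.events_for(aggregate_id, as_of):
        if e.kind == "Created":
            state = {"id": aggregate_id, "status": "draft", **e.payload}
        elif e.kind == "ScoreChanged":
            state["score"] = e.payload["score"]
        elif e.kind == "Approved":
            state["status"] = "approved"
            state["approved_by"] = e.payload["approver"]
        state["version"] = state.get("version", 0) + 1
    return state

def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample history for one assessment (not real bank data).
STORE = EventStore()
for txn, kind, payload, when in [
    ("T-1001", "Created", {"title": "Vendor onboarding", "score": 7}, "2024-03-15T09:00:00"),
    ("T-1002", "ScoreChanged", {"score": 4}, "2024-03-15T14:30:00"),
    ("T-1003", "Approved", {"approver": "risk.owner"}, "2024-03-16T10:00:00"),
]:
    STORE.append(Event(txn, "RA-42", kind, payload, ts(when)))

def state_on_march_15_at_2_47pm():
    return reconstruct(STORE, "RA-42", ts("2024-03-15T14:47:00"))
```

The point-in-time answer comes from replaying the recorded events, not from searching logs, so the same question always yields the same state.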

The Results

After 24+ months of continuous production operation at HSBC, the metrics tell the story of enterprise-grade platform delivery.

Scale & Stability

  • 1,100+ active daily users (HSBC APAC region)
  • 36,000 events/day processed (13.14M events/year)
  • 99%+ system uptime (24+ months continuous)
  • Zero major infrastructure failures (production stability)

Support Quality

  • 0.017 support cases/user/year (industry average: 0.5-1.0)
  • 72% support reduction over 24 months (72 cases in 2022 → 20 cases in 2024)
  • Only 12% of cases were platform bugs (80% were training or external issues)
  • 26% of cases were user training (normal adoption support, not platform issues)

Audit & Compliance

  • 100% submission correlation accuracy (unique transaction ID tracking)
  • Complete audit trail (every action permanently recorded)
  • Point-in-time reconstruction (any historical state reproducible)
  • ISO 27001:2022 certified (automated evidence generation)

Key Lessons

Event sourcing creates audit capabilities competitors can't replicate

When every action is an immutable event, audit trails aren't a feature—they're the architecture. 99% correlation accuracy isn't achieved by better logging; it's achieved by making the event the source of truth.

Cost efficiency at scale is an architecture decision

Achieving 27-53% of industry standard cost isn't about cutting corners—it's achieved by efficient infrastructure, microservices that scale horizontally, and avoiding vendor lock-in. Predictable costs (17.6% monthly variance) enable business planning.

Support quality reflects platform quality

0.017 cases/user/year doesn't happen by accident. When 80% of support cases aren't platform bugs, and feature request acceptance is 5.9% (meaning existing functionality meets needs), the platform is mature.

Enterprise stability requires engineering discipline

24+ months at 99%+ uptime with zero major failures isn't luck—it's architecture, testing, monitoring, and the deployment discipline that comes from governed SDLC practices.

"A rare blend of creative problem solving capability, integrating deep analytical thinking with creativity. Then the unique skill to communicate new ideas to the target audience in a simple and compelling story."

Martin Kelly
Founder
RISKflo

Ready to Build Enterprise-Grade Platforms with Governance?

If you need platform engineering that satisfies auditors and delights users, let's talk about what event-sourced, policy-as-code architecture can do for your organization.