Home
arrow_forward_ios
Blog
Governance, Risk & Compliance

CRI Profile 2.0 Deep Dive: What’s New & Why It Matters

Jon Darbyshire
CEO SmartSuite
January 20, 2026
9 mins
read
This is some text inside of a div block.
Back to top

Introduction: A Turning Point for FS Cyber Governance

When the Cyber Risk Institute (CRI) first released its Profile, it gave financial institutions something they’d lacked for decades: a single, harmonized structure for evaluating cyber and resilience maturity across regulatory expectations. It unified frameworks, aligned teams, and created a diagnostic model that CISOs, risk managers, auditors, resilience leaders, boards, and regulators could all interpret consistently.

But frameworks cannot remain static.

As technology evolves, threats accelerate, and regulatory expectations expand, institutions need diagnostic models that reflect the world they operate in today, not the world they operated in a decade ago.

CRI Profile 2.0 represents that next evolution.

Through collaborative work across banks, regulators, industry associations, and cybersecurity leaders, CRI has modernized its diagnostic structure to reflect:

  • Cloud-native operating models.
  • Continuous monitoring and assurance expectations.
  • Third-party ecosystem expansion.
  • Operational resilience mandates.
  • Convergence of cyber + technology + operational risk.
  • New regulatory guidance across global jurisdictions.

CRI 2.0 is not a minor revision. It is a structural upgrade, one that strengthens the Profile’s position as the most influential diagnostic model in financial services.

Why a 2.0 Version Was Necessary

Across my work with FS institutions of all sizes, four patterns consistently emerged that signaled the need for a refreshed CRI Profile.

1. Cloud fundamentally changed the control landscape

Legacy frameworks were built for data centers, not distributed architectures.

2. Continuous monitoring became the norm

Institutions needed diagnostics that supported real-time signals — not periodic checks.

3. Resilience and cybersecurity fully converged

Boards and regulators increasingly treat cyber events as resilience failures.

4. Vendor ecosystems exploded

Third-party risk became one of the largest systemic risks across institutions.

CRI Profile 2.0 responds with a diagnostic structure built for these realities, not for the world that existed when many cyber frameworks were originally authored.

What’s New in CRI Profile 2.0

CRI 2.0 introduces enhancements across five major dimensions.

Below is an overview written to be clear, narrative, and accessible, while still conveying deep insight for practitioners.

1. Stronger Alignment With Global Regulatory Expectations

The financial-services community is experiencing a wave of regulatory activity across:

  • U.S. federal regulators.
  • UK PRA/BoE requirements.
  • EU DORA mandates.
  • APAC supervisory expectations.
  • Emerging global cyber-resilience rules.

CRI 2.0 updates diagnostic statements to more explicitly harmonize these global requirements, ensuring that:

  • Evaluations are cross-regulator compatible.
  • Institutions avoid duplicative oversight structures.
  • Diagnostic maturity maps cleanly to global exam expectations.
  • Supervisors can rely on CRI outputs without translation.

This is one of the most important upgrades in CRI 2.0, it positions the Profile as the “translation layer” regulators increasingly want.

2. Expanded Diagnostic Coverage for Cloud & Modern Architectures

Cloud adoption is universal in financial services, and diagnostic models must reflect this shift.

CRI 2.0 introduces enhancements around:

  • Cloud governance.
  • Configuration and posture management.
  • Identity and privilege in hybrid environments.
  • Cloud-resilience readiness.
  • Distributed logging and monitoring.
  • API governance.
  • Container security.
  • Multi-cloud complexity management.

Legacy cyber frameworks struggled to capture these nuances. CRI 2.0 does not.

These diagnostics now connect directly to real-world operating models across global banks and cloud-native fintechs.

3. Integration of Operational Resilience as a First-Class Diagnostic Theme

Regulators, especially the UK PRA and EU DORA, have made clear that resilience cannot be treated as a separate discipline.

CRI 2.0 reflects this shift with expanded diagnostics around:

  • Impact tolerance.
  • Disruption scenarios.
  • Continuity dependencies.
  • Critical business services.
  • Recovery governance.
  • Mapping technology to operational outcomes.

This creates alignment across cyber, tech-risk, and resilience functions, something I have seen institutions struggle with for years.

CRI 2.0 brings these worlds together intentionally.

4. Clearer Expectations for Third-Party Risk

Third-party ecosystems are now the source of significant operational and cyber risk.
CRI 2.0 enhances diagnostics around:

  • Vendor oversight.
  • Supplier resilience.
  • Off-boarding and concentration risk.
  • Fourth-party dependencies.
  • Cloud service provider alignment.
  • Continuous vendor monitoring signals.

These upgrades make CRI one of the strongest frameworks available for governing third-party ecosystems, a critical need in the modern FS landscape.

5. Structural Improvements for Continuous Assurance

One of the most notable evolutions in CRI 2.0 is its readiness for continuous assurance.

Diagnostics now more naturally support:

  • Real-time monitoring tools.
  • Identity governance systems.
  • Cloud drift detection.
  • Continuous evidence collection.
  • Unified issue lifecycle workflows.
  • Dynamic maturity scoring.
  • Automated assurance triggers.

This aligns CRI 2.0 with the pace of modern risk, and with the architectural direction regulators and boards are moving toward.

Why CRI 2.0 Matters for Institutions

Beyond feature updates, CRI 2.0 introduces deeper and more consequential capabilities.

It improves clarity

Diagnostics are now cleaner, more interpretable, and more action-oriented.

It improves alignment

Teams across cyber, compliance, audit, and resilience share a stronger, more unified structure.

It improves governance

Boards can read a CRI 2.0 maturity narrative without needing translation.

It improves comparability

Peer benchmarking becomes more credible and meaningful.

It improves operationalization

Diagnostic structure aligns more naturally with workflows, automation, and evidence collection.

It improves regulatory conversations

Supervisors increasingly recognize CRI as a mature, harmonized interpretation model.

CRI 2.0 strengthens everything the Profile was already doing well, and corrects areas where the original model began to show its age.

CRI 2.0 and SmartSuite: Operationalization Meets Intelligence

CRI 2.0 defines the structure of connected governance. SmartSuite provides the workflow architecture that brings that structure to life.

Inside SmartSuite:

  • CRI 2.0 diagnostics become workflow triggers.
  • Evidence anchors directly to diagnostic requirements.
  • Remediation follows a unified lifecycle.
  • Maturity updates dynamically with signals.
  • Vendor insights map cleanly to diagnostic expectations.
  • Dashboards reflect real-time posture.
  • Assurance becomes continuous rather than periodic.

CRI 2.0 provides clarity. SmartSuite provides motion.

This combination positions institutions to operate with a level of consistency, transparency, and confidence that was extremely difficult, if not impossible, under legacy GRC models.

Conclusion: CRI 2.0 Is Not Just an Update, It’s an Inflection Point

The CRI Profile has been the most significant harmonization effort in financial-services cybersecurity and resilience. CRI 2.0 strengthens that foundation and positions it for the next decade.

It answers the needs of modern FS institutions:

  • Cloud-native architectures.
  • Continuous assurance.
  • Integrated resilience.
  • Vendor ecosystems.
  • Global supervisory alignment.

It also answers the needs of boards:

  • Clarity.
  • Consistency.
  • Comparability.
  • Confidence.

CRI 2.0 marks the moment when harmonized governance shifts from helpful to essential.

This is more than a framework update.

It is the blueprint for the next era of cyber governance, one that finally matches the pace, complexity, and interconnected nature of risk.

Table of Contents
What are the best policy management platforms on the market ?
#1: What policy lifecycle scope do you need to manage ?
Start using SmartSuite Today

Run your entire business on a single platform and stop paying for dozens of apps

  • Manage Your Workflows on a Single Platform
  • Empower Team Collaboration
  • Trusted by 5,000+ Businesses Worldwide
Start Free Trial

Featured writers

You’re Subscribed !
And never miss a single update !
Oops! Something went wrong while submitting the form.

Discover SmartSuite

-
Redefining Risk Transparency: What Boards Really Want
What's New in SmartSuite: October 2025
ServiceNow vs. BMC Helix vs. SmartSuite: Which One Is Better?
ServiceNow vs. Freshservice vs. SmartSuite: Which One Is Better?
What's New in SmartSuite: August 2025
What's New in SmartSuite: July 2025
Automate Task Creation with Looping Automations
SmartSuite Announces Integration with X-Analytics to Empower CISOs with Financially-Driven Cyber Risk Management Success
Structuring your Project Management System
Dependencies In Project Management: Definitions & Types
Project Resource Management: Definition, Process, and Software
Creative Project Management: Everything You Need To Know
How To Log Interactions In a SmartSuite CRM
11 Agile Project Management Examples To Get Your Team Started
The 10-Step Project Management Checklist To Get Started
Workstreams In Project Management: Definitions, Benefits & Examples
Visual Project Management: Definitions & 10 Examples
How To Tailor Templates to Your Workflow
7 Project Management Examples To Help Your Team Get Started
What's New in SmartSuite: June 2025
What's New in SmartSuite: May 2025
What's New in SmartSuite: April 2025
How To Start Tracking Time in SmartSuite
Streamlining Your Onboarding With A Learning Dashboard
Honoring Tara Darbyshire: A Trailblazer in GRC and a True Leader
How To Track Lead Sources Automatically With Forms
Elevate Your SmartSuite Dashboards with the Image Library
Empowering Our Customers: What Our Series A Means for You
What's New in SmartSuite: March 2025
What's New in SmartSuite: February 2025
How to Add Images via URL to the Document Designer in SmartSuite
Getting Started With Prefilled Forms
How To Automatically Organize Records by Quarter
What's New in SmartSuite: January 2025
Simplifying Change Requests With Pre-Filled Forms
10 Best Project Management Tools For Consultants In 2026
Skyvia Launches SmartSuite Connector to Enable Seamless Data Integration and Enhance Workflow Management
How To Link Records To Form Submissions With ID Matching
What's New in SmartSuite: The Best New Features in 2024
Tracking Status Changes Over Time
Creating Reports Across Records Using Fixed Date Ranges
How to Create Smarter Dashboards
How a Venture Capital and Private Equity Principal Automated and Streamlined Lead and Investor Management with SmartSuite
A Deep Dive into SmartSuite's New Dashboard Features
Simplify Construction Project Management with SmartSuite
Rapidly Produce Invoices with Document Designer
How to Separate the Details of a Record In A Dashboard
¿Qué es Smartsuite? ¿Cuánto cuesta? Ventajas y desventajas
How to Optimize Linked Records in a Form
Organize Sales Processes in One Dashboard
Project Manager vs. Program Manager: Understanding the Key Differences
Task Management: Everything You Need to Know in 2024
Filter, Select & Obtain Record Details Easily in Dashboards
What's New in SmartSuite: September 2024
A Beginner’s Guide to Dashboards in SmartSuite (With 15 Use Case Examples)
How to Auto-adjust a Project Timeline Based on Task Records
Table of Dashboards Strategy
Guide to SmartSuite Whiteboards with 10 Use Case Examples
How to Link Records After a Form Submission
How to Dynamically Filter Linked Records in a Form
Permissions at Every Level
SmartSuite Named Global SaaS Product of the Year by StartUp Grind at 2024 Global Conference
How to Use a Form for Project Updates
How to Import Files into SmartSuite
How to Automate Document Creation Based on Record Data
How to Use a Pivot Table In a Dashboard View
The Different Ways to Represent Subtasks in SmartSuite
How to use SmartSuite for Strategic Planning (Goals & Objectives)
What's New in SmartSuite: July 2024
How Lookup Fields Eliminate Duplicative Datapoints
3 Practical Ways to Improve the Relationship Between Product and Engineering
Optimizing Record Format in Dashboard Widgets
5 Secrets to Enabling Cross-Functional Marketing
Filtering Dynamically and Statically in Linked Records
Workflow Automation Strategies for Enhanced Productivity
Backwards Scheduling Vs. Auto-Scheduling in Gantt View
Grouping by Two Levels in Your Hierarchy
How to Identify Errors in Your Automations
SmartSuite: Announcing GDPR Compliance
SmartSuite: Announcing HIPAA Compliance
How to Relate Expense Submissions to Projects
SmartSuite Showcase | Onboarding New Hires & Inviting Users to SmartSuite
7 Ways to Boost Creativity at Work
7 Practical Tips to Beat Zoom Fatigue and Stay Productive at Work
5 Practical Ways to Boost Your Efficiency at Work
5 Effective Strategies to Improve Group Communication in the Workplace
Top 5 Workflow Improvement Ideas to Boost Productivity
5 Tips on Becoming an Excellent Player-Coach
How to Create a Folder and Deliver Its Permissions
What's New in SmartSuite: April 2024
How to Create Task Templates for Large Projects
5 Meeting Agenda Templates for Efficient and Effective Gatherings
The No-Code Revolution: Empowering B2B Companies in 2024
SmartSuite Solution Standards for 2024
What's New in SmartSuite: March 2024
How to Hide a Table
5 Best Practices for Marketing Campaign Planning
Revolutionizing Contract Management and Invoice Generation with SmartSuite
Earliest Value From a Linked Record Set
7 Best Gmail Integrations to Increase Your Email Productivity in 2024