The CRI Profile: Everything You Should Know About It [2026]

Jon Darbyshire
CEO SmartSuite
June 19, 2026
12 mins read

This article walks through what the CRI Profile is, who needs it, how to roll it out, and where the framework fits among the other cyber standards your bank already juggles.

TL;DR

  • The CRI Profile is a cybersecurity and operational resilience framework built by and for the financial sector, extending the NIST Cybersecurity Framework.
  • It folds thousands of overlapping regulatory expectations into roughly 318 diagnostic statements, so you answer one set of questions and stop re-answering the same thing for every regulator.
  • The FFIEC retired its Cybersecurity Assessment Tool on August 31, 2025, and the CRI Profile is one of the frameworks banks moved toward as a replacement.
  • Who uses it: Banks, credit unions, insurers, investment firms, and the vendors that serve them. It scales by "impact tier," so a community bank and a global systemically important bank don't do the same amount of work.
  • SmartSuite is a CRI Innovator that turns the Profile's diagnostic statements into trackable, assignable workflows with evidence attached and live reporting over the whole program.

What is the CRI Profile?

The CRI Profile is a cybersecurity risk management framework made for financial institutions.

It was built by the Cyber Risk Institute, a non-profit consortium of banks, trade groups, consulting firms, and technology vendors, with input from regulators who got tired of every supervisor speaking a slightly different dialect of risk.

The Profile builds on the NIST Cybersecurity Framework, then extends it with the controls, governance expectations, and third-party requirements that financial regulators actually care about.

What sets it apart from a generic security checklist is the consolidation.

The CRI Profile takes more than 2,500 regulatory expectations scattered across federal, state, and international rulebooks and compresses them into a single structured set of control objectives called diagnostic statements.

You answer the diagnostic statements once.

The framework's mapping then translates those answers into evidence aligned to whichever regulation is asking, whether that's a federal banking regulator, NYDFS, or the EU's DORA mandate.

Banks, insurers, and investment firms typically use it to run self-assessments, find control gaps, and prep for examinations.

It's a good way to stop reinventing the same assessment for every regulator who walks through the door.

How does the CRI Profile actually work?

Everything is based on your impact tier, and the first thing you'll do is run a short questionnaire to find it.

The Profile defines four tiers based on how much your institution matters to the broader financial system.

  • A small community bank lands in a lower tier and answers fewer diagnostic statements.
  • A bank that clears a meaningful slice of national transaction volume lands higher and answers more.

I've watched plenty of frameworks ignore this, and it's the part people tend to appreciate most.

You implement controls proportional to your actual risk, so a credit union isn't held to the same operational bar as a globally systemic institution.

Once you know your tier, the work settles into a fairly predictable loop.

  • You assess current controls against the diagnostic statements that apply to you.
  • You flag the gaps. You rank them by impact and likelihood.
  • Then you remediate, document, and reassess on a regular cadence.

For each diagnostic statement, you're recording where you stand and why, plus what you plan to do about any shortfall.

The Profile also maps cleanly to NIST CSF 2.0 and to a growing catalog of other standards, such as ISO 27001, NIST 800-53, the FFIEC handbooks, and CIS Controls.

Why is the CRI Profile important?

More than anything, it gives the financial sector a shared language for cyber risk.

For a long time, every regulator, region, and business line described risk a little differently.

  • A control that satisfied one examiner needed rewording for the next.
  • Boards saw maturity reports they couldn't compare year over year.
  • Vendors sent questionnaires that no two banks scored the same way.

The CRI Profile cuts through that.

When a CISO, an auditor, a board member, and a regulator are all reading the same diagnostic statements, the debate stops being about which framework to standardize on and turns into a working conversation about which gaps to close first.

There's a real efficiency story underneath the harmonization, too.

Institutions that consolidate their assessments around the Profile report meaningful reductions in regulatory overlap, because they stop running duplicative audits across frameworks that were mostly asking the same thing in different words.

It also scales down, which matters more than it sounds. A lot of cyber frameworks were written with the biggest banks in mind.

The impact-tier model means a small institution can adopt the Profile without drowning in controls built for a trillion-dollar balance sheet.

Who actually needs the CRI Profile?

If you're a U.S. bank or credit union under federal or state supervision, this one is probably already on your radar.

The clearest case is any institution that was using the FFIEC Cybersecurity Assessment Tool and now needs a replacement.

The CAT was sunset on August 31, 2025, and the CRI Profile is one of the frameworks the industry moved toward.

But the audience is wider than domestic banks. Insurers, investment firms, asset managers, and fintechs all fall inside the Profile's intended scope, especially the ones operating across multiple jurisdictions.

Then there are the vendors.

If you sell technology or services into financial institutions, your clients increasingly expect you to speak CRI. Aligning your own assessments to the Profile's diagnostic statements cuts down the back-and-forth on due-diligence questionnaires and speeds up onboarding.

One nuance worth being clear about: the Profile is voluntary, and it isn't a certification.

No central body audits you against it or stamps your forehead with a passing grade.

What happens instead is that supervisors look at how you've adopted and used it during their reviews.

So the value isn't a certificate on the wall. It's a defensible, organized story you can tell an examiner on short notice.

How do you implement the CRI Profile?

Rolling out the Profile isn't a weekend project, but it follows a sequence that's easier to manage when you know the shape of it up front.

Step 1: Scope and tier

Before anything else, you want to run the tiering questionnaire to figure out which of the four impact tiers you fall into.

This decides how many diagnostic statements apply to you, so it sets the size of the whole effort.

Get this wrong and you either over-build controls you don't need or under-prepare for an exam.

You need to pull in your risk and compliance leads here, since the inputs touch transaction volumes, data footprints, and systemic role.

Step 2: Run the gap assessment

Now you compare your existing controls against the diagnostic statements in scope.

For each statement, you're capturing your current state, the reasoning behind it, and any evidence that backs it up. Some statements you'll satisfy outright. Others you'll meet through a compensating control.

A few you'll have no answer for yet, and those become your gap list.

Step 3: Prioritize and remediate

You won't fix everything at once, so rank the gaps.

Most teams sort by a mix of impact, likelihood, and the investment required to close each one. Start with the high-risk, high-likelihood items, document your prioritization logic so it's repeatable, then work down the list.

You want to give every gap an owner and a deadline, and track the remediation work the way you'd track any other project, because that's all it really is.

Step 4: Document, monitor, reassess

The Profile rewards continuous readiness over once-a-year scrambles.

Supervisory reviews can show up at awkward times, especially if you're expanding into new markets, onboarding a large client, or working through an incident. So the goal is to stay exam-ready year-round.

You maintain evidence as controls operate, watch for drift, and reassess on a regular cadence, which keeps the whole thing from going stale between audits.
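The four steps above as a small worked model, added here as an illustration and not SmartSuite's or the Cyber Risk Institute's code: the statement IDs, tier sets, scores and dates are constructed, and the tier numbering (1 = highest impact), the impact times likelihood ranking and the 180-day evidence cadence are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

@dataclass
class Statement:
    """One diagnostic statement as tracked in a gap assessment (constructed schema)."""
    sid: str
    applies_to: FrozenSet[int]          # impact tiers that must answer it (1 = highest impact)
    status: str                         # "met", "compensating" or "gap"
    impact: int                         # 1 (low) .. 5 (high)
    likelihood: int                     # 1 (low) .. 5 (high)
    effort: int                         # 1 (cheap) .. 5 (expensive) to close
    evidence_date: Optional[date] = None  # date of the most recent supporting evidence

# Constructed sample: IDs, tiers, scores and dates are illustrative only.
SAMPLE = [
    Statement("DS-001", frozenset({1, 2, 3, 4}), "met", 4, 3, 2, date(2026, 1, 10)),
    Statement("DS-002", frozenset({1, 2, 3, 4}), "gap", 5, 4, 3),
    Statement("DS-003", frozenset({1, 2}), "gap", 5, 5, 5),
    Statement("DS-004", frozenset({1, 2, 3, 4}), "compensating", 3, 2, 1, date(2025, 6, 1)),
    Statement("DS-005", frozenset({1, 2, 3, 4}), "gap", 2, 5, 1),
]
ASSESSMENT_DATE = date(2026, 6, 19)  # constructed "today" for the worked run

def in_scope(statements, tier):
    """Step 1: only the statements that apply to the institution's tier count."""
    return [s for s in statements if tier in s.applies_to]

def gap_list(statements, tier):
    """Step 2: anything not met outright or via a compensating control is a gap."""
    return [s for s in in_scope(statements, tier) if s.status == "gap"]

def prioritize(gaps):
    """Step 3: highest impact x likelihood first; ties go to the cheaper fix."""
    return sorted(gaps, key=lambda s: (-(s.impact * s.likelihood), s.effort))

def assign(gaps, owners, start, days_per_item=30):
    """Step 3: every ranked gap gets an owner (round-robin) and a deadline."""
    return [{"sid": s.sid, "owner": owners[i % len(owners)],
             "due": (start + timedelta(days=days_per_item * (i + 1))).isoformat()}
            for i, s in enumerate(gaps)]

def stale_evidence(statements, tier, today, max_age_days=180):
    """Step 4: satisfied statements whose evidence is older than the cadence have drifted."""
    cutoff = today - timedelta(days=max_age_days)
    return [s.sid for s in in_scope(statements, tier)
            if s.status != "gap" and (s.evidence_date is None or s.evidence_date < cutoff)]

def run_assessment(tier, today, owners=("risk-lead", "it-ops")):
    """Whole loop for one tier: scope, gaps, ranking, ownership, drift check."""
    ranked = prioritize(gap_list(SAMPLE, tier))
    return {"in_scope": len(in_scope(SAMPLE, tier)), "ranked": [s.sid for s in ranked],
            "plan": assign(ranked, list(owners), today), "stale": stale_evidence(SAMPLE, tier, today)}
```

Running it for tier 4 drops DS-003 from scope entirely, while tier 1 has to rank and own it first because it scores highest.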

How does SmartSuite support the CRI Profile?

A framework tells you what to measure.

However, it doesn't move the work along, route a failed control to the right owner, or assemble evidence when an examiner asks.

That gap between the structure and the daily execution is where most teams either buy a dedicated platform or rely on spreadsheets.

SmartSuite offers an AI-native work management platform that handles governance, risk, and compliance while keeping those workflows connected to the rest of the business.

SmartSuite is also a recognized CRI Innovator, working directly with the Cyber Risk Institute to embed the Profile's content and logic into the platform's risk management solution.

In practice, that means the diagnostic statements you'd otherwise track in a spreadsheet become live, assignable records inside the platform.

SmartSuite is a better fit if you want your CRI work tied into the rest of your risk, audit, and operational programs in one governed system.

Here’s more about how SmartSuite works for CRI compliance:

And, if you’re a financial institution, you can check out our webinar on how we’re future-proofing cyber risk management for financial institutions:

You’ll discover how our no-code GRC platform lets organizations integrate risk, compliance, and control processes directly into the business without retrofitting legacy or over-architected systems, while using the Cyber Risk Institute Profile for managing compliance.

I’ll have to be honest here and say that it's going to be less of a fit if you only need lightweight certification automation for a single framework like SOC 2 and nothing more.

Getting started with the CRI Profile

The CRI Profile gives the financial sector something it spent years without: one structured way to answer the same questions every regulator keeps asking, scaled to the size of your institution.

Adopting it is the strategic decision. Running it day to day is the operational one, and that second part is where most programs either hum along or quietly fall behind.

If you want to see what the diagnostic statements look like as live, assignable work and not another spreadsheet you dread updating, you can spin up SmartSuite and try it on your own controls.

You can start a free trial with no credit card required to map out a few diagnostic statements before committing.

Alternatively, you can book a demo with us to see how your CRI Profile work looks when it's connected to the rest of your risk program.
