For Australian Employment Services Providers

RFFR Compliance, Done Properly.

Risk Ninja is the only GRC platform engineered from the ground up for the Department of Employment and Workplace Relations (DEWR) Right Fit For Risk programme — with direct sync to your Statement of Applicability spreadsheet.

RFFR Isn't Just Another Framework

Right Fit For Risk weaves together the Essential Eight, the ACSC Information Security Manual and ISO 27001 — then layers in DEWR's specific obligations and a Statement of Applicability spreadsheet that has to stay perfectly in step with your evidence. Generic GRC tooling treats those as three separate jobs. Risk Ninja treats them as one.

Built for DEWR Assessors

Designed against the actual RFFR assessment rubric — not retrofitted from a generic ISO 27001 product.

Native SoA Sync

Two-way sync between the platform and the DEWR Statement of Applicability spreadsheet — formatting and formulas preserved.

Three Frameworks, One View

Essential Eight, ISM and ISO 27001 surfaced as a single RFFR meta-framework. Update once, comply everywhere.

Defensible at Assessment Time

Evidence-backed compliance enforcement means assessors see the artefact, not just the tick.

The RFFR Meta-Framework

Every Essential Eight maturity level, every ISM control and every ISO 27001 Annex A control rolls up into a single RFFR posture — with the DEWR obligations tracked alongside.

One Workspace, Every RFFR Requirement

Risk Ninja's RFFR meta-framework page groups all of your in-scope frameworks into one assessor-ready workspace. Cross-framework mapping means a control implemented for ISM is automatically credited against Essential Eight and ISO 27001 where the mapping exists — you don't pay the implementation cost three times.

  • ACSC Essential Eight with full maturity-level (ML1 / ML2 / ML3) tracking and target ML selection
  • ACSC Information Security Manual — March 2026 control set imported and ready
  • ISO 27001:2022 Annex A with implementation-status vocabulary
  • E8 ↔ ISM compliance sync with daily reconciliation and weakest-sibling conflict resolution
  • Seven DEWR RFFR obligations tracked with named Person Responsible per obligation

Sync Straight to the DEWR Spreadsheet

The Statement of Applicability stops being a shadow copy you have to maintain by hand. Risk Ninja exports directly into the official DEWR spreadsheet, preserving formatting, formulas, tabs and structure — so what your team sees in the platform is exactly what the assessor sees in the workbook.

Preview Before You Commit

A four-step modal walks the operator through every row that will be written, every unmatched control identifier, and every cell that will change — before a single byte goes near the file.

Description, Status, Notes, Owner

Risk Ninja writes the four fields that matter on each control row, matched on Control Identifier — no copy-paste, no broken references, no lost formatting.

One-Click Transfers

Per-widget Transfer buttons on the RFFR page push current ISM, E8 and ISO 27001 status to the SoA spreadsheet in seconds — ready for the next DEWR submission.

Audit-Trailed

Every transfer is logged with who, what, when. When DEWR asks how a control moved from Partial to Compliant, the answer is one click away.

AI That Reads Like Your CISO Wrote It

Risk Ninja's AI features are tuned for Australian cyber regulation, written in Australian English, and instructed not to hallucinate. They accelerate the work your team is already doing — they don't replace the judgement that DEWR is going to test.

Executive Risk Narrative

An AI-drafted, five-section, board-grade report for your CEO and executive leadership. Edit, approve, lock and download as a branded PDF — with the data snapshot frozen for future defensibility.

Hattori AI Chat

A streaming assistant that knows your risks, findings, controls, treatment plans and frameworks — ready to answer assessor-style questions while you draft your SoA.

What Next Gap Analysis

AI-driven maturity gap analysis and remediation roadmap for E8, ISM and ISO 27001 — the three frameworks that decide your RFFR outcome.

Suggest Owners & Controls

AI nominates likely control owners and suggests treatment controls when you draft a new risk — with a guardrail so BCP/DR never gets confused with Backups.

Bring Your Own LLM

OpenAI, Anthropic, Google Gemini, xAI, Perplexity, OpenRouter or any OpenAI-compatible endpoint. AES-256-GCM key storage, daily token and AUD spend caps, and per-feature model overrides. Keep AI inside your boundary if you need to.

Transparent Usage Caps

An organisation-wide AI allowance, a daily reset countdown, and a per-feature usage breakdown report. Your CFO sees the spend; your assessor sees the audit trail.

Define What Matters — Then Defend It

Your participant data, your DEWR portal access, your case-management systems — that's what RFFR is actually about protecting. Risk Ninja gives you a place to define those crown jewels and a structured lifecycle for keeping them safe.

Scoped Risk Registers

Organise risk registers around your crown jewels. Each register carries its own risks, treatment plans, owners and approvals — with a complete audit trail of who changed what and when.

Many-to-Many Treatment Plans

A single mitigation can defend several crown jewels at once. Risk Ninja models treatment plans the way your team actually works — one plan, many linked risks.

Evidence-Gated Compliance

You can't mark a control Compliant or Implemented on an auditable framework without a non-expired evidence artefact. Bypasses are recorded with a warning that the audit will fail.

Cross-Framework Impact Assessment

Change a control status in one framework and see immediately which other frameworks — and which crown-jewel registers — are affected. No more silent compliance regressions.

Action Centre with 14-Day Horizon

Overdue and upcoming items — findings, evidence renewals, treatment plans, unassigned controls — surfaced in one sidebar badge so nothing slips before assessment day.

Daily Compliance Snapshots

Compliance posture for every framework is snapshotted daily, with trend charts so you can show DEWR a defensible trajectory — not just a single-point-in-time score.

Why Heads of IT Choose Risk Ninja for RFFR

If you're carrying RFFR for your employment services organisation, you're juggling DEWR timelines, internal audit, executive reporting and a delivery roadmap that's already full. Here's what changes when RFFR runs on Risk Ninja.

You Stop Maintaining the SoA by Hand

The spreadsheet stays canonical for DEWR. The work happens in the platform. The two stay in sync.

You Walk Into Assessment Audit-Ready

Evidence on every Compliant control, version-locked executive narrative, daily compliance snapshots, every change captured in the audit log.

You Control Where the AI Runs

Bring your own LLM keys, set per-feature models, cap daily tokens and AUD spend. AI accelerates the work — on your terms.

Your Team Shares the Load

Named Person Responsible per RFFR obligation, per-control owners, role-based visibility, and the Action Centre making sure nobody's plate is invisible.

Need a Framework We Don't Have Yet?

Risk Ninja already ships with 30+ frameworks — but if your organisation needs a standard or framework we haven't built yet, we'll add it on request. Sector regulations, internal control catalogues, customer-specific control sets — ask us and we'll get it into the platform for you.

Walk Into Your Next RFFR Assessment With Confidence

Book a tailored RFFR demo. We'll show you the meta-framework, the SoA sync, the executive narrative and the Action Centre — with your DEWR timeline in mind.