The Intelligent RCSA (Risk and Control Self-Assessment) Accelerator is an end-to-end solution for automating risk workflows using Azure OpenAI and a modular agentic architecture. It enables organizations to:
- Generate draft project submissions
- Map risks to categories and sub-risks
- Map risks to controls
- Propose mitigations for each risk-control pair
- Flag issues and deficiencies
- Evaluate guardrails and enforce compliance
- Make final approval decisions
- Capture and process user feedback asynchronously
The accelerator provides a FastAPI backend, a modern React/Next.js frontend, and a flexible agent-based orchestration layer for extensibility and compliance.
- agentic_rcsa.py: Core orchestration logic, agent definitions, and workflow context management.
- api.py: FastAPI server exposing REST endpoints for workflow orchestration, feedback, and CRUD operations.
- data/: JSON catalogs for risks, controls, guardrails, and past submissions.
- output/: Stores workflow context files (one per workflow instance).
- app/: Next.js app directory structure for workflows, dashboards, and catalogs.
- components/: UI components for workflow steps, progress, forms, and catalog views.
- lib/: TypeScript utilities for API calls, workflow actions, and data formatting.
The accelerator uses modular agents, each responsible for a specific workflow step:
- Draft Agent: Generates a draft submission from a project description.
- Mapping Agent: Identifies and categorizes risks.
- Controls Agent: Maps risks to relevant controls.
- Mitigation Agent: Proposes mitigations for each risk-control pair.
- QA Agent: Flags issues and deficiencies in the draft and mitigations.
- Decision Agent: Makes approval/rejection decisions based on controls and issues.
- Guardrail Agent: Evaluates compliance with guardrail rules.
- Feedback Agent: Processes user feedback asynchronously and updates the workflow context.
All agents are orchestrated via the run_risk_workflow function and can be extended or customized for new logic.
All workflow state is stored in a single WorkflowContext dataclass and persisted as JSON. Key fields include:
- project_description: User-provided description
- draft_submission: Draft details (title, objectives, etc.)
- risk_mapping: Identified risks
- controls_mapping: Controls mapped to risks
- mitigation_proposals: Mitigation steps
- issues_list: QA flagged issues
- guardrail_violations: Guardrail rule violations
- decision_result: Final approval decision
- ui_updates: Ordered events for UI rendering
- feedbacks: User feedback per step
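As an added sketch (not the accelerator's own code), one way to persist such a context as one JSON file per workflow instance without letting a workflow id escape the output directory or leaving a half-written file for a reader. The field names come from the list above; the field types, the `<workflow_id>.json` naming, the id pattern and the helper names `context_path`, `save_context` and `load_context` are assumptions.

```python
import json, os, re, tempfile
from dataclasses import asdict, dataclass, field, fields
from pathlib import Path
from typing import Any, Dict, List, Optional

# Assumed id format; the README does not say how context files are named.
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

@dataclass
class WorkflowContext:
    # Field names are from the README; the types are assumptions.
    project_description: str = ""
    draft_submission: Optional[Dict[str, Any]] = None
    risk_mapping: List[Any] = field(default_factory=list)
    controls_mapping: List[Any] = field(default_factory=list)
    mitigation_proposals: List[Any] = field(default_factory=list)
    issues_list: List[Any] = field(default_factory=list)
    guardrail_violations: List[Any] = field(default_factory=list)
    decision_result: Optional[Dict[str, Any]] = None
    ui_updates: List[Any] = field(default_factory=list)
    feedbacks: Dict[str, Any] = field(default_factory=dict)

def context_path(output_dir: Path, workflow_id: str) -> Path:
    """Map an id to <output_dir>/<id>.json, rejecting ids that could leave the directory."""
    if not _ID_RE.fullmatch(workflow_id):
        raise ValueError(f"invalid workflow id: {workflow_id!r}")
    return output_dir / f"{workflow_id}.json"

def save_context(output_dir: Path, workflow_id: str, ctx: WorkflowContext) -> Path:
    """Write to a temp file, then rename, so a reader never sees a partial file."""
    target = context_path(output_dir, workflow_id)
    output_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=output_dir, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(asdict(ctx), fh, indent=2)
        os.replace(tmp, target)  # atomic when source and target share a directory
    except BaseException:
        os.unlink(tmp)  # the temp file still exists if the dump or the rename failed
        raise
    return target

def load_context(output_dir: Path, workflow_id: str) -> WorkflowContext:
    """Load a context, refusing keys that are not declared fields."""
    data = json.loads(context_path(output_dir, workflow_id).read_text(encoding="utf-8"))
    unknown = set(data) - {f.name for f in fields(WorkflowContext)}
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    return WorkflowContext(**data)
```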
- Python 3.8+
- Node.js 18+
- Azure OpenAI deployment (GPT-4.1)
- .env file in backend/ with Azure OpenAI credentials:
      AZURE_OPENAI_DEPLOYMENT=<your_deployment_name>
      AZURE_OPENAI_API_KEY=<your_api_key>
      AZURE_OPENAI_API_VERSION=<api_version>
      AZURE_OPENAI_ENDPOINT=https://<your_resource>.openai.azure.com/
- Install dependencies:
      cd backend
      pip install -r requirements.txt
- Start the FastAPI server:
      uvicorn api:app --reload
  The API will be available at http://127.0.0.1:8000.
- Install dependencies:
      cd frontend
      npm install # or pnpm install
- Set the backend API URL in your environment (if not default):
      export NEXT_PUBLIC_API_URL=http://127.0.0.1:8000
- Start the Next.js development server:
      npm run dev # or pnpm dev
  The frontend will be available at http://localhost:3000.
- Start a new workflow from the UI or via POST /workflow/start.
- Progress through each workflow step, providing feedback as needed.
- The backend processes feedback asynchronously; the frontend polls for updates.
- All workflow state is persisted in backend/output/ as JSON for traceability.
- Add new agents: Implement new @function_tool wrappers in agentic_rcsa.py.
- Modify workflow steps: Update the steps list in run_risk_workflow or orchestrator instructions.
- Update catalogs: Edit JSON files in backend/data/.
- Customize UI: Extend React components in frontend/components/.
MIT © Microsoft