From SOPs to AI agents: The evolution of risk decision-making

In 2011, my brother and I built SIRV (now the Enterprise Resilience Platform UK) to support heads of risk, security, and crisis teams in making better decisions. Back then, that meant helping someone know which button on the fire panel to press, or what to do when spotting a suspicious bag. These are high-impact, low-frequency events, the kind you can’t afford to get wrong.

Side-by-side comparison of traditional SOP binders and a modern AI assistant interface in a security control room, showing the evolution of risk decision-making.

The limits of SOPs and training

Traditionally, security and risk teams relied on standard operating procedures (SOPs), staff training and desktop exercises. This approach worked, but it left room for hesitation and human error.

We first provided decision trees, but they were slow to build and sometimes clashed with written SOPs. Even the best-trained operators had to rely on memory or instinct in moments of crisis.

The challenge of rare, high-impact incidents

In operational risk management, many critical decisions are rarely made, but when they are, the stakes are enormous. Examples include:

  • A lone worker fails to check in at 03:00.

  • A suspicious package is discovered in the post.

  • Protestors begin gathering at a sensitive site.

  • Severe weather disrupts operations.

  • A breach is detected in an access control system.

These scenarios demand fast, confident responses, but because they occur infrequently, teams often lack the muscle memory or assurance to act instantly.

From static procedures to governable AI agents

Fast forward to today: Cal, our governable AI agent for security teams, transforms how decisions are made. Built on retrieval-augmented generation AI (RAG AI), Cal contextualises your SOPs in real time and provides clear, auditable guidance.

Instead of flipping through binders or relying on fading training, teams simply upload their procedures. Cal then:

  • Identifies the incident type from structured or unstructured data.

  • Retrieves the most relevant procedure instantly.

  • Surfaces only the steps needed at that moment.

  • Creates a digital incident report for compliance and audit.

This isn’t generic AI; it’s ISO 27001 AI security software, purpose-built for risk and compliance reporting.

Human-first AI for compliance and resilience

Cal is human-first AI: it supports human judgment, never overrides it. Operators remain in control, but with instant access to the right SOPs and decision support.

Over time, Cal learns patterns, urgency, and context. That shifts organisations from reactive responses to proactive risk resilience.

And crucially, Cal is designed for GDPR-compliant AI platforms, with full audit trails and data governance. It also supports the new Martyn’s Law compliance requirements.

Real-world example: suspicious package response

In 2011, we built decision trees to help a security officer decide how to handle a suspicious bag. It required training and trust in the tool. Today, Cal handles the same scenario by:

  • Recognising the incident via operator input or sensor data.

  • Instantly retrieving the “Suspicious Item” SOP.

  • Highlighting critical steps (isolate the area, do not touch, notify authorities).

  • Generating a secure, auditable incident report for compliance.

The result: no hesitation, no guesswork, just calm, compliant, confident action.
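To make the retrieve-then-guide pipeline described above (identify the incident, retrieve the procedure, surface the steps, record the decision) concrete for the suspicious-package case, here is a toy version of it. This is an added example, not SIRV's or Cal's code: plain term overlap stands in for the vector index and language model a real RAG system would use, the SOP library and the incident reports are constructed samples, and the `MIN_SCORE` threshold and the `operator_confirmed` flag are assumptions about how such a tool should behave rather than a description of Cal. The audit record hashes both the operator's input and the exact SOP version shown, so a reviewer can later prove which text the operator was given.

```python
"""Toy retrieve-then-guide pipeline with an audit record.

Added illustration, not SIRV's or Cal's code. Term overlap stands in for
the vector index and language model a real RAG system would use; the
SOPs, threshold and report format are constructed for this example.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample SOP library: id, version, searchable keywords, steps.
SOPS = [
    {
        "id": "SOP-SUSPICIOUS-ITEM",
        "version": "3.2",
        "keywords": "suspicious package bag item unattended post mail parcel",
        "steps": [
            "Do not touch or move the item.",
            "Isolate and cordon off the area.",
            "Notify the control room and emergency services.",
            "Keep people clear until authorities arrive.",
        ],
    },
    {
        "id": "SOP-LONE-WORKER",
        "version": "1.4",
        "keywords": "lone worker missed check-in overdue no contact welfare",
        "steps": [
            "Attempt contact by phone and radio.",
            "Check last known location.",
            "Dispatch a welfare check if no response within 15 minutes.",
        ],
    },
    {
        "id": "SOP-ACCESS-BREACH",
        "version": "2.0",
        "keywords": "access control breach door forced tailgating alarm badge",
        "steps": [
            "Confirm the alarm on CCTV.",
            "Dispatch a patrol to the affected door.",
            "Preserve access logs for investigation.",
        ],
    },
]

MIN_SCORE = 0.15  # assumption: below this the tool must not guess an SOP


def tokens(text):
    """Lower-case word tokens; hyphenated terms such as 'check-in' stay whole."""
    return set(re.findall(r"[a-z0-9-]+", text.lower()))


def retrieve(report):
    """Return (sop, score) for the best-matching SOP, or (None, score) when
    nothing clears MIN_SCORE. Score is the share of report tokens that
    appear in the SOP's keyword list."""
    report_tokens = tokens(report)
    if not report_tokens:
        return None, 0.0
    best, best_score = None, 0.0
    for sop in SOPS:
        overlap = report_tokens & tokens(sop["keywords"])
        score = len(overlap) / len(report_tokens)
        if score > best_score:
            best, best_score = sop, score
    if best_score < MIN_SCORE:
        return None, best_score  # low confidence: escalate rather than guess
    return best, best_score


def guide(report, operator):
    """Classify, retrieve and surface steps, and build the audit record.
    Hashing the input and the exact SOP version lets a reviewer show later
    which text the operator was given; confirmation stays with the human."""
    sop, score = retrieve(report)
    sop_hash = (
        hashlib.sha256(json.dumps(sop, sort_keys=True).encode()).hexdigest()
        if sop else None
    )
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "report_sha256": hashlib.sha256(report.encode()).hexdigest(),
        "retrieval_score": round(score, 3),
        "sop_id": sop["id"] if sop else None,
        "sop_version": sop["version"] if sop else None,
        "sop_sha256": sop_hash,
        "operator_confirmed": False,  # flipped by the human, never by the tool
    }
    steps = sop["steps"] if sop else ["No matching SOP: escalate to the duty manager."]
    return steps, record


if __name__ == "__main__":
    steps, record = guide("Unattended bag found in the post room", "op-17")
    print(json.dumps({"steps": steps, "audit": record}, indent=2))
```

The two details worth copying into any real deployment are the refusal path (an unmatched report returns an escalation instruction instead of the nearest SOP) and the audit record tying the guidance to a hashed SOP version, which is what makes the guidance reviewable after the fact.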

The future is safer, not smaller

Some people worry that AI will replace jobs in security and risk teams. It won’t: the future of AI risk management software isn’t job losses but better, more reliable, safer decisions.

The role of the human is shifting from manual responder to informed decision-maker. Cal is the AI for risk and compliance that UK organisations need, supporting security teams in transport, financial services, and critical infrastructure.

As part of SIRV’s Enterprise Resilience Platform, Cal works seamlessly with incident management software UK (Internal Reports) and geospatial risk monitoring (Maps & Visualisations). Together, they give enterprises a governed, compliant, and resilient way to manage risk.

Author bio – Andrew Tollinton

Andrew Tollinton is Co-Founder of SIRV, the UK’s enterprise resilience platform. A leader in risk management technology, he chairs the Institute of Strategic Risk Management’s AI in Risk Management group and regularly speaks on AI and resilience at global conferences. A London Business School alumnus, Andrew brings 20+ years’ experience at the intersection of technology, compliance and security.

"SIRV helped us move beyond basic reporting into a system that actively supports decision-making." Les O'Gorman, Director of Facilities, UCB - Pharma and Life Sciences