KITE 2025 New Product Award — Local IT | SACEEC
Dimeri for Kenya

GRC Software for Kenyan Organisations

Kenya's governance, risk, and compliance environment is one of the most layered in East Africa.

Dimeri Risk Intelligence Platform (AI Active)

Risk Register | Controls | Incidents | Governance | Strategic

  • 2 Critical
  • 4 High Priority
  • 5 Active Risks
  • 63% Avg Control

Risk Heat Map — 5×5 Matrix (axis: Likelihood, Low to High)

Active Risk Items

  • Critical: Mwongozo — Board Risk Committee Effectiveness Gap (58%)
  • Critical: DPA 2019 Section 41 — ODPC Registration Non-Compliance (45%)
  • High: CBK Guideline — Operational Risk Framework Deficiency (64%)

Industry Risk Landscape

Understanding the Risk Environment

Kenya's governance and regulatory environment has undergone a significant transformation over the past decade, driven by constitutional reforms, the devolution of government, and a rapidly expanding financial services sector that demands world-class risk management.

Key risk areas covered

  • Mwongozo Code Governance & State Corporation Reporting
  • DPA 2019 Data Protection Compliance (ODPC)
  • CBK Risk Management & Prudential Guidelines
  • CMA Corporate Governance for Listed Companies

Key Frameworks & Standards

  • Mwongozo Code
  • Kenya DPA 2019
  • CMA Code
  • CBK Risk Management Guidelines
  • ISO 31000
  • COSO ERM
  • IIA Three Lines

See how Dimeri maps your risks to the right frameworks automatically.


Core Risk Use Cases

Built for How Your Industry Actually Works

Mwongozo Code Governance & State Corporation Reporting

The Mwongozo Code requires state corporations to demonstrate governance outcomes across board effectiveness, risk management, internal audit, ethics, and stakeholder engagement.

  • Dimeri maps every risk in your register to the relevant Mwongozo governance principle, tracks the status of each governance outcome, and generates compliance reports structured to the format that parent ministries, the SCAC, and parliamentary oversight committees expect.
  • Board chairs and CEOs of state corporations can see at a glance which Mwongozo requirements are fully addressed, which have gaps, and what remediation actions are underway.

DPA 2019 Data Protection Compliance (ODPC)

DPA 2019 compliance requires registration with the ODPC, documented lawful basis for every category of personal data processed, data protection impact assessments for high-risk processing, breach notification within 72 hours, records of processing activities, and evidence of appropriate technical and organisational safeguards.

  • Dimeri creates a structured DPA 2019 compliance register that links every processing activity to its lawful basis, tracks consent records and data subject access requests, manages cross-border transfer documentation, and logs data breach incidents with ODPC notification timelines.
  • Each processing activity is linked to the responsible data protection officer, and compliance status is visible on a real-time scorecard.

CBK Risk Management & Prudential Guidelines

The CBK Prudential Guidelines require commercial banks and microfinance institutions to maintain comprehensive enterprise risk management frameworks with documented risk registers covering credit risk, market risk, operational risk, liquidity risk, technology risk, and cybersecurity risk.

  • Banks must conduct periodic stress tests, report risk exposures to the CBK, and ensure the board risk committee actively oversees the risk management function.
  • Dimeri provides a structured risk register that maps every risk to the specific CBK guideline it addresses, tracks control effectiveness with quantitative metrics, and generates the periodic risk reports that banks submit to the CBK.

CMA Corporate Governance for Listed Companies

The CMA Code of Corporate Governance Practices requires NSE-listed companies to establish governance structures that include independent board oversight, functioning audit and risk committees, documented risk management frameworks, and transparent governance disclosures in annual reports.

  • Dimeri maps your risk register and governance activities to the specific requirements of the CMA Code, tracks compliance with continuing listing obligations, and generates governance disclosures structured to the format that the CMA and NSE expect.
  • Board secretaries and company secretaries of listed companies can produce governance sections of the annual report directly from Dimeri's live data — showing board composition and evaluation outcomes, risk committee activities and findings, risk management framework maturity, and compliance with each CMA Code requirement.

Digital Risk Register

GRC Register — Kenyan Regulatory View

✦ Powered by AI
| Risk ID | Risk Description | Owner | Score | Control % |
|---|---|---|---|---|
| KE-001 | Mwongozo — Board Risk Committee Effectiveness Gap | Corporation Secretary | 18 | 58% |
| KE-002 | DPA 2019 Section 41 — ODPC Registration Non-Compliance | Data Protection Officer | 20 | 45% |
| KE-003 | CBK Guideline — Operational Risk Framework Deficiency | Chief Risk Officer | 16 | 64% |
| KE-004 | CMA Code — Governance Disclosure Gap in Annual Report | Company Secretary | 12 | 70% |
| KE-005 | PFM Act 2012 — Quarterly Risk Report Submission Delay | Accounting Officer | 9 | 78% |

AI analysis has identified that the Mwongozo board risk committee effectiveness gap (KE-001) and the CBK operational risk framework deficiency (KE-003) share a common root cause: the organisation lacks a formalised risk appetite statement approved by the board. Without a documented risk appetite, the board risk committee cannot effectively evaluate whether residual risk levels are acceptable, and the CBK operational risk framework lacks the foundational reference point required by the Prudential Guidelines. Establishing a board-approved risk appetite statement with defined tolerance thresholds would reduce residual risk scores for both items by an estimated 40% and resolve two regulatory findings simultaneously.

Control & Incident Tracking

Three Lines of Defence — Tracked and Tested

Every risk in your register links to preventive, detective, and corrective controls. Effectiveness percentages update as evidence is logged. Full audit trail for regulators.

Preventive

Kenyan Regulatory Obligation Mapping

Every applicable Kenyan regulation — Mwongozo Code, DPA 2019, CBK Prudential Guidelines, CMA Code, PFM Act 2012, IRA requirements, SASRA standards — is mapped to the specific risks and controls in your register. When the ODPC issues new guidance, the CBK publishes an updated prudential circular, or the CMA amends listing requirements, Dimeri identifies which existing risks are affected and flags any gaps in your control coverage. Obligation owners receive automated reminders before compliance deadlines — including ODPC registration renewal dates, CBK periodic reporting deadlines, and CMA annual governance disclosure timelines. The mapping is maintained as a living document rather than a point-in-time exercise, ensuring your organisation stays ahead of Kenya's evolving regulatory landscape.

Effectiveness: 86%

Detective

Multi-Regulator Compliance Scorecard

A single-screen traffic-light scorecard shows your compliance status against every Mwongozo governance principle, DPA 2019 requirement, CBK prudential guideline, and CMA Code obligation. Each item is rated green, amber, or red based on current evidence and control effectiveness, with trend arrows showing whether compliance is improving or deteriorating. For organisations regulated by multiple Kenyan bodies — such as a bank that must satisfy CBK, CMA, and DPA 2019 requirements simultaneously — the scorecard provides a consolidated view that eliminates the need to maintain separate compliance trackers for each regulator. The scorecard updates automatically as assurance activities are completed and evidence is uploaded, giving the board risk committee a real-time view of the organisation's regulatory posture without waiting for quarterly reports.

Effectiveness: 82%

Corrective

Remediation Workflow & Regulator Reporting

When a governance gap, compliance breach, or audit finding is identified — whether from an internal review, an ODPC audit, a CBK examination, or an Auditor-General report — Dimeri creates a structured remediation workflow with assigned owners, due dates, and evidence requirements. Progress is tracked through to closure with a full audit trail. Board and committee reports are generated automatically from current data, showing risk profile changes, remediation progress, emerging risks, and compliance status across all applicable Kenyan frameworks. For state corporations reporting to parent ministries and parliamentary committees, the reports are structured to the format that Mwongozo and the PFM Act require. For banks reporting to the CBK, risk reports align to the prudential reporting templates. The manual process of compiling governance reports from scattered spreadsheets and departmental inputs is replaced by automated, evidence-based reporting.

Effectiveness: 76%

Risk Register Software vs Excel

Why Spreadsheets Fail in This Industry

Spreadsheets cannot handle the complexity, volume, and real-time demands of modern industrial risk management. Here is where they consistently break down — and what Dimeri does instead.

| Spreadsheet Problem | Dimeri Solution |
|---|---|
| Mwongozo governance compliance tracked in static Word documents that are outdated within weeks and cannot demonstrate evidence trails to the Auditor-General or EACC | Living Mwongozo governance register that maps risks to governance principles in real time, with structured evidence trails for every compliance requirement ready for oversight body review |
| DPA 2019 processing records and ODPC registration documentation scattered across department folders with no central view of compliance status or breach notification timelines | Centralised DPA 2019 compliance register with full traceability from processing activity to lawful basis, DPIA documentation, ODPC registration status, and 72-hour breach notification tracking |
| CBK risk registers maintained in Excel files across different risk categories with no consolidated view for the board risk committee or CBK on-site examinations | Unified CBK-aligned risk register covering credit, operational, market, liquidity, technology, and cyber risk with automated prudential reporting and examination-ready documentation |
| CMA governance disclosures for the annual report compiled manually over several weeks from scattered board and committee records, often incomplete by the submission deadline | Board-ready CMA governance disclosures generated in minutes from live data, with evidence references for every Code requirement and continuing listing obligation |
| No way to identify connections between governance gaps across different regulators — a risk appetite deficiency affects Mwongozo, CBK, and CMA compliance simultaneously but is managed separately in each silo | AI automatically identifies cross-regulator linkages — a risk appetite gap that affects Mwongozo governance, CBK prudential compliance, and CMA Code requirements is flagged once and remediated across all frameworks simultaneously |

Frequently Asked Questions

Common Questions