For startups and SMEs

The integrated GRC platform that knows exactly what applies to you.

Governance, risk and compliance on one platform — powered by our Applicability Certainty Model that scopes your obligations to your real operations and demonstrates the reasoning behind every call. Enterprise-grade capability, on a startup or SME budget.

13 Core services 11+ module packs One Core One audit log
A compliance and risk leader reviewing an applicability dashboard.
About us

Two decades of GRC. A decade in the standards. One platform.

Over twenty years of hands-on governance, risk and compliance work — and more than ten years involved in the development of the ISO GRC standards — led us to build two things the market didn’t have: the Organisational Context Engine (OCE) and the Applicability Certainty Model (ACM).

Together they power a GRC Spine that aligns regulatory requirements to controls, to recognised frameworks, with evidence tracking and maturity rating along the thread. The result simplifies and strengthens an organisation’s GRC capability at once — and gives that organisation back the time and budget to spend on its core activities, instead of on compliance overhead.

Our solution

Same regulatory weight as the enterprise. None of the enterprise resources.

Growing and mid-sized organisations carry the same obligations as the largest firms in their sector — but without the budget, the tooling, or a full in-house GRC team. Three things follow, and we built EnableGRC to answer each one.

01

The capability gap

The same regulatory challenges land on you as on the enterprise — but the systems built to handle them are priced for the enterprise. So teams fall back to spreadsheets, and the GRC expertise needed across every area isn’t in-house, forcing reliance on outside consultants and specialists for each new domain.

02

The clarity gap

Regulatory frameworks are complex and often contradictory — leading to duplicated controls covering one obligation three ways, a pile of reports nobody trusts, and little clarity on whether a control is truly being met. Our Spine and OCE are the answer: one thread from the law to the control to its evidence, scoped to what genuinely applies to you.

03

The integration gap

To meet requirements, organisations stitch together point tools that were never designed to work together — separate logins, separate audit trails, separate versions of the truth. Our truly integrated iGRC platform runs Governance, Risk and Compliance on one Core: one identity, one evidence repository, one audit log.

How the platform answers it.

EnableGRC pairs two layers — the Organisational Context Engine and the Applicability Certainty Model — to decide what genuinely binds you, and to record why. From there, one connected Spine carries the thread to controls, evidence and frameworks.

OCE — your real context

The Organisational Context Engine captures who you actually are: every legal entity, the jurisdictions you operate in, the activities you perform, and your size across four axes — headcount, revenue, asset value and transaction volume — per entity and at group level.

ACM — certainty, not assumption

The Applicability Certainty Model decides each obligation by the certainty that it applies. Clear obligations are binding. Genuinely uncertain ones — an undefined size threshold, a law reaching you through a reseller, a threshold met only at group level — route to a documented review with the reasoning attached, rather than being silently included or dropped.

The Spine

From the regulation, to the obligation, to the control, to its evidence, to the framework it satisfies — and a maturity rating along the way. One connected thread. Map a control once; see every obligation it meets. No duplicated controls, no orphaned evidence.

Defensible by design

Every applicability call carries its factors, and every state change is written to a seven-year cryptographically chained audit log. When a regulator or auditor asks why a law applies — or doesn’t — the answer is already on file.

Features

Thirteen Core services. A growing pack framework. One Core.

Every tenant runs on the same Core — same identity, same evidence repository, same audit log. A pack never implements its own; it uses the Core. That is what makes iGRC an integrated platform rather than a collection of point tools sharing a brand.

Core platform — 13 services

01Administration PortalTenant lifecycle, branding, user provisioning, role-based access, licence management, data import (ETL) with HRIS and IAM systems, self-serve billing (GBP / USD / EUR), settings, audit log.
02Compliance Platform ISO 37301Obligations register, control library, policy management, attestation workflow, evidence repository, gap analysis.
03Risk Management ISO 31000Unified risk register, configurable scoring (3×3 / 4×4 / 5×5), preloaded category library, treatment workflow, KRIs, heatmaps, bow-tie analysis.
04Governance Portal ISO 37000Committee and board management, delegation-of-authority matrix, governance document library, automated board-reporting pack generation.
05Audit Function ISO 19011Audit universe, risk-based annual planning, digital workpapers, findings register, follow-up tracking, external auditor portal.
06Incident Management ISO 27001 A.5.24–27Incident capture and handling lifecycle, triage, investigation, and regulatory-notification tracking.
07Learning Management System (LMS)Role- and event-driven training assignment, completion tracking and certifications. Shared substrate across packs (e.g. safeguarding training).
08BI & ReportingPrebuilt dashboards, drag-and-drop report builder, scheduled exports, regulator-ready templates (e.g. EU DORA ICT-register, SFDR).
09AI CapabilitiesPolicy drafting, control suggestion, case summarisation, translation, risk-narrative generation. Responsible-AI controls; no training on tenant data.
10Organisational Context Engine ISO 37301 §4Context capture and the applicability inputs that power the ACM: internal/external context, interested parties, scope, entities, jurisdictions, activities and size.
11Regulatory DatabaseMaintained regulatory catalogue across multiple jurisdictions, with daily ingestion, editorial review, change alerting and impact analysis.
12Third-Party Risk ManagementVendor inventory, due-diligence questionnaires (SIG, CAIQ, custom), continuous monitoring, contracts, offboarding, SLAs.
13My ItemsA personal workspace — your tasks, approvals and items gathered from across every active module in one place.

Module packs — the domain layer

Sixteen packs in the catalogue, grouped into domains and activated per tenant. Each ships with preloaded policy templates, risk and control libraries, regulatory mappings and standard reports — and runs on the same Core, so a control mapped once counts everywhere.

Ethics & ConductAvailableISO 37002 · 37008 · 37009

Whistleblowing & Speak-up with triage and internal investigations, paired with Conflict of Interest — declarations feed the speak-up and investigations process.

Anti-Bribery & CorruptionGifts & Hospitality liveISO 37001 · UK Bribery Act · FCPA

Gifts & hospitality register with thresholds and public-official flags; full anti-bribery programme (risk assessment, intermediary due diligence) coming.

Anti-Money LaunderingAvailableUK MLR 2017 · EU AMLDs · FATF

AML programme framework, transaction monitoring, SAR/STR workflow, regulator reports.

KYC / EDDAvailableFATF · EU AMLD6

Customer and enhanced due diligence, PEP and sanctions screening, ongoing monitoring.

Supply ChainAvailableUK Modern Slavery Act · EU CSDDD

Supplier risk, modern-slavery screening, transparency, critical-supplier monitoring.

Third-Party Risk (TPRM)Core-bundledISO 31000 · EU DORA

Vendor lifecycle, due diligence, continuous monitoring — bundled with Core. TPRM+ premium adds concentration risk, contractual safeguards and 4th-party tracking.

ESG & SustainabilityAvailableCSRD/ESRS · ISSB

Materiality, GHG inventory (Scope 1/2/3), target tracking, framework disclosures.

Crypto / MiCA / DLTAvailableEU MiCA · Travel Rule

Crypto-asset service provider readiness, crypto AML, market-abuse surveillance.

Sports GRCAvailableBS 25800

Grassroots GRC + event-ops: policies, training matrix, safeguarding, volunteer rota.

Fraud PreventionComing soonUK Fraud Act · ACFE · COSO

Fraud risk register, red-flag monitoring, investigations (reuses the Ethics investigations engine).

Crisis Management & Business ContinuityComing soonISO 22301 · 22361 · DORA

Incident response, crisis teams, tabletops, BIA, recovery strategies, RTO/RPO, dependency mapping.

Cyber & Information SecurityComing soonISO 27001 · NIST CSF 2 · NIS2

Security policies, ISMS controls, vulnerability management, access reviews.

Data Protection & PrivacyComing soonEU GDPR · UK GDPR · CCPA

ROPA, DPIAs, data-subject requests, breach register, cross-border transfer registers.

Packs are sector-agnostic at the Core and schema-aligned to the relevant standard. Available integrated, or standalone on a Core-light shell.

How we compare

One platform against the usual workarounds.

Capability EnableGRC iGRC Spreadsheets Point tools
(Vanta · Drata · Sprinto)
Consultants
(Big-4 / mid-tier)
Governance + Risk + Compliance in one platformCompliance onlyAdvice, not a platform
Applicability scoped to your real operations (ACM + OCE)Manual, per engagement
Defensible audit trail on every decisionPartialIn documents
One control mapped to every obligation it meetsManual
Configurable depth (risk matrix size, pack activation)n/aFixedn/a
Regulatory database + change alertingPartialBespoke
Runs without an outside specialist for each domainPartial✗ (that’s the model)
Priced for a startup or SME£ per area

Point tools are tools, not a function — they automate compliance evidence but leave Governance, Risk and the judgement of what applies to you. EnableGRC does all three, on one Core.

Request a walkthrough

See it on your own context.

A 20-minute walkthrough, scoped to your sector and jurisdictions. No slideware — we run your context through the OCE and show you the applicability call, the reasoning, and the audit trail.

  • Built by a team that has been involved in the development of ISO standards for over ten years.
  • Governance, Risk and Compliance on one integrated platform — not a stitched-together toolset.
  • Truly global — multi-entity, multi-jurisdiction, sector-agnostic.

Why EnableGRC

Enable, don’t block.

A decade in the standardsOur team have been involved in the development of ISO GRC standards for over ten years.
Truly integratedOne Core for Governance, Risk and Compliance — one identity, one audit log.
Truly globalMulti-entity, multi-jurisdiction, sector-agnostic — built for organisations operating anywhere.