The integrated GRC platform that knows exactly what applies to you.
Governance, risk and compliance on one platform — powered by our Applicability Certainty Model that scopes your obligations to your real operations and demonstrates the reasoning behind every call. Enterprise-grade capability, on a startup or SME budget.
Two decades of GRC. A decade in the standards. One platform.
Over twenty years of hands-on governance, risk and compliance work — and more than ten years involved in the development of the ISO GRC standards — led us to build two things the market didn’t have: the Organisational Context Engine (OCE) and the Applicability Certainty Model (ACM).
Together they power a GRC Spine that aligns regulatory requirements to controls, to recognised frameworks, with evidence tracking and maturity rating along the thread. The result simplifies and strengthens an organisation’s GRC capability at once — and gives that organisation back the time and budget to spend on its core activities, instead of on compliance overhead.
Same regulatory weight as the enterprise. None of the enterprise resources.
Growing and mid-sized organisations carry the same obligations as the largest firms in their sector — but without the budget, the tooling, or a full in-house GRC team. Three things follow, and we built EnableGRC to answer each one.
The capability gap
The same regulatory challenges land on you as on the enterprise — but the systems built to handle them are priced for the enterprise. So teams fall back to spreadsheets, and the GRC expertise needed across every area isn’t in-house, forcing reliance on outside consultants and specialists for each new domain.
The clarity gap
Regulatory frameworks are complex and often contradictory — leading to duplicated controls covering one obligation three ways, a pile of reports nobody trusts, and little clarity on whether a control is truly being met. Our Spine and OCE are the answer: one thread from the law to the control to its evidence, scoped to what genuinely applies to you.
The integration gap
To meet requirements, organisations stitch together point tools that were never designed to work together — separate logins, separate audit trails, separate versions of the truth. Our truly integrated iGRC platform runs Governance, Risk and Compliance on one Core: one identity, one evidence repository, one audit log.
How the platform answers it.
EnableGRC pairs two layers — the Organisational Context Engine and the Applicability Certainty Model — to decide what genuinely binds you, and to record why. From there, one connected Spine carries the thread to controls, evidence and frameworks.
OCE — your real context
The Organisational Context Engine captures who you actually are: every legal entity, the jurisdictions you operate in, the activities you perform, and your size across four axes — headcount, revenue, asset value and transaction volume — per entity and at group level.
ACM — certainty, not assumption
The Applicability Certainty Model decides each obligation by the certainty that it applies. Clear obligations are binding. Genuinely uncertain ones — an undefined size threshold, a law reaching you through a reseller, a threshold met only at group level — route to a documented review with the reasoning attached, rather than being silently included or dropped.
The Spine
From the regulation, to the obligation, to the control, to its evidence, to the framework it satisfies — and a maturity rating along the way. One connected thread. Map a control once; see every obligation it meets. No duplicated controls, no orphaned evidence.
Defensible by design
Every applicability call carries its factors, and every state change is written to a seven-year cryptographically chained audit log. When a regulator or auditor asks why a law applies — or doesn’t — the answer is already on file.
Thirteen Core services. A growing pack framework. One Core.
Every tenant runs on the same Core — same identity, same evidence repository, same audit log. A pack never implements its own; it uses the Core. That is what makes iGRC an integrated platform rather than a collection of point tools sharing a brand.
Core platform — 13 services
| 01 | Administration Portal | Tenant lifecycle, branding, user provisioning, role-based access, licence management, data import (ETL) with HRIS and IAM systems, self-serve billing (GBP / USD / EUR), settings, audit log. |
| 02 | Compliance Platform ISO 37301 | Obligations register, control library, policy management, attestation workflow, evidence repository, gap analysis. |
| 03 | Risk Management ISO 31000 | Unified risk register, configurable scoring (3×3 / 4×4 / 5×5), preloaded category library, treatment workflow, KRIs, heatmaps, bow-tie analysis. |
| 04 | Governance Portal ISO 37000 | Committee and board management, delegation-of-authority matrix, governance document library, automated board-reporting pack generation. |
| 05 | Audit Function ISO 19011 | Audit universe, risk-based annual planning, digital workpapers, findings register, follow-up tracking, external auditor portal. |
| 06 | Incident Management ISO 27001 A.5.24–27 | Incident capture and handling lifecycle, triage, investigation, and regulatory-notification tracking. |
| 07 | Learning Management System (LMS) | Role- and event-driven training assignment, completion tracking and certifications. Shared substrate across packs (e.g. safeguarding training). |
| 08 | BI & Reporting | Prebuilt dashboards, drag-and-drop report builder, scheduled exports, regulator-ready templates (e.g. EU DORA ICT-register, SFDR). |
| 09 | AI Capabilities | Policy drafting, control suggestion, case summarisation, translation, risk-narrative generation. Responsible-AI controls; no training on tenant data. |
| 10 | Organisational Context Engine ISO 37301 §4 | Context capture and the applicability inputs that power the ACM: internal/external context, interested parties, scope, entities, jurisdictions, activities and size. |
| 11 | Regulatory Database | Maintained regulatory catalogue across multiple jurisdictions, with daily ingestion, editorial review, change alerting and impact analysis. |
| 12 | Third-Party Risk Management | Vendor inventory, due-diligence questionnaires (SIG, CAIQ, custom), continuous monitoring, contracts, offboarding, SLAs. |
| 13 | My Items | A personal workspace — your tasks, approvals and items gathered from across every active module in one place. |
Module packs — the domain layer
Sixteen packs in the catalogue, grouped into domains and activated per tenant. Each ships with preloaded policy templates, risk and control libraries, regulatory mappings and standard reports — and runs on the same Core, so a control mapped once counts everywhere.
Whistleblowing & Speak-up with triage and internal investigations, paired with Conflict of Interest — declarations feed the speak-up and investigations process.
Gifts & hospitality register with thresholds and public-official flags; full anti-bribery programme (risk assessment, intermediary due diligence) coming.
AML programme framework, transaction monitoring, SAR/STR workflow, regulator reports.
Customer and enhanced due diligence, PEP and sanctions screening, ongoing monitoring.
Supplier risk, modern-slavery screening, transparency, critical-supplier monitoring.
Vendor lifecycle, due diligence, continuous monitoring — bundled with Core. TPRM+ premium adds concentration risk, contractual safeguards and 4th-party tracking.
Materiality, GHG inventory (Scope 1/2/3), target tracking, framework disclosures.
Crypto-asset service provider readiness, crypto AML, market-abuse surveillance.
Grassroots GRC + event-ops: policies, training matrix, safeguarding, volunteer rota.
Fraud risk register, red-flag monitoring, investigations (reuses the Ethics investigations engine).
Incident response, crisis teams, tabletops, BIA, recovery strategies, RTO/RPO, dependency mapping.
Security policies, ISMS controls, vulnerability management, access reviews.
ROPA, DPIAs, data-subject requests, breach register, cross-border transfer registers.
Packs are sector-agnostic at the Core and schema-aligned to the relevant standard. Available integrated, or standalone on a Core-light shell.
One platform against the usual workarounds.
| Capability | EnableGRC iGRC | Spreadsheets | Point tools (Vanta · Drata · Sprinto) |
Consultants (Big-4 / mid-tier) |
|---|---|---|---|---|
| Governance + Risk + Compliance in one platform | ✓ | ✗ | Compliance only | Advice, not a platform |
| Applicability scoped to your real operations (ACM + OCE) | ✓ | ✗ | ✗ | Manual, per engagement |
| Defensible audit trail on every decision | ✓ | ✗ | Partial | In documents |
| One control mapped to every obligation it meets | ✓ | ✗ | ✗ | Manual |
| Configurable depth (risk matrix size, pack activation) | ✓ | n/a | Fixed | n/a |
| Regulatory database + change alerting | ✓ | ✗ | Partial | Bespoke |
| Runs without an outside specialist for each domain | ✓ | ✗ | Partial | ✗ (that’s the model) |
| Priced for a startup or SME | ✓ | ✓ | £ per area | ✗ |
Point tools are tools, not a function — they automate compliance evidence but leave Governance, Risk and the judgement of what applies to you. EnableGRC does all three, on one Core.
See it on your own context.
A 20-minute walkthrough, scoped to your sector and jurisdictions. No slideware — we run your context through the OCE and show you the applicability call, the reasoning, and the audit trail.
- Built by a team that has been involved in the development of ISO standards for over ten years.
- Governance, Risk and Compliance on one integrated platform — not a stitched-together toolset.
- Truly global — multi-entity, multi-jurisdiction, sector-agnostic.