GRC Software

GRC software for unified governance, risk, and compliance

GRC software unifies governance, risk, and compliance into a single platform - one policy library, one risk register, one control inventory, one mapping to every compliance obligation. This page shows the GRC operating cycle as a BPMN process map so the unification is visible, not just claimed.

Jack Finnegan, Founder & CEO, BA Copilot

By Jack Finnegan · Updated 21 May 2026

What it is

What GRC software actually is

GRC software is the category of platform that unifies governance (policies and accountabilities), risk (identification, assessment, treatment), and compliance (mapping controls to regulatory obligations) in one operating environment. The acronym was coined in February 2002 by analyst Michael Rasmussen at Forrester Research; OCEG (Open Compliance and Ethics Group, founded the same year by Scott Mitchell) published the first GRC capability model (the Red Book) in 2004. The category has since matured into a broad market segment served by integrated platforms.
Major platforms include ServiceNow IRM (formerly GRC), Archer (originally RSA Archer), MetricStream, Optro (formerly AuditBoard, rebranded March 2026), Workiva, Diligent (formerly Galvanize/ACL, now branded as the Diligent One Platform), LogicGate, and many smaller specialists. Archer's ownership history alone shows how much the market has churned: Symphony Technology Group (STG) acquired RSA from Dell in 2020 together with Ontario Teachers' Pension Plan Board and AlpInvest Partners; Archer was carved out from RSA Security in 2021 under STG / Clearlake ownership, Clearlake having joined as an equal partner via a strategic equity investment in August 2021; and Cinven has owned Archer since July 2023. The category overlaps significantly with internal-audit software, SOX compliance software, and third-party risk management software - most platforms bundle several of these together with varying depth in each.
The problem today

Your GRC platform has the data but cannot show the process

GRC platforms are excellent at storing the artefacts: policies, risk registers, control libraries, test results, evidence. They are usually poor at showing how the work flows - the actual process by which a policy becomes a control, becomes an obligation mapping, becomes a test, becomes evidence, becomes a report. The result is a platform full of data that the second line can defend in a deep-dive, that the first line cannot easily navigate, and that the executive risk committee receives as a dashboard with no narrative attached.
The fix is to treat the GRC cycle as a process. The BPMN map of the cycle becomes the navigation layer over the platform's data: which step produced this evidence, which obligation it satisfies, where in the cycle this issue sits. That changes GRC from a data store into a working management system.
Three pillars + issue management

Three pillars of GRC, plus issue management

Governance

Policies, accountabilities, decision rights, escalation paths. Governance answers "who decides, and against what rules?".

Risk

Identification, assessment, treatment, monitoring. Risk answers "what could go wrong, and what are we doing about it?".

Compliance

Mapping controls to obligations (laws, regulations, standards, contractual commitments). Compliance answers "are we doing what we have to do?".

Issue management (cross-cutting)

Every control test, audit finding, and incident produces issues. The closing-the-loop discipline is what separates a working GRC programme from a documentation exercise.

Process Map

The GRC operating cycle as a process map

A unified cycle covering all three letters - policies, risks, controls, obligations, testing, issue management, reporting.


A unified governance, risk, and compliance (GRC) cycle rendered as a BPMN 2.0 process. Policies feed risks feed controls feed compliance obligations - tested, monitored, reported, with issue management closing the loop.

  1. Define governance scope and publish the policy library.
  2. Identify and assess risks against the policies.
  3. Implement controls that mitigate the risks and satisfy compliance obligations.
  4. Map controls to specific obligations (SOX, ISO 27001, PCI DSS, GDPR, etc.).
  5. Test and monitor controls on the agreed cadence.
  6. If issues are identified, route to issue management for tracking to closure. Otherwise the result feeds reporting.
  7. Report to the executive risk committee and the board on the agreed cadence.
What this diagram shows: The cycle starts at the period kickoff (annual or semi-annual). Policies set the governance frame. Risk assessment runs against those policies. Controls are implemented against the risks. Compliance mapping ties each control to specific obligations (SOX, ISO 27001, PCI DSS, GDPR, sector-specific regulations). Testing and monitoring run on the agreed cadence. The issues gateway routes any failed test into issue management for tracking to closure; everything else flows to reporting for the risk committee and the board.
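To make steps 4 to 7 concrete, here is an added Python example; it is not code from BA Copilot or from any GRC platform. It runs the obligation mapping, the test results, the issues gateway and the committee roll-up over a constructed control inventory. Every identifier in it (control ids, obligation keys such as "SOX:ITGC-AC-02", evidence references, the finding text) is made up for illustration. What the paragraph above cannot show and the code can: one control usually carries several obligations, so a single failed test puts every obligation behind that control "at risk" until the issue is closed, and an in-scope obligation with no mapped control at all surfaces as a mapping gap rather than quietly as "not tested".

```python
"""Added example, not code from BA Copilot or any GRC vendor: steps 4 to 7 of the
GRC cycle (obligation mapping, test, issues gateway, report) over a constructed
control inventory. All identifiers below are hypothetical."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    risk_ids: tuple[str, ...]      # risks (step 2) this control treats
    obligations: tuple[str, ...]   # obligation keys mapped to this control (step 4)


@dataclass(frozen=True)
class TestResult:
    control_id: str
    passed: bool
    evidence_ref: str              # pointer to the evidence record in the platform
    finding: str = ""


@dataclass
class Issue:
    issue_id: str
    control_id: str
    finding: str
    obligations: tuple[str, ...]   # obligations put at risk by this finding
    status: str = "open"


# Constructed sample data (hypothetical identifiers, not a real control library).
CONTROLS = [
    Control("CTL-01", "Quarterly privileged-access review", ("R-01",),
            ("SOX:ITGC-AC-02", "ISO27001:A.5.18", "PCI:7.2")),
    Control("CTL-02", "MFA enforced on all admin accounts", ("R-01", "R-03"),
            ("ISO27001:A.5.17", "PCI:8.4")),
    Control("CTL-03", "Change ticket approved before production deploy", ("R-02",),
            ("SOX:ITGC-CM-01", "ISO27001:A.8.32")),
]
REQUIRED_OBLIGATIONS = {
    "SOX:ITGC-AC-02", "SOX:ITGC-CM-01", "ISO27001:A.5.17", "ISO27001:A.5.18",
    "ISO27001:A.8.32", "PCI:7.2", "PCI:8.4", "GDPR:Art.32",
}
RESULTS = [
    TestResult("CTL-01", True, "EV-2026-Q1-017"),
    TestResult("CTL-02", False, "EV-2026-Q1-018", "3 of 41 admin accounts have no MFA"),
    TestResult("CTL-03", True, "EV-2026-Q1-019"),
]


def map_obligations(controls: list[Control]) -> dict[str, list[str]]:
    """Step 4: obligation key -> ids of the controls mapped to it."""
    mapping: dict[str, list[str]] = defaultdict(list)
    for c in controls:
        for ob in c.obligations:
            mapping[ob].append(c.control_id)
    return dict(mapping)


def unmapped_obligations(required: set[str], controls: list[Control]) -> list[str]:
    """In-scope obligations with no control behind them: a mapping gap, not a test failure."""
    return sorted(required - set(map_obligations(controls)))


def issues_gateway(controls, results) -> tuple[list[Issue], list[TestResult]]:
    """Step 6: a failed test becomes an issue carrying every obligation its control
    is mapped to; a passed test flows straight on to reporting."""
    by_id = {c.control_id: c for c in controls}
    issues, passing = [], []
    for n, r in enumerate(results, 1):
        if r.passed:
            passing.append(r)
        else:
            c = by_id[r.control_id]
            issues.append(Issue(f"ISS-{n:03d}", c.control_id, r.finding, c.obligations))
    return issues, passing


def obligation_status(required, controls, results) -> dict[str, str]:
    """Roll-up for step 7: 'satisfied' only when every mapped control was tested and
    passed; any open issue on a mapped control makes it 'at risk'; no mapped control
    is 'no control'; anything else is 'untested'."""
    mapping = map_obligations(controls)
    issues, _ = issues_gateway(controls, results)
    failing = {i.control_id for i in issues if i.status == "open"}
    passed = {r.control_id for r in results if r.passed}
    status = {}
    for ob in sorted(required):
        ctls = mapping.get(ob, [])
        if not ctls:
            status[ob] = "no control"
        elif any(c in failing for c in ctls):
            status[ob] = "at risk"
        elif all(c in passed for c in ctls):
            status[ob] = "satisfied"
        else:
            status[ob] = "untested"
    return status


def committee_report(required, controls, results) -> dict:
    """Step 7: the numbers the risk committee sees, each traceable to a control and a test."""
    status = obligation_status(required, controls, results)
    issues, _ = issues_gateway(controls, results)
    summary: dict[str, int] = defaultdict(int)
    for s in status.values():
        summary[s] += 1
    return {"summary": dict(summary), "obligations": status,
            "open_issues": [(i.issue_id, i.control_id, i.finding) for i in issues],
            "gaps": unmapped_obligations(required, controls)}


if __name__ == "__main__":
    for key, value in committee_report(REQUIRED_OBLIGATIONS, CONTROLS, RESULTS).items():
        print(key, value)
```

The roll-up rule is the design choice worth arguing about with your second line: here an obligation is only "satisfied" when all of its mapped controls passed, so the failed MFA test on CTL-02 flags both ISO27001:A.5.17 and PCI:8.4 at once, and GDPR:Art.32 is reported as a gap because nothing is mapped to it. A platform that only counts passed tests would show the same inventory as "three controls, two passing" and hide both facts.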
FAQ

Frequently asked questions

What is GRC software?

GRC software unifies governance, risk, and compliance into a single platform - one policy library, one risk register, one control inventory, one set of compliance obligation mappings. The acronym was coined in February 2002 by Michael Rasmussen at Forrester Research, with OCEG (founded the same year by Scott Mitchell) publishing the first GRC standard (the Red Book / GRC Capability Model) in 2004. The category is now served by major platforms including ServiceNow IRM, Archer, MetricStream, Optro (formerly AuditBoard), Workiva, Diligent, and LogicGate.

What is the difference between GRC software and risk management software?

Risk management software is narrower - it focuses on the risk lifecycle alone. GRC software is broader - it adds policy and compliance management on top of risk, often with internal-audit workflow bundled in. Many firms run risk management as a module of a GRC platform; some firms run them as separate systems with integrations.

What is the difference between GRC and IRM?

Integrated Risk Management (IRM) is the term Gartner introduced in 2017 (with the first IRM Magic Quadrant published in 2018) as an evolution of GRC. IRM emphasises broader risk types (operational, strategic, third-party, cyber, ESG) and stronger integration with business operations. In practice the two are largely synonymous, with IRM weighted slightly toward risk and GRC weighted slightly toward compliance.

Do you need separate GRC and SOX platforms?

It depends on size and maturity. Many large enterprises have a SOX platform (e.g. Optro, formerly AuditBoard) plus a separate GRC platform (e.g. Archer or ServiceNow IRM) because the SOX-specific workflows are deep enough to justify a specialist tool. Mid-market firms often consolidate into a single GRC platform with a SOX module. The right answer depends on the SOX team's sophistication and the firm's appetite for platform sprawl.

How does process mapping fit into GRC?

GRC operates on processes - each control sits in a business process, each policy governs a process, each compliance obligation maps to processes that demonstrate adherence. Without process maps, the GRC platform's data is anchorless - the audit team cannot easily walk through how a control operates, the second line cannot easily explain to the board what a finding means in operational terms. BPMN process maps are the navigation layer over the GRC data store.

Does BA Copilot replace our GRC platform?

No. BA Copilot is the modelling layer - it produces and maintains the BPMN process maps that the controls in your GRC platform sit inside. The GRC platform owns the data; BA Copilot produces the diagrams that give the data meaning. Integration is via BPMN export attached to control records in the platform.

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.


Make GRC actually integrated

Open the GRC cycle template, attach your existing controls to the workflow they actually sit inside, and produce the BPMN navigation layer that turns the platform from data store into management system.