77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Governance, Risk and Compliance: How GRC becomes an operational discipline
Governance & Compliance

Governance, Risk and Compliance: How GRC becomes an operational discipline

22 June 202612 min readBy Dr. Henrik Bauer
CIVAC

Governance, risk and compliance only works if the appointment certificate, risk register and audit evidence live in the same system. This article shows how GRC according to ISO 37301 and ISO 31000 is managed as an operational process, not as a slide carousel.

Governance, Risk and Compliance, or GRC for short, has been no longer an abstract three-pillar model since the adoption of ISO 37301:2021 (compliance management systems) and the update of ISO 31000:2018 (risk management), but rather an auditable discipline with clear legal foundations. Today, supervisory authorities such as BaFin, BSI and the Data Protection Conference do not require a declaration of intent, but rather documented proof: appointment certificate, signed, filed, verifiable. The pressure on German medium-sized businesses has increased dramatically since the NIS 2 implementation in the BSIG, the CSRD and the LkSG came into force. Industry estimates suggest that there are around 29,500 NIS 2-affected companies in Germany, of which more than two thirds do not have an integrated GRC system. Auditors and auditors regularly determine that the risk register, control matrix and reporting line do not fit together.

This article explains how governance, risk and compliance move from a strategic statement to an operational platform. You will find out which three layers belong in a modern GRC model, how the interaction with ISMS, data protection and whistleblower protection works and which tools can create an appointment certificate, a reporting line and an audit trail in two working days instead of six weeks. You will receive a concrete migration routine from the Excel risk register to the platform as well as a list of the audit questions that auditors actually ask. The focus is on the CIVAC Compliance Platform and Officer-as-a-Service, which GRC does not describe as a concept, but as executable software in a client with EU data residency and 25 assignable officer roles.

Key Takeaways

  • According to ISO 37301 and ISO 31000, GRC is a documented process with an appointment certificate, risk register and audit evidence, not a management philosophy.
  • The three pillars of governance, risk and compliance belong in a common platform with a uniform reporting line to the management.
  • CIVAC offers workspace licence for internal officers or orderable Officer-as-a-Service in 2 business days.

What governance, risk and compliance mean in terms of regulation today

Governance, risk and compliance is often used synonymously with compliance in practice, but is broader and more clearly defined in regulatory terms. Governance refers to the structure and process organisation of the management including supervisory structures, reporting lines and representation regulations. Risk includes the systematic identification, assessment and control of operational, financial, legal and IT-related risks in accordance with ISO 31000:2018. Compliance means verifiable compliance with external requirements (GDPR, NIS 2 implementation in BSIG, LkSG, HinSchG, OWiG) and internal guidelines. The three terms overlap, but are not identical: strong governance without risk management remains formal, good risk management without a compliance connection is not sanction-proof.

The regulatory obligation to integrate these three pillars arises from several sources. Section 91 (2) AktG obliges boards of directors to set up an early risk detection system. Section 93 AktG specifies the management board's duty of care with the business judgment rule. Section 130 OWiG extends the duty of supervision to all legal entities and penalizes violations of this with fines of up to 10 million euros. ISO 37301:2021 defines seven building blocks of a compliance management system: leadership, planning, support, operations, assessment, improvement and organisational context. ISO 31000:2018 complements risk assessment procedures such as probability-impact matrix and risk appetite statement. All in all, an integrated duty model is created.

Anyone who separates governance, risk and compliance today creates friction and duplicate data storage. The Compliance Officer needs the risk register of the risk manager. The information security officer needs the governance structure for escalation and release channels. An integrated GRC platform brings this data together into one source of truth, with a common reporting line and an audit trail. Others run compliance like a filing cabinet. We run it like software. This is not style, but verifiability: the examiner calls, the proof is ready, with version status, approval and reference to the relevant paragraph or standard control.

The three layers of a GRC model: Strategy, Process, Evidence

A working GRC model consists of three layers, which are often mixed together. The strategic layer determines which risks management accepts, which values ​​the company protects and which reporting channels apply. It is documented in a code of conduct, a compliance policy and a risk appetite statement. These documents are not static; they are released at least annually by the management and approved by the supervisory body. Without this release, the model loses its viability because the risk acceptance cannot be attributed.

The procedural layer translates strategy into recurring processes. This includes risk inventory, control matrix, training plan, audit plan, incident management, supplier audit and reporting routine. Each process has an owner, a cycle and a delivery object. A training plan without proof of attendance is not a process, but an intention. A risk register without an assessment workflow is a list, not a system. An audit plan without documented findings and follow-up is a calendar entry. Without a clear cadence, processes become lost in sight. At this layer it is decided whether the strategy becomes reality or remains a concept.

The evidence layer is the point at which tests are decided. Appointment certificates, protocols, proof of training, control tests, audit reports and reports to authorities are located here. The clock starts on awareness. If you don't know where the last pen test protocol is, you will lose the deadline and thus possibly the presumption of compliance. The CIVAC platform brings together all three layers: 490 ready-to-use audit templates, one reporting line per role, a common audit trail with version control, acknowledgments of receipt and evidentiary value assurance. This turns the shift model into an ongoing process instead of a diagram that stands up to audits and relieves the burden in day-to-day business.

ISO 37301, ISO 31000 and the reference to national law

ISO 37301:2021 is the internationally certifiable standard for compliance management systems and replaces the older ISO 19600:2014. It can be audited according to ISO/IEC 17021 and, for the first time, provides a testing framework that can be integrated with ISO/IEC 27001:2022 (information security) and ISO 14001:2015 (environmental management). The core of the standard are the seven building blocks and the Plan-Do-Check-Act cycle, which continuously improves every compliance process. Certification according to ISO 37301 is still rarely widespread in German medium-sized companies, but is becoming increasingly important as a tender requirement in the corporate environment.

ISO 31000:2018 cannot be certified, but is considered the de facto standard for risk management. The standard defines eight principles (e.g. integration, dynamic adaptation, best available information) and a process of communication, context setting, risk identification, analysis, assessment, treatment and monitoring. ISO/IEC 31010:2019 complements the selection of risk assessment procedures with over 30 methods, from bowtie analysis to Monte Carlo simulation. In conjunction with ISO 37301, an integrated GRC framework is created that simultaneously covers compliance and risk requirements and that auditors accept as a recognised framework.

In German law, several standards intertwine. Section 91 (2) AktG requires an early risk detection system, Section 93 AktG requires the board of directors to exercise due diligence. Section 130 OWiG sanctions violations of supervisory duties with fines of up to 10 million euros. In the financial sector, MaRisk (BaFin), in insurance MaGo (BaFin), in data protection supplement Articles 24 and 32 GDPR. Since the 2026 amendment to the BSIG, NIS-2 has added explicit management obligations: personal liability of the board of directors, mandatory training, fines of up to 10 million euros or 2 percent of group sales for essential facilities. Anyone who runs GRC according to ISO 37301 and ISO 31000 covers the German legal situation in a model that is documented in an audit-proof manner. § 130 OWiG-proof, BSIG-proof, GDPR-proof. This reduces the effort required for parallel test questions.

Risk register, control matrix and reporting line in practice

The risk register is the heart of a GRC model. It lists each identified risk with category (operational, financial, legal, IT, reputation), probability of occurrence, amount of damage, risk owner, status of treatment and next test date. A tried-and-tested 5x5 matrix with documented risk appetite of management, which defines the acceptance thresholds per level of damage and probability of occurrence. Without risk owners, ghost risks arise that no one continues. Without a risk appetite statement, there is no basis for assessing when a treatment decision becomes necessary.

The control matrix links each risk with at least one control. Controls are divided into preventative, detective and corrective and are provided with a test cycle. ISO/IEC 27001:2022 provides 93 controls that can serve as a starting point for the IT area. ISO 37301 supplements procedural controls such as the dual control principle, approval channels and proof of training. A control without a test is an assumption. A tested control with documented results is proof. The test frequency is determined based on risk: high-risk checks quarterly or on an ad-hoc basis, less critical checks annually. Audit-proof, documented, ISO-proof.

The reporting line regulates who reports what to whom and at what frequency. Compliance officers, data protection officers, information security officers and risk managers report directly to management, usually quarterly plus ad hoc in the event of reportable incidents such as data breaches, NIS 2 security incidents or substantiated information from the reporting office. The CIVAC workspace maps this reporting line as a workflow: every role has its dashboard, every message triggers the correct escalation, every report is archived with the version status and confirmation of receipt. Escalation rules are configurable so that an incident above a defined threshold automatically reaches the board. This means that the reporting line is not theory, but rather a system. Licence the workspace for your internal representatives, or have our representatives order it.

How GRC interacts with data protection, ISMS and whistleblower protection

A common mistake is the separation of GRC, data protection and information security. In practice, these areas overlap greatly because the same technical and organisational measures serve multiple regimes. A data breach according to Art. 33 GDPR is at the same time a compliance incident, an IT security incident and potentially an NIS 2 reportable event according to Section 32 BSIG. Anyone who has three separate reporting channels loses the 72-hour deadline of the GDPR or the 24-hour deadline of the NIS-2. Anyone who runs an integrated incident management process reports once with documented distribution logic and fulfils three obligations.

The data protection officer provides the list of processing activities in accordance with Art. 30 GDPR and the data protection impact assessment in accordance with Art. 35 GDPR. The Information Security Officer operates the ISMS according to ISO/IEC 27001:2022 with the 93 controls mentioned. The compliance officer ensures ISO 37301-compliant documentation and monitoring of the supervisory obligation in accordance with Section 130 OWiG. In the CIVAC model, these three roles share a client, a reporting line and an audit trail, without visibility rights being mixed.

Whistleblower protection according to HinSchG (since July 2023) is also part of GRC. Companies with 50 or more employees must operate an internal reporting office, confirm reports within 7 days and provide feedback within 3 months. Violations cost a fine of up to 50,000 euros, and systematic obstruction costs up to 500,000 euros. The reporting office must be confidential, independent of instructions and staffed with sufficient qualifications, but can also be appointed externally. A GRC platform that puts whistleblower cases in the same incident database as compliance incidents (with strictly separated visibility rights and confidentiality-compliant workflows) reduces duplication of work and closes compliance gaps. The auditor calls, the evidence is ready. A separate role architecture with its own logbooks also prevents internal investigations from becoming vulnerable to unauthorized data access. The platform logs every access in an audit-proof manner.

GRC in medium-sized companies: effort, costs and time-to-compliance

Medium-sized companies often shy away from GRC because they have corporate structures in mind and experience consulting offers in the six-figure range. In fact, an ISO 37301-compliant compliance management system can be set up in a company with 100 to 1,000 employees in 12 to 16 weeks if standardised templates are used. The classic route via individual consulting projects lasts 6 to 12 months and typically costs 80,000 to 250,000 euros for the initial phase plus ongoing personnel costs. A platform-based implementation shortens this phase to a fraction and reduces the commitment to external advice.

The main cost items are the appointment of representatives, documentation development, training, tooling and external audits. When appointing a compliance and data protection officer externally, providers typically allow for a lead time of 2 to 4 weeks, and even longer for specialised roles such as ISB or LkSG officer. The CIVAC SLA is 2 working days instead of the classic 2 to 6 weeks and is contractually guaranteed. This shortens the time to compliance for companies that have to fulfil obligations at short notice due to NIS 2 implementation, LkSG or CSRD, for example because a tender requires proof or an audit was scheduled at short notice.

Tooling is the second lever. Excel-based risk registers fail the first audit because versioning, release workflows and reporting lines are not mapped mechanically. A specialised GRC platform with multi-client capability, role model and EU data residency costs a fraction of an in-house development and provides auditability out of the box. Anyone budgeting for GRC in medium-sized companies should plan 60 percent personnel expenses, 25 percent tooling and 15 percent external audits. An integrated platform shifts this mix towards automation and relieves those responsible for documentation work, leaving more time for professional risk assessment.

Auditability: What auditors really want to see in a GRC audit

Auditors according to ISO 37301, ISO 27001 or BaFin audit follow a recurring pattern. They don't ask for concepts, but for evidence, and they usually open the exam with the same sequence. The first question is almost always: Who is the compliance officer and since when? Is the appointment certificate with the date, signature and description of the task available? Without this certificate, the audit is locked in an unplanned discussion about responsibilities for the first 15 minutes, and the burden of proof shifts against the company.

The second question concerns the reporting line. Auditors want to see minutes of the last four compliance reports to management, including agenda, participants and resolutions. If these are missing, the effectiveness of the CMS cannot be proven and standard conformity according to ISO 37301 Section 9 is in fact not achieved. The third question focuses on the last incident: How was it detected, reported, handled, documented, closed? The audit trail must be complete from the first notice to the final report, with date, person and version information.

The fourth question concerns training. Who was trained on what topic, when, with what results, with what effectiveness test? E-learning statistics without a knowledge test are attendance lists, not proof of training. Auditors can tell the difference from the first sample. The fifth question is the toughest: Which risks did you consciously not address and why? This shows whether a risk appetite is documented and approved by management, or whether the selection of the risks treated remains implicit and therefore vulnerable. The CIVAC platform provides a predefined report with the required evidence for each of these five questions. The appointment certificate, signed, filed, verifiable.

From Excel risk register to GRC platform: migration in 6 steps

Most companies start GRC with Excel and SharePoint. This works until the first serious audit or the first reportable data breach. The model fails at the latest when an auditor, the BSI or a corporate customer requests the audit trail. The migration to an integrated platform can be structured in six steps without having to pause ongoing operations. Each step delivers a definable added value, so that auditability can be achieved after the first two steps.

Step 1 is the inventory: Which documents, lists and processes exist? Who is the owner? Which obligations are unclear? Step 2 is role clarification: Have compliance, data protection, information security and, if applicable, ESG officers been formally appointed and documented with an appointment document? Are there any representative regulations? Step 3 is the data migration: risk register, control matrix, incidents and training certificates are transferred to the platform, with reference to the original document for the history and with documented mapping between the old and new structure.

Step 4 is the construction of the reporting line as a workflow including escalation rules and recipient lists per incident type. Step 5 is the training of the representatives and management, as the NIS 2 implementation explicitly requires management training with proof. Step 6 is the initial audit rehearsal: An internal audit goes through the five auditor questions from the previous section and identifies gaps that are closed before the external appointment. The CIVAC FAQ describes this migration in detail. With 490 ready-to-use audit templates and the dual model option, steps 1 to 6 can be completed in 8 to 12 weeks, depending on company size and maturity level. Others run compliance like a filing cabinet. We run it like software.

How CIVAC manages governance, risk and compliance operationally

CIVAC is a compliance platform and officer-as-a-service based in Germany and EU data residency. The platform covers 25 officer roles, from compliance officer to data protection and information security officer to ESG, whistleblower and hygiene officer. Each role comes with its duty matrix, appointment certificate template, reporting line and a role-specific audit trail. The integrated ISMS follows ISO/IEC 27001:2022 with the 93 controls; The 490 audit templates cover internal and external audits, including supplier audits and process audits.

The dual model is the answer to two different needs. Companies with their own representatives licence the CIVAC workspace and immediately gain auditability without building their own tool or juggling Excel lists. Companies without sufficient internal resources can appoint a CIVAC representative externally and receive the role and platform from a single source, with defined response times and fixed escalation paths. Licence the workspace for your internal representatives, or have our representatives order it. Both models run on the same client, so that changes are possible without data migration.

The SLA time of 2 working days is measurable and contractually guaranteed. This is relevant for companies that, after implementing NIS 2, have to prove that they have representatives at short notice, close a gap in an audit or operate a tender with a documented compliance function. Turn reading into a mandate.: If you no longer want to run GRC as a PowerPoint slide, but as a running system with an appointment certificate, reporting line and audit trail, write to info@civac.de or use the contact form on civac.de. In the initial discussion, we will clarify whether a workspace licence, officer-as-a-service or the combination fits your structure. The CIVAC role overview shows all 25 representative profiles with orderability and SLA.

FAQ

What is the difference between compliance management and GRC?

Compliance management according to ISO 37301 focuses on compliance with external and internal requirements. GRC also integrates governance (structural organisation, reporting lines) and risk management according to ISO 31000. A GRC system therefore contains a compliance management system, but goes beyond that by including risks and control structures.

Do medium-sized companies really need a GRC system?

Companies with around 50 employees or more are subject to HinSchG obligations, and those with 250 employees or more are also subject to CSRD reporting obligations from 2026. A large proportion of medium-sized companies are subject to NIS-2. An integrated GRC system significantly reduces duplication of work compared to separate compliance, data protection and IT security isolated solutions.

Which ISO standards are relevant for a GRC framework?

The central ones are ISO 37301:2021 for compliance management systems, ISO 31000:2018 for risk management and ISO/IEC 27001:2022 for information security. In addition, ISO 14001 (environment), ISO 45001 (occupational safety) and ISO 37001 (anti-corruption) are added depending on the industry. The standards are largely compatible and can be integrated.

How long does it take to build a GRC system?

With standardised templates and a platform solution, 12 to 16 weeks are realistic, and for ISO 37301 certification an additional 4 to 6 months for the audit process. Consulting projects without tooling typically last 9 to 18 months. The CIVAC platform significantly reduces setup time.

Who is liable for GRC violations in the company?

The board of directors and management are primarily liable for breaches of supervisory duties in accordance with Section 93 AktG and Section 43 GmbHG. Section 130 OWiG provides for fines of up to 10 million euros. With NIS-2, personal liability of management for IT security breaches is added. Agents are liable within the scope of their appointment.

Can CIVAC only cover individual GRC blocks?

Yes. You can licence the workspace exclusively for data protection, ISMS, whistleblower protection or ESG or have individual representatives appointed. The modules can be combined and can be gradually expanded to include additional roles without having to set up a new platform.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles