{
  "id": "swiss-finma-grc-ics-decision-graph",
  "title": "Swiss FINMA GRC/ICS Software Buyer Decision Graph",
  "description": "Vendor-neutral evidence map for FINMA-regulated Swiss financial firms selecting Governance/Risk/Compliance and Internal Control System software. The graph maps buyer segments to Swiss regulatory anchors, buyer-side evidence controls, and product capability evidence drawn only from public sources.",
  "layout": "cose",
  "lastReviewed": "2026-04-30",
  "evidenceCutoff": "2026-04-30",
  "nodes": [
    {
      "id": "swiss-bank-bankg",
      "label": "Swiss bank under BankG",
      "type": "firm-segment",
      "subtype": "bank",
      "summary": "FINMA-authorised banking institution requiring board-level governance, ICS, outsourcing and operational-resilience evidence.",
      "description": "Use this segment for banks, including systemically important banks where SNB designation and FINMA Circular 2023/01 add resilience and data-governance pressure. RFPs should require traceable control ownership, testing, exceptions, remediation, outsourcing records and operational-risk evidence rather than generic GRC screenshots.",
      "url": "https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de",
      "evidence": [
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "bank",
        "bankg",
        "ics",
        "operational-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "FINMA Circular 2008/24 is archived; bank ICS mapping should be reconciled with Circular 2017/01 and current FINMA guidance before publication."
    },
    {
      "id": "swiss-securities-firm-finig",
      "label": "Swiss securities firm under FINIG",
      "type": "firm-segment",
      "subtype": "securities-firm",
      "summary": "FINMA-authorised securities firm requiring governance, conduct, AML and outsourcing controls.",
      "description": "This segment covers securities firms authorised under FINIG and subject to FINSA conduct and AMLA controls. RFPs should verify whether the software can evidence regulated outsourcing, client-service conduct controls, AML handoffs and periodic compliance attestations.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2018/801/en",
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30",
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30",
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ],
      "tags": [
        "securities-firm",
        "finig",
        "finsa",
        "amla"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Applicability of bank-specific FINMA circular controls must be confirmed for the firm's licence category and supervisory practice."
    },
    {
      "id": "swiss-portfolio-manager-trustee-finig",
      "label": "Swiss portfolio manager or trustee under FINIG",
      "type": "firm-segment",
      "subtype": "portfolio-manager-trustee",
      "summary": "Portfolio managers and trustees requiring proportionate governance, conduct, AML and data-protection controls.",
      "description": "Use this segment for smaller FINMA-licensed firms where proportionality applies but evidence discipline is still required. RFPs should avoid overbuying enterprise suites while still requiring control registers, attestations, AML evidence and regulatory reporting packs.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2018/801/en",
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30",
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30",
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ],
      "tags": [
        "portfolio-manager",
        "trustee",
        "finig",
        "proportionality"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Buyers should define minimum viable ICS depth before vendor demos; otherwise enterprise tooling will obscure workflow gaps."
    },
    {
      "id": "swiss-insurer-isa",
      "label": "Swiss insurer under ISA",
      "type": "firm-segment",
      "subtype": "insurer",
      "summary": "FINMA-supervised insurer requiring governance, outsourcing, operational-risk, privacy and, where applicable, AML evidence.",
      "description": "Use this segment for insurance undertakings under the Insurance Supervision Act. RFPs should require outsourcing inventories, operational continuity evidence, board/audit-committee reporting, privacy controls and insurance-specific risk taxonomy support.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2005/734/de",
      "evidence": [
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ],
      "tags": [
        "insurer",
        "isa",
        "outsourcing",
        "operational-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Circular 2018/03 is directly relevant to banks and insurers; verify insurance-specific governance expectations with current FINMA supervisory practice."
    },
    {
      "id": "swiss-asset-manager-cisa-finig",
      "label": "Swiss asset manager or fund house under CISA/FINIG",
      "type": "firm-segment",
      "subtype": "asset-manager-fund-house",
      "summary": "Asset managers and fund houses requiring fund-governance, conduct, AML, outsourcing and data-protection controls.",
      "description": "Use this segment for managers of collective assets and fund houses where CISA and FINIG obligations overlap. RFPs should verify evidence capture across delegated activities, valuation/governance committees, conflicts, AML controls and investor-facing conduct processes.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2006/822/en",
      "evidence": [
        "Fedlex CISA, https://www.fedlex.admin.ch/eli/cc/2006/822/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30",
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30",
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ],
      "tags": [
        "asset-manager",
        "fund-house",
        "cisa",
        "finig"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Delegation and outsourcing scope should be separated in the RFP; vendors often blur third-party risk, outsourcing and supplier management."
    },
    {
      "id": "finma-licence-applicant",
      "label": "FINMA licence applicant",
      "type": "firm-segment",
      "subtype": "licence-applicant",
      "summary": "Applicant institution needing application-grade governance evidence before authorisation.",
      "description": "Use this segment for firms building a control environment before FINMA authorisation. RFPs should prioritise explainable evidence bundles, named control owners, policy-to-control traceability, audit trails, issue remediation and operating-model proof over broad feature catalogues.",
      "url": "https://www.finma.ch/en/",
      "evidence": [
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ],
      "tags": [
        "licence-applicant",
        "finma",
        "evidence"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Application-stage buyers should not accept vendor claims of FINMA readiness without a mapped control narrative and independent review."
    },
    {
      "id": "finma",
      "label": "FINMA",
      "type": "regulator",
      "subtype": "financial-market-supervisor",
      "summary": "Swiss Financial Market Supervisory Authority.",
      "description": "FINMA is the main supervisory anchor for the buyer profiles in this graph. RFPs should map software evidence to supervisory audit trails, ad-hoc notification workflows and remediation tracking rather than treating FINMA as a generic reporting recipient.",
      "url": "https://www.finma.ch/en/",
      "evidence": [
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ],
      "tags": [
        "switzerland",
        "supervisor",
        "finma"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "fdpic",
      "label": "FDPIC",
      "type": "regulator",
      "subtype": "data-protection-supervisor",
      "summary": "Swiss Federal Data Protection and Information Commissioner.",
      "description": "FDPIC is the data-protection authority relevant to Swiss FADP/DSG evidence. RFPs should require privacy evidence that can be exported and reconciled with operational incidents, outsourcing records and processing inventories.",
      "url": "https://www.edoeb.admin.ch/en",
      "evidence": [
        "FDPIC official website, https://www.edoeb.admin.ch/en, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ],
      "tags": [
        "switzerland",
        "privacy",
        "fdpic"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "snb",
      "label": "SNB",
      "type": "regulator",
      "subtype": "central-bank-financial-stability",
      "summary": "Swiss National Bank: financial-stability authority relevant to systemically important banks.",
      "description": "The SNB is relevant where systemically important banks and functions are in scope. RFPs for systemic banks should include data aggregation, resilience and critical-function evidence suitable for supervisory scrutiny.",
      "url": "https://www.snb.ch/en/the-snb/mandates-goals/financial-stability/swiss-banking-sector",
      "evidence": [
        "SNB Swiss banking sector, https://www.snb.ch/en/the-snb/mandates-goals/financial-stability/swiss-banking-sector, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "switzerland",
        "snb",
        "systemic-bank"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Use only for systemic-bank contexts; most FINIG firms and non-systemic buyers should not overweight SNB-specific requirements."
    },
    {
      "id": "finmasa",
      "label": "FINMASA",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Federal Act on the Swiss Financial Market Supervisory Authority.",
      "description": "FINMASA anchors FINMA's supervisory mandate. Buyers should map regulator-interaction evidence, supervisory correspondence, audit-report tracking and enforcement-sensitive workflows to this anchor.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2008/736/en",
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ],
      "tags": [
        "finmasa",
        "supervision",
        "statute"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "bankg",
      "label": "BankG",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Banking Act.",
      "description": "BankG is the sectoral anchor for Swiss banks. RFPs should map bank governance, ICS, outsourcing, operational-risk and reporting controls to BankG-specific supervisory expectations.",
      "url": "https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de",
      "evidence": [
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ],
      "tags": [
        "bankg",
        "banking",
        "statute"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "English source was not retrieved in this session; German Fedlex source was retrieved."
    },
    {
      "id": "finig",
      "label": "FINIG",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Financial Institutions Act.",
      "description": "FINIG is the sectoral anchor for portfolio managers, trustees, managers of collective assets and securities firms. Buyers should use it to define licence-category scope and proportionality before buying a generic enterprise GRC platform.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2018/801/en",
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ],
      "tags": [
        "finig",
        "financial-institutions",
        "statute"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "finsa",
      "label": "FINSA",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Financial Services Act.",
      "description": "FINSA anchors client-service conduct and documentation controls. RFPs should require evidence links from policies and advisory/suitability processes into compliance attestations and exceptions.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2019/758/en",
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ],
      "tags": [
        "finsa",
        "conduct",
        "statute"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "cisa",
      "label": "CISA",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Collective Investment Schemes Act.",
      "description": "CISA is relevant to fund houses and collective-asset structures. RFPs should test whether the product can capture delegated-control evidence, valuation/governance approvals and fund-specific compliance records.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2006/822/en",
      "evidence": [
        "Fedlex CISA, https://www.fedlex.admin.ch/eli/cc/2006/822/en, accessed 2026-04-30"
      ],
      "tags": [
        "cisa",
        "funds",
        "asset-management"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "isa",
      "label": "ISA",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Insurance Supervision Act.",
      "description": "ISA is the sectoral anchor for insurers. RFPs should require insurer-specific governance, outsourcing, risk and compliance evidence instead of accepting bank-only control libraries.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2005/734/de",
      "evidence": [
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30"
      ],
      "tags": [
        "isa",
        "insurance",
        "statute"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "English source was not retrieved in this session; German Fedlex source was retrieved."
    },
    {
      "id": "amla",
      "label": "AMLA",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Swiss Anti-Money Laundering Act.",
      "description": "AMLA anchors AML/CFT controls for covered financial intermediaries. RFPs should require traceability from KYC/CDD, monitoring, investigations and suspicious-activity escalation to evidence exports.",
      "url": "https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ],
      "tags": [
        "amla",
        "aml",
        "cft"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "amlo",
      "label": "AMLO",
      "type": "regulation",
      "subtype": "ordinance",
      "summary": "Swiss Anti-Money Laundering Ordinance.",
      "description": "AMLO operationalises AMLA requirements and should be used to define evidence depth for due diligence, monitoring and documentation. RFPs should distinguish core AML case tooling from GRC evidence overlays.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2015/791/en",
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ],
      "tags": [
        "amlo",
        "aml",
        "ordinance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "finma-circ-2008-24",
      "label": "FINMA Circular 2008/24 Supervision and internal control — banks",
      "type": "regulation",
      "subtype": "finma-circular-archived",
      "summary": "Historical FINMA circular anchor for bank supervision and internal control.",
      "description": "The source retrieved is FINMA's archive page, not a current consolidated circular page. Treat this node as a required historical anchor only; publication should not imply current force without FINMA confirmation and should cross-map to Circular 2017/01.",
      "url": "https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/",
      "evidence": [
        "FINMA Circular archive 2008/24 Supervision and internal control - banks, https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/ [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "finma-circular",
        "ics",
        "bank",
        "archived"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "High publication risk: the brief asked for a current consolidated version, but the retrieved source is archived and stale."
    },
    {
      "id": "finma-circ-2017-01",
      "label": "FINMA Circular 2017/01 Corporate governance — banks",
      "type": "regulation",
      "subtype": "finma-circular",
      "summary": "Current bank corporate-governance and internal-control reference retrieved for this session.",
      "description": "This circular is included to avoid pretending the archived 2008/24 source is current. RFPs for banks should use it for governance, risk management and internal control framing alongside operational-resilience and outsourcing circulars.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "finma-circular",
        "corporate-governance",
        "ics",
        "bank"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Confirm whether any 2026 amendments or consultations affect publication wording."
    },
    {
      "id": "finma-circ-2018-03",
      "label": "FINMA Circular 2018/03 Outsourcing — banks and insurers",
      "type": "regulation",
      "subtype": "finma-circular",
      "summary": "FINMA outsourcing circular for banks and insurers.",
      "description": "Use this as the control anchor for material-outsourcing assessment, outsourcing registers, audit/access rights, subcontracting, exit planning and concentration-risk evidence. RFPs should require mapping to a buyer's actual outsourcing taxonomy, not just a generic vendor-risk module.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "finma-circular",
        "outsourcing",
        "third-party-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "The retrieved English PDF is stale; verify the latest consolidated language before publication."
    },
    {
      "id": "finma-circ-2023-01",
      "label": "FINMA Circular 2023/01 Operational risks and resilience — banks",
      "type": "regulation",
      "subtype": "finma-circular",
      "summary": "FINMA operational-risk and resilience circular for banks, effective from 2024.",
      "description": "Use this as the anchor for ICT risk, cyber resilience, critical functions, BCM, scenario testing, third-party concentration and risk data evidence in banks. RFPs should require demonstrable mappings to resilience controls and not rely on a vendor's broad operational-risk label alone.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "finma-circular",
        "operational-risk",
        "resilience",
        "bank"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Systemically important bank treatment should be reconciled with SNB critical-function expectations."
    },
    {
      "id": "fadp-dsg",
      "label": "Swiss FADP / DSG",
      "type": "regulation",
      "subtype": "statute",
      "summary": "Revised Swiss Federal Act on Data Protection, in force from 1 September 2023.",
      "description": "FADP/DSG anchors privacy governance, processing inventories, privacy impact assessments and breach-response evidence. RFPs should require evidence exportability and integration with outsourcing and incident workflows.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2022/491/en",
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "FDPIC official website, https://www.edoeb.admin.ch/en, accessed 2026-04-30"
      ],
      "tags": [
        "fadp",
        "dsg",
        "privacy",
        "data-protection"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "iso-27001-27002",
      "label": "ISO/IEC 27001 / 27002",
      "type": "standard",
      "subtype": "information-security",
      "summary": "Information-security management and control-reference standards.",
      "description": "Use ISO 27001/27002 as a control-library and assurance reference, not as a substitute for Swiss regulatory mapping. Buyers should require mappings from information-security controls into FINMA operational-risk, outsourcing and privacy evidence.",
      "url": "https://www.iso.org/standard/27001",
      "evidence": [
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "ISO/IEC 27002 information security controls, https://www.iso.org/standard/75652.html [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "iso",
        "information-security",
        "controls"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Licensing/access to full standards text may affect how much content can be embedded in the public graph."
    },
    {
      "id": "coso-2013",
      "label": "COSO 2013 Internal Control framework",
      "type": "standard",
      "subtype": "internal-control-framework",
      "summary": "Internal-control reference architecture for control environment, risk assessment, control activities, information/communication and monitoring.",
      "description": "Use COSO as a method reference for ICS design and testing discipline. RFPs should require the vendor to show how control objectives, testing, deficiencies, remediation and re-attestation are represented.",
      "url": "https://www.coso.org/guidance-on-ic",
      "evidence": [
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "coso",
        "ics",
        "internal-control"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Source is stale by date but the framework remains widely used; do not present it as Swiss-law-specific."
    },
    {
      "id": "nist-csf-2",
      "label": "NIST Cybersecurity Framework 2.0",
      "type": "standard",
      "subtype": "cybersecurity-framework",
      "summary": "Cybersecurity framework commonly mapped to risk and resilience controls.",
      "description": "Use NIST CSF as a common mapping layer for cyber and operational-resilience evidence. RFPs should require the mapping to be explicit and buyer-approved, especially for FINMA Circular 2023/01 contexts.",
      "url": "https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final",
      "evidence": [
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30"
      ],
      "tags": [
        "nist",
        "cybersecurity",
        "resilience"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "isae-3402-soc2",
      "label": "ISAE 3402 / SOC 2",
      "type": "standard",
      "subtype": "third-party-assurance",
      "summary": "Assurance-report standards used in outsourcing and vendor-risk due diligence.",
      "description": "Use ISAE 3402 and SOC 2 as third-party assurance artefacts for outsourced services and SaaS providers. RFPs should require current reports, bridge letters, scope alignment and carve-out review rather than accepting a logo or certificate.",
      "url": "https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls",
      "evidence": [
        "IAASB ISAE 3402 staff overview, https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls [stale — older than 2024], accessed 2026-04-30",
        "AICPA SOC 2, https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2, accessed 2026-04-30"
      ],
      "tags": [
        "assurance",
        "soc2",
        "isae3402",
        "outsourcing"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Require reports covering a current assurance period; stale or narrow-scope reports should not be accepted as FINMA outsourcing evidence."
    },
    {
      "id": "bcbs-239",
      "label": "BCBS 239",
      "type": "standard",
      "subtype": "risk-data-aggregation",
      "summary": "Basel principles for risk data aggregation and risk reporting.",
      "description": "Use BCBS 239 where banks, especially systemic banks, need risk-data aggregation and reporting evidence. RFPs should verify lineage, ownership, reconciliation, timeliness and reporting controls rather than generic dashboards.",
      "url": "https://www.bis.org/publ/bcbs239.htm",
      "evidence": [
        "BIS BCBS 239, https://www.bis.org/publ/bcbs239.htm [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "bcbs239",
        "risk-data",
        "systemic-bank"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Best fit for larger or systemic banking contexts; do not impose on small FINIG firms without a proportionality analysis."
    },
    {
      "id": "ics-evidence-bundle",
      "label": "ICS evidence bundle",
      "type": "control",
      "subtype": "internal-control-evidence",
      "summary": "Control register, testing, exceptions, attestations and remediation evidence for the internal control system.",
      "description": "This is the core buyer-side evidence bundle for GRC/ICS selection. RFPs should require control-owner assignment, test plans, evidence upload, exception workflows, remediation due dates, re-attestation and exportable audit trails.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular archive 2008/24 Supervision and internal control - banks, https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/ [stale — older than 2024], accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "ics",
        "controls",
        "evidence"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Avoid a tool-only view; the operating model and control taxonomy must exist before automation."
    },
    {
      "id": "outsourcing-register-materiality",
      "label": "Outsourcing register and material-outsourcing assessment",
      "type": "control",
      "subtype": "outsourcing-evidence",
      "summary": "Register, materiality analysis, due diligence, audit rights, subcontracting, exit and concentration-risk evidence.",
      "description": "This control translates outsourcing obligations into evidence the buyer can operate. RFPs should require service criticality, materiality rationale, data location, subcontractors, SLA/KPI evidence, exit plans, audit/access rights and assurance-document tracking.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "IAASB ISAE 3402 staff overview, https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls [stale — older than 2024], accessed 2026-04-30",
        "AICPA SOC 2, https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2, accessed 2026-04-30"
      ],
      "tags": [
        "outsourcing",
        "third-party-risk",
        "register"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Vendor-risk modules often stop at questionnaires; FINMA outsourcing evidence needs contract, exit, audit-right and concentration logic."
    },
    {
      "id": "operational-risk-resilience-evidence",
      "label": "Operational-risk and resilience evidence",
      "type": "control",
      "subtype": "operational-resilience-evidence",
      "summary": "ICT risk, BCM, scenario testing, critical-function, incident and third-party concentration evidence.",
      "description": "This control bundles the evidence banks need for operational-risk and resilience management. RFPs should require critical-function mapping, BCM exercises, scenario tests, incident links, KRIs, cyber/ICT controls and third-party concentration analysis.",
      "url": "https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30",
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30",
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "BIS BCBS 239, https://www.bis.org/publ/bcbs239.htm [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "operational-risk",
        "resilience",
        "bcm",
        "ict-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "For non-banks, treat this as a reference control model, but do not overstate the applicability of circulars addressed only to banks."
    },
    {
      "id": "aml-cft-evidence",
      "label": "AML/CFT evidence",
      "type": "control",
      "subtype": "aml-evidence",
      "summary": "KYC/CDD lifecycle, transaction-monitoring, investigations and suspicious-activity reporting evidence.",
      "description": "This control is not a replacement for specialist AML systems. RFPs should define whether the GRC/ICS product records AML governance evidence only or also integrates with case-management, transaction-monitoring and SAR escalation systems.",
      "url": "https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ],
      "tags": [
        "aml",
        "cft",
        "kyc",
        "sar"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Most enterprise GRC suites will not be primary AML transaction-monitoring engines; treat AML system integration as a gating question."
    },
    {
      "id": "data-protection-evidence",
      "label": "Data-protection evidence",
      "type": "control",
      "subtype": "privacy-evidence",
      "summary": "DPIA, processing register, breach response, privacy incidents and data-protection governance evidence.",
      "description": "This control captures the privacy evidence expected under Swiss FADP/DSG. RFPs should require records of processing, DPIA workflow, breach triage, data-subject request evidence, vendor-data processing links and retention controls.",
      "url": "https://www.fedlex.admin.ch/eli/cc/2022/491/en",
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "FDPIC official website, https://www.edoeb.admin.ch/en, accessed 2026-04-30",
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "privacy",
        "fadp",
        "dsg",
        "dpia"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Check whether the product has native privacy operations or only configurable risk workflows."
    },
    {
      "id": "internal-audit-sod",
      "label": "Internal audit and SoD",
      "type": "control",
      "subtype": "audit-and-segregation",
      "summary": "Internal audit workflows, 4-eyes controls, two-line/three-line ownership and periodic re-attestation evidence.",
      "description": "This control tests whether the product supports independent assurance rather than only first-line task management. RFPs should require audit plans, issue follow-up, SoD-sensitive roles, approval chains, reviewer independence and periodic recertification.",
      "url": "https://www.coso.org/guidance-on-ic",
      "evidence": [
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ],
      "tags": [
        "internal-audit",
        "sod",
        "three-lines"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Vendors often say 'workflow' when they mean task routing; require explicit SoD, independence and re-attestation evidence."
    },
    {
      "id": "regulator-interaction-evidence",
      "label": "Regulator interaction evidence",
      "type": "control",
      "subtype": "supervisory-evidence",
      "summary": "FINMA audit reports, supervisory correspondence, ad-hoc notifications, action plans and supervisory disclosure packs.",
      "description": "This control captures the evidence bridge from internal control operation to supervisory interaction. RFPs should require report packs, status history, ownership, management sign-off, issue remediation and defensible export formats.",
      "url": "https://www.finma.ch/en/",
      "evidence": [
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ],
      "tags": [
        "finma",
        "regulator-interaction",
        "audit-report"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Do not imply direct electronic submission to FINMA unless the vendor provides primary-source evidence."
    },
    {
      "id": "metricstream-inc",
      "label": "MetricStream Inc.",
      "type": "vendor",
      "subtype": "integrated-grc-vendor",
      "summary": "MetricStream provides GRC and integrated risk management software.",
      "description": "The public sources support broad GRC, risk, compliance and operational-risk capabilities. Buyers must verify Swiss regulatory references, data residency, implementation model, assurance artefacts and whether legacy M7/Risk Cloud naming matches the current commercial package.",
      "url": "https://www.metricstream.com/",
      "evidence": [
        "MetricStream website, https://www.metricstream.com/, accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "grc",
        "integrated-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "servicenow-inc",
      "label": "ServiceNow Inc.",
      "type": "vendor",
      "subtype": "platform-vendor",
      "summary": "ServiceNow provides integrated risk, operational-risk and vendor-risk products on the Now Platform.",
      "description": "The public sources support IRM/GRC, operational risk and vendor or third-party risk management capabilities. Buyers must verify whether their existing ServiceNow footprint creates operating leverage or lock-in, and whether Swiss regulatory mappings are productised or delivered by implementation partners.",
      "url": "https://www.servicenow.com/",
      "evidence": [
        "ServiceNow Integrated Risk Management, https://www.servicenow.com/products/integrated-risk-management.html, accessed 2026-04-30",
        "ServiceNow Governance, Risk and Compliance, https://www.servicenow.com/products/governance-risk-and-compliance.html, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "servicenow",
        "irm"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "archer-integrated-risk-management",
      "label": "Archer Integrated Risk Management",
      "type": "vendor",
      "subtype": "integrated-risk-vendor",
      "summary": "Archer provides integrated risk management products and risk quantification.",
      "description": "The public sources support enterprise risk, operational risk, third-party risk, IT risk and compliance positioning. Buyers must verify entity ownership, Swiss hosting/support model, current product naming and FINMA mapping.",
      "url": "https://www.archerirm.com/",
      "evidence": [
        "Archer website, https://www.archerirm.com/, accessed 2026-04-30",
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "archer",
        "integrated-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Archer/RSA legacy naming should be cleaned up before publication; public pages now present Archer as the primary brand."
    },
    {
      "id": "workiva-inc",
      "label": "Workiva Inc.",
      "type": "vendor",
      "subtype": "reporting-grc-vendor",
      "summary": "Workiva provides connected reporting, GRC, internal-control and audit-management software.",
      "description": "The public sources support controls, audit, GRC and reporting workflows. Buyers should test whether Workiva is the control evidence spine, the reporting layer, or both; the answer changes integration and data-lineage requirements.",
      "url": "https://www.workiva.com/",
      "evidence": [
        "Workiva website, https://www.workiva.com/, accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "workiva",
        "reporting",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "auditboard-optro-inc",
      "label": "AuditBoard / Optro",
      "type": "vendor",
      "subtype": "grc-vendor",
      "summary": "AuditBoard has rebranded as Optro and provides audit, risk and compliance software.",
      "description": "The public sources support Optro's GRC positioning and AuditBoard-branded product evidence for CrossComply, OpsAudit and ESG. Buyers must verify legal-contracting entity, brand transition, product continuity and Swiss regulatory references.",
      "url": "https://optro.ai/",
      "evidence": [
        "Optro formerly AuditBoard website, https://optro.ai/, accessed 2026-04-30",
        "AuditBoard announces CrossComply, https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "auditboard",
        "optro",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Brand transition is a publication watch item; name the contracting entity precisely in the buyer guide."
    },
    {
      "id": "logicgate-inc",
      "label": "LogicGate Inc.",
      "type": "vendor",
      "subtype": "grc-vendor",
      "summary": "LogicGate provides the Risk Cloud GRC platform and configurable risk/compliance applications.",
      "description": "The public sources support Risk Cloud, regulatory compliance, enterprise risk and IT-risk-adjacent capabilities. Buyers must verify control-library depth, Swiss regulatory mappings and implementation dependency on configuration services.",
      "url": "https://www.logicgate.com/",
      "evidence": [
        "LogicGate website, https://www.logicgate.com/, accessed 2026-04-30",
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "logicgate",
        "risk-cloud"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "resolver-kroll",
      "label": "Resolver / Kroll",
      "type": "vendor",
      "subtype": "risk-intelligence-vendor",
      "summary": "Resolver provides risk intelligence, risk management and compliance management software and is part of Kroll.",
      "description": "The public sources support Resolver risk and compliance capabilities and Kroll ownership. Buyers must verify which Kroll/Resolver entity is the contracting party, and must also verify data hosting, assurance reports and Swiss financial-services references.",
      "url": "https://www.resolver.com/",
      "evidence": [
        "Resolver website, https://www.resolver.com/, accessed 2026-04-30",
        "Resolver GRC software, https://www.resolver.com/grc-software/, accessed 2026-04-30",
        "Kroll acquires Resolver, https://www.kroll.com/en/newsroom/kroll-acquires-resolver-leader-risk-intelligence-technology [stale — older than 2024], accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "resolver",
        "kroll",
        "risk-intelligence"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "diligent-corp",
      "label": "Diligent Corp.",
      "type": "vendor",
      "subtype": "governance-grc-vendor",
      "summary": "Diligent provides Diligent One, HighBond, ESG and board-governance products.",
      "description": "The public sources support board governance, GRC platform, ESG and HighBond evidence, but the HighBond product sheet retrieved is stale. Buyers must verify current packaging, integration between Boards and GRC modules, Swiss references and assurance artefacts.",
      "url": "https://www.diligent.com/",
      "evidence": [
        "Diligent website, https://www.diligent.com/, accessed 2026-04-30",
        "Diligent One Platform, https://www.diligent.com/platform/diligent-one, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "diligent",
        "highbond",
        "boards"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "HighBond evidence in this session includes a stale product sheet; require current product collateral."
    },
    {
      "id": "onetrust-llc",
      "label": "OneTrust LLC",
      "type": "vendor",
      "subtype": "privacy-grc-vendor",
      "summary": "OneTrust provides privacy, third-party risk, technology risk and GRC-related products.",
      "description": "The public sources support privacy operations, third-party risk and tech-risk/compliance capabilities. Buyers must verify Swiss FADP coverage, FINMA outsourcing alignment, data residency and whether GRC workflows are native or configured.",
      "url": "https://www.onetrust.com/",
      "evidence": [
        "OneTrust website, https://www.onetrust.com/, accessed 2026-04-30",
        "OneTrust Tech Risk and Compliance, https://www.onetrust.com/solutions/tech-risk-and-compliance/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "onetrust",
        "privacy",
        "third-party-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "sai360",
      "label": "SAI360",
      "type": "vendor",
      "subtype": "grc-vendor",
      "summary": "SAI360 provides integrated risk and compliance management software.",
      "description": "The public sources support integrated GRC, enterprise/operational risk, TPRM, compliance, risk management and internal-audit use cases. Buyers must verify Swiss financial-sector references, regulatory mappings and commercial terms.",
      "url": "https://www.sai360.com/",
      "evidence": [
        "SAI360 website, https://www.sai360.com/, accessed 2026-04-30",
        "SAI360 Integrated GRC, https://www.sai360.com/solutions/integrated-grc, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "sai360",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "ibm",
      "label": "IBM",
      "type": "vendor",
      "subtype": "enterprise-software-vendor",
      "summary": "IBM provides OpenPages as its GRC platform.",
      "description": "The public sources support OpenPages for risk, compliance and audit in a modular cloud or on-premises model. Buyers must verify OpenPages deployment architecture, Swiss hosting, IBM contracting entity, assurance reports and FINMA-mapped reference architecture.",
      "url": "https://www.ibm.com/products/openpages",
      "evidence": [
        "IBM OpenPages, https://www.ibm.com/products/openpages, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "ibm",
        "openpages"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified from public primary sources in this session."
    },
    {
      "id": "navex",
      "label": "NAVEX",
      "type": "vendor",
      "subtype": "grc-vendor",
      "summary": "NAVEX provides NAVEX One and legacy Lockpath risk/governance capabilities.",
      "description": "The public sources support NAVEX One GRC positioning and Lockpath operational-risk and financial-services compliance materials. Buyers must verify current Lockpath/Keylight product status, packaging, data hosting, Swiss references and assurance artefacts.",
      "url": "https://www.navex.com/en-us/",
      "evidence": [
        "NAVEX website, https://www.navex.com/en-us/, accessed 2026-04-30",
        "NAVEX One platform, https://www.navex.com/en-us/platform/, accessed 2026-04-30",
        "NAVEX Global acquires Lockpath, https://www.navex.com/en-us/company/press-room/navex-global-acquires-lockpath-inc/ [stale — older than 2024], accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "navex",
        "lockpath",
        "keylight"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Lockpath/Keylight evidence includes stale acquisition and upgrade pages; require current product naming."
    },
    {
      "id": "finray-technologies-ltd",
      "label": "Finray Technologies Ltd",
      "type": "vendor",
      "subtype": "swiss-fintech-vendor",
      "summary": "Finray provides infrastructure and control systems for regulated financial institutions, including Ordinis.",
      "description": "The public sources support Ordinis positioning around governance, risk, compliance, approvals and audit evidence. Because Finray publishes this guide, buyers should require independent assurance artefacts, external review and the same RFP treatment used for every competitor.",
      "url": "https://finray.tech/",
      "evidence": [
        "Finray Technologies, https://finray.tech/, accessed 2026-04-30",
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: independent assurance artefacts, external security review, FINMA-regulated Swiss references, tenant isolation, pricing model, implementation timeline, API limits, data residency, audit evidence export format]"
      ],
      "tags": [
        "vendor",
        "finray",
        "ordinis",
        "coi"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": null
    },
    {
      "id": "swiss-grc-ag",
      "label": "Swiss GRC AG",
      "type": "vendor",
      "subtype": "swiss-grc-vendor",
      "summary": "Swiss GRC provides GRC Toolbox software from Switzerland.",
      "description": "The public sources support Swiss GRC software across GRC, ICS, risk management, audit, operational resilience and TPRM. Buyers should verify FINMA-regulated use cases, deployment model, data hosting, assurance reports and module licensing.",
      "url": "https://swissgrc.com/en/",
      "evidence": [
        "Swiss GRC website, https://swissgrc.com/en/, accessed 2026-04-30",
        "Swiss GRC solutions, https://swissgrc.com/en/solutions/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "vendor",
        "swiss",
        "grc-toolbox",
        "local"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Public Swiss customer references exist, but regulated-entity scope and FINMA audit use cases still require RFP confirmation."
    },
    {
      "id": "metricstream-m7-platform",
      "label": "MetricStream M7 platform",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Legacy MetricStream integrated risk platform product name.",
      "description": "A public announcement supports M7 as an integrated risk platform, and current platform evidence supports broader integrated-risk use. Buyers must verify whether M7 remains the contracted product name or has been replaced by current platform packaging.",
      "url": "https://www.metricstream.com/pressNews/pr-956-MetricStream-launches-M7-integrated-risk-platform.htm",
      "evidence": [
        "MetricStream M7 integrated risk platform announcement, https://www.metricstream.com/pressNews/pr-956-MetricStream-launches-M7-integrated-risk-platform.htm [stale — older than 2024], accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "metricstream",
        "m7",
        "platform"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "M7 source is stale; current packaging must be verified."
    },
    {
      "id": "metricstream-risk-cloud",
      "label": "MetricStream Risk Cloud",
      "type": "product",
      "subtype": "grc-product",
      "summary": "MetricStream risk management platform/product label to be verified.",
      "description": "Public pages support risk management and a broad platform, but a distinct public Risk Cloud product page was not verified. Buyers should require SKU/package confirmation and module-level evidence before comparing it with products named Risk Cloud by other vendors.",
      "url": "https://www.metricstream.com/platform.htm",
      "evidence": [
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30",
        "MetricStream Risk Management Software, https://www.metricstream.com/products/risk-management.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "metricstream",
        "risk-cloud",
        "risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Product naming evidence is pending."
    },
    {
      "id": "metricstream-oprisk",
      "label": "MetricStream Operational Risk Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "MetricStream operational risk management product.",
      "description": "Public source supports operational-risk management features including dashboards and risk-control effectiveness views. Buyers must map this to FINMA Circular 2023/01 evidence requirements and verify resilience, BCM and critical-function coverage.",
      "url": "https://www.metricstream.com/products/operational-risk-management.htm",
      "evidence": [
        "MetricStream Operational Risk Management, https://www.metricstream.com/products/operational-risk-management.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "metricstream",
        "operational-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "metricstream-compliance",
      "label": "MetricStream Compliance Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "MetricStream compliance and regulatory compliance product.",
      "description": "Public sources support compliance workflows, mapping of regulations to controls and regulatory compliance management. Buyers should verify Swiss legal-source ingestion, FINMA audit packs and obligation lifecycle controls.",
      "url": "https://www.metricstream.com/products/compliance-management.htm",
      "evidence": [
        "MetricStream Compliance Management, https://www.metricstream.com/products/compliance-management.htm, accessed 2026-04-30",
        "MetricStream Regulatory Compliance, https://www.metricstream.com/products/regulatory-compliance.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "metricstream",
        "compliance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "metricstream-internal-audit",
      "label": "MetricStream Internal Audit Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "MetricStream internal-audit product label requiring direct evidence confirmation.",
      "description": "The retrieved MetricStream site lists internal audit management in the product navigation, and the platform page supports audit programs. Buyers should require a current direct product page, an audit workflow demo, and a mapping to segregation of duties (SoD) and the three lines of defence.",
      "url": "https://www.metricstream.com/",
      "evidence": [
        "MetricStream website, https://www.metricstream.com/, accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "metricstream",
        "internal-audit"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Direct product page not retrieved in this session."
    },
    {
      "id": "servicenow-irm-grc",
      "label": "ServiceNow IRM / GRC suite",
      "type": "product",
      "subtype": "grc-product",
      "summary": "ServiceNow integrated risk management and GRC suite.",
      "description": "Public sources support automated risk and compliance workflows and GRC positioning. Buyers should verify FINMA-specific control libraries, evidence export and how far implementation depends on platform configuration.",
      "url": "https://www.servicenow.com/products/integrated-risk-management.html",
      "evidence": [
        "ServiceNow Integrated Risk Management, https://www.servicenow.com/products/integrated-risk-management.html, accessed 2026-04-30",
        "ServiceNow Governance, Risk and Compliance, https://www.servicenow.com/products/governance-risk-and-compliance.html, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "servicenow",
        "irm",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "servicenow-vendor-risk-management",
      "label": "ServiceNow Vendor Risk Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "ServiceNow vendor or third-party risk management product.",
      "description": "Public sources support continuous vendor monitoring, assessment and remediation workflows. Buyers should map this against FINMA Circular 2018/03 requirements for material outsourcing, audit rights, exit and concentration risk.",
      "url": "https://www.servicenow.com/uk/products/vendor-risk-management.html",
      "evidence": [
        "ServiceNow Vendor Risk Management, https://www.servicenow.com/uk/products/vendor-risk-management.html, accessed 2026-04-30",
        "ServiceNow Third-Party Risk Management, https://www.servicenow.com/products/third-party-risk-management.html, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "servicenow",
        "vendor-risk",
        "third-party-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "servicenow-operational-risk-management",
      "label": "ServiceNow Operational Risk Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "ServiceNow operational risk management product.",
      "description": "Public sources support operational-risk monitoring and dashboarding. Buyers should verify BCM, scenario testing, ICT risk, critical-function and third-party concentration evidence before treating it as FINMA Circular 2023/01-ready.",
      "url": "https://www.servicenow.com/products/operational-risk-management.html",
      "evidence": [
        "ServiceNow Operational Risk Management, https://www.servicenow.com/products/operational-risk-management.html, accessed 2026-04-30",
        "ServiceNow Operational Risk dashboard documentation, https://www.servicenow.com/docs/r/governance-risk-compliance/grc-risk-management-workspace/operational-risk-dashboard.html, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "servicenow",
        "operational-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "archer-suite",
      "label": "Archer Suite",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Archer integrated risk management suite.",
      "description": "Public sources support a collaborative business-level risk and compliance program across functions and third-party ecosystem. Buyers should verify current modules, implementation scope and Swiss regulatory mapping.",
      "url": "https://help.archerirm.cloud/platform_2024_11/en-us/content/shared_topics/archer_suite.htm",
      "evidence": [
        "Archer Suite documentation, https://help.archerirm.cloud/platform_2024_11/en-us/content/shared_topics/archer_suite.htm, accessed 2026-04-30",
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "archer",
        "suite",
        "integrated-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "archer-insight",
      "label": "Archer Insight",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Archer risk quantification and prioritisation product.",
      "description": "Public source supports risk quantification and prioritisation of significant risks. Buyers should verify whether Insight produces control evidence or only supports risk analytics and executive prioritisation.",
      "url": "https://www.archerirm.com/archer-insight-risk-quantification",
      "evidence": [
        "Archer Insight risk quantification, https://www.archerirm.com/archer-insight-risk-quantification, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "archer",
        "insight",
        "risk-quantification"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "workiva-wdesk",
      "label": "Workiva Wdesk",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Legacy Workiva Wdesk label for connected controls and reporting workflows.",
      "description": "Public source supports Wdesk use in SOX controls management, but the direct Wdesk source is stale and Workiva now emphasises the Workiva platform. Buyers should verify current naming and whether Wdesk is still relevant for procurement.",
      "url": "https://www.workiva.com/resources/implementation-guide-sox-controls-management",
      "evidence": [
        "Workiva Wdesk SOX Controls Management implementation guide, https://www.workiva.com/resources/implementation-guide-sox-controls-management [stale — older than 2024], accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "workiva",
        "wdesk",
        "controls"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Wdesk evidence is stale; current Workiva packaging should be used."
    },
    {
      "id": "workiva-reporting",
      "label": "Workiva Reporting",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Workiva reporting and disclosure management capability.",
      "description": "Public sources support financial reporting and disclosure management with connected data. Buyers should verify whether supervisory reporting packs and FINMA audit report evidence are in scope or require configuration.",
      "url": "https://www.workiva.com/resources/workiva-financial-reporting-and-disclosure-management",
      "evidence": [
        "Workiva Financial Reporting and Disclosure Management, https://www.workiva.com/resources/workiva-financial-reporting-and-disclosure-management, accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "workiva",
        "reporting",
        "disclosure"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "auditboard-crosscomply",
      "label": "AuditBoard CrossComply",
      "type": "product",
      "subtype": "grc-product",
      "summary": "AuditBoard CrossComply compliance product.",
      "description": "Public source supports CrossComply as a compliance product for frameworks, controls and policies. Buyers should verify current packaging under the Optro brand (formerly AuditBoard), Swiss regulatory mapping and whether it handles financial-services regulatory obligations beyond security/compliance frameworks.",
      "url": "https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=",
      "evidence": [
        "AuditBoard announces CrossComply, https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "AuditBoard CrossComply Live, https://resources.optro.ai/auditboard-live-compliance.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "auditboard",
        "crosscomply",
        "compliance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Brand transition and module packaging require verification."
    },
    {
      "id": "auditboard-opsaudit",
      "label": "AuditBoard OpsAudit",
      "type": "product",
      "subtype": "grc-product",
      "summary": "AuditBoard OpsAudit internal audit product.",
      "description": "Public source supports audit planning, fieldwork and reporting workflows. Buyers should verify SoD, independence controls, Swiss audit-report packs and current Optro product naming.",
      "url": "https://resources.optro.ai/opsaudit-live-may.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=",
      "evidence": [
        "AuditBoard OpsAudit Live, https://resources.optro.ai/opsaudit-live-may.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "Optro (formerly AuditBoard) website, https://optro.ai/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "auditboard",
        "opsaudit",
        "internal-audit"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Brand transition and current packaging require verification."
    },
    {
      "id": "auditboard-riskoversight",
      "label": "AuditBoard RiskOversight",
      "type": "product",
      "subtype": "grc-product",
      "summary": "AuditBoard RiskOversight product label requiring current public evidence confirmation.",
      "description": "The retrieved Optro and AuditBoard sources support general risk and compliance positioning but did not provide a direct RiskOversight primary page in this session. Buyers should require product-page evidence, module scope and Swiss references before relying on this node.",
      "url": "https://optro.ai/",
      "evidence": [
        "Optro (formerly AuditBoard) website, https://optro.ai/, accessed 2026-04-30",
        "AuditBoard compliance solutions, https://auditboard.com/solutions/compliance?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "auditboard",
        "riskoversight",
        "risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Direct product page not retrieved in this session."
    },
    {
      "id": "auditboard-esg",
      "label": "AuditBoard / Optro ESG",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Optro ESG product.",
      "description": "Public source supports ESG data collection and reporting workflows. This is adjacent to the FINMA GRC/ICS scope, so buyers should include it only where ESG governance evidence is part of the RFP.",
      "url": "https://optro.ai/product/esg",
      "evidence": [
        "Optro ESG product, https://optro.ai/product/esg, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "auditboard",
        "optro",
        "esg"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Not a core FINMA ICS control unless buyer includes ESG governance."
    },
    {
      "id": "logicgate-risk-cloud",
      "label": "LogicGate Risk Cloud",
      "type": "product",
      "subtype": "grc-product",
      "summary": "LogicGate Risk Cloud GRC platform.",
      "description": "Public sources support a GRC platform with risk assessments, mitigation workflows, evidence monitoring and reports. Buyers should verify financial-services mappings, data hosting and implementation effort.",
      "url": "https://www.logicgate.com/platform/",
      "evidence": [
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "LogicGate website, https://www.logicgate.com/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "logicgate",
        "risk-cloud",
        "platform"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "logicgate-rcm",
      "label": "LogicGate Regulatory Compliance Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "LogicGate regulatory compliance management solution.",
      "description": "Public source supports regulatory compliance documentation, reporting and exam workflows. Buyers should verify Swiss legal obligation libraries and FINMA audit pack outputs.",
      "url": "https://www.logicgate.com/solutions/regulatory-compliance-management/",
      "evidence": [
        "LogicGate Regulatory Compliance Management, https://www.logicgate.com/solutions/regulatory-compliance-management/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "logicgate",
        "regulatory-compliance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "logicgate-erm",
      "label": "LogicGate ERM",
      "type": "product",
      "subtype": "grc-product",
      "summary": "LogicGate enterprise risk management application.",
      "description": "Public sources support centralized enterprise risk, assessments, mitigations and reporting. Buyers should verify operational-resilience evidence depth and cross-control links to ICS testing.",
      "url": "https://www.logicgate.com/platform/applications/enterprise-risk-management-application/",
      "evidence": [
        "LogicGate Enterprise Risk Management application, https://www.logicgate.com/platform/applications/enterprise-risk-management-application/, accessed 2026-04-30",
        "LogicGate Enterprise Risk Management solution, https://www.logicgate.com/solutions/enterprise-risk-management/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "logicgate",
        "erm",
        "risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "logicgate-it-risk",
      "label": "LogicGate IT Risk",
      "type": "product",
      "subtype": "grc-product",
      "summary": "LogicGate IT-risk-adjacent capability within Risk Cloud.",
      "description": "Public sources list IT risk and cyber/compliance use cases within the risk management suite. Buyers should require explicit ICT-risk, cyber and privacy evidence workflows before using it for FINMA operational-resilience mapping.",
      "url": "https://www.logicgate.com/solutions/team/risk-management/",
      "evidence": [
        "LogicGate risk management team solutions, https://www.logicgate.com/solutions/team/risk-management/, accessed 2026-04-30",
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "logicgate",
        "it-risk",
        "cyber"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Direct IT Risk product page not retrieved in this session."
    },
    {
      "id": "resolver-risk",
      "label": "Resolver Risk",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Resolver risk management product.",
      "description": "Public sources support enterprise risk management, risk assessment and action tracking. Buyers should verify operational-resilience, BCM and FINMA control-library mappings.",
      "url": "https://www.resolver.com/grc-software/risk-management/",
      "evidence": [
        "Resolver Enterprise Risk Management Software, https://www.resolver.com/grc-software/risk-management/, accessed 2026-04-30",
        "Resolver GRC software, https://www.resolver.com/grc-software/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "resolver",
        "risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "resolver-compliance",
      "label": "Resolver Compliance",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Resolver compliance management product.",
      "description": "Public sources support regulatory change tracking, control testing and compliance dashboards. Buyers should verify Swiss legal sources, regulator-interaction packs and audit-evidence exports.",
      "url": "https://www.resolver.com/grc-software/compliance-management/",
      "evidence": [
        "Resolver Compliance Management Software, https://www.resolver.com/grc-software/compliance-management/, accessed 2026-04-30",
        "Resolver integrated GRC software, https://www.resolver.com/solutions/integrated-grc-software/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "resolver",
        "compliance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "diligent-highbond",
      "label": "Diligent HighBond",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Diligent HighBond GRC platform.",
      "description": "Public source supports HighBond centralising workflow, procedures, reporting and analytics for GRC, but the retrieved product sheet is stale. Buyers should require current collateral, assurance artefacts and product-roadmap evidence.",
      "url": "https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4",
      "evidence": [
        "Diligent HighBond platform product sheet, https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4 [stale — older than 2024], accessed 2026-04-30",
        "Diligent HighBond API, https://developer.diligent.com/api/highbond, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "diligent",
        "highbond",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "HighBond evidence is stale; require current product page or datasheet."
    },
    {
      "id": "diligent-esg",
      "label": "Diligent ESG",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Diligent ESG reporting and governance product.",
      "description": "Public sources support ESG data collection, framework mapping and reporting workflows. This is adjacent to the FINMA GRC/ICS scope; include it only where the buyer makes ESG governance part of the RFP.",
      "url": "https://www.diligent.com/products/diligent-esg",
      "evidence": [
        "Diligent ESG, https://www.diligent.com/products/diligent-esg, accessed 2026-04-30",
        "Diligent ESG features, https://www.diligent.com/solutions/esg-features, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "diligent",
        "esg"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Not a core FINMA ICS control unless buyer includes ESG governance."
    },
    {
      "id": "diligent-boards",
      "label": "Diligent Boards",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Diligent board management software.",
      "description": "Public sources support board-management and governance workflows. Buyers should verify whether board materials and approvals link to control evidence, risk decisions and supervisory issue tracking.",
      "url": "https://www.diligent.com/lp/board-management-software-enterprise",
      "evidence": [
        "Diligent board management software, https://www.diligent.com/lp/board-management-software-enterprise, accessed 2026-04-30",
        "Diligent One Platform, https://www.diligent.com/platform/diligent-one, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "diligent",
        "boards",
        "governance"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Board governance is relevant but not a substitute for ICS tooling."
    },
    {
      "id": "onetrust-grc",
      "label": "OneTrust GRC / Tech Risk and Compliance",
      "type": "product",
      "subtype": "grc-product",
      "summary": "OneTrust technology risk and compliance/GRC capability.",
      "description": "Public sources support technology risk, compliance automation, assessments and policy or compliance tracking concepts. Buyers should verify native GRC module scope, Swiss regulatory libraries and exportable evidence.",
      "url": "https://www.onetrust.com/solutions/tech-risk-and-compliance/",
      "evidence": [
        "OneTrust Tech Risk and Compliance, https://www.onetrust.com/solutions/tech-risk-and-compliance/, accessed 2026-04-30",
        "OneTrust GRC glossary, https://www.onetrust.com/glossary/governance-risk-and-compliance-grc/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "onetrust",
        "grc",
        "tech-risk"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "onetrust-privacy",
      "label": "OneTrust Privacy Operations",
      "type": "product",
      "subtype": "grc-product",
      "summary": "OneTrust privacy operations product.",
      "description": "Public source supports privacy operations including data activity visibility and records of processing. Buyers should verify Swiss FADP-specific templates, breach workflow, cross-border transfer records and processor/vendor links.",
      "url": "https://www.onetrust.com/products/privacy-operations/",
      "evidence": [
        "OneTrust Privacy Operations, https://www.onetrust.com/products/privacy-operations/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "onetrust",
        "privacy",
        "fadp"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "onetrust-third-party-risk",
      "label": "OneTrust Third-Party Risk Management",
      "type": "product",
      "subtype": "grc-product",
      "summary": "OneTrust third-party risk management product.",
      "description": "Public sources support third-party inventory, automated assessments, monitoring and reporting. Buyers should verify FINMA material-outsourcing fields, exit plans, subcontractor controls and concentration-risk analysis.",
      "url": "https://www.onetrust.com/products/third-party-risk-management/",
      "evidence": [
        "OneTrust Third-Party Risk Management, https://www.onetrust.com/products/third-party-risk-management/, accessed 2026-04-30",
        "OneTrust Third-Party Management solutions, https://www.onetrust.com/solutions/third-party-management/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "onetrust",
        "third-party-risk",
        "outsourcing"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "sai360-grc-platform",
      "label": "SAI360 GRC platform",
      "type": "product",
      "subtype": "grc-product",
      "summary": "SAI360 integrated GRC platform.",
      "description": "Public sources support integrated GRC with standards, controls and risk/compliance management. Buyers should verify Swiss legal mappings, deployment model and package pricing.",
      "url": "https://www.sai360.com/solutions/integrated-grc",
      "evidence": [
        "SAI360 Integrated GRC, https://www.sai360.com/solutions/integrated-grc, accessed 2026-04-30",
        "SAI360 website, https://www.sai360.com/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "sai360",
        "grc",
        "platform"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "ibm-openpages",
      "label": "IBM OpenPages",
      "type": "product",
      "subtype": "grc-product",
      "summary": "IBM OpenPages GRC platform.",
      "description": "Public sources support OpenPages for risk, compliance, audit, operational risk and regulatory compliance in a modular model. Buyers should verify Swiss hosting, implementation model, system integrations and assurance evidence.",
      "url": "https://www.ibm.com/products/openpages",
      "evidence": [
        "IBM OpenPages, https://www.ibm.com/products/openpages, accessed 2026-04-30",
        "IBM OpenPages Operational Risk, https://www.ibm.com/products/openpages/operational-risk, accessed 2026-04-30",
        "IBM OpenPages Regulatory Compliance, https://www.ibm.com/products/openpages/regulatory-compliance, accessed 2026-04-30",
        "IBM OpenPages GRC solutions documentation, https://www.ibm.com/docs/en/openpages/9.0.0?topic=guide-openpages-grc-solutions, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "ibm",
        "openpages",
        "grc"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "navex-lockpath-keylight",
      "label": "Lockpath Keylight",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Legacy Lockpath Keylight risk management platform.",
      "description": "Public source supports Keylight as a legacy Lockpath risk management platform, but the evidence is stale. Buyers should verify whether Keylight is still sold, replaced or rebranded under NAVEX One.",
      "url": "https://www.navex.com/en-us/company/press-room/navex-global-announces-upgrade-to-lockpath-risk-management-platform/",
      "evidence": [
        "NAVEX Global announces upgrade to Lockpath Keylight risk management platform, https://www.navex.com/en-us/company/press-room/navex-global-announces-upgrade-to-lockpath-risk-management-platform/ [stale — older than 2024], accessed 2026-04-30",
        "NAVEX Lockpath support topic, https://support.navex.com/s/topic/0TO1T000000bMVQWA2/lockpath?language=en_US, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "navex",
        "lockpath",
        "keylight"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Stale product evidence; current product status must be verified."
    },
    {
      "id": "navex-risk-manager",
      "label": "NAVEX One Risk & Governance / Risk Manager",
      "type": "product",
      "subtype": "grc-product",
      "summary": "NAVEX One risk governance and compliance capability.",
      "description": "Public sources support NAVEX One risk, compliance, operational-risk and financial-services compliance use cases. Buyers should verify current module naming, FINMA outsourcing fields and implementation model.",
      "url": "https://www.navex.com/en-us/platform/risk-governance-irm/",
      "evidence": [
        "NAVEX One Risk Governance and Compliance, https://www.navex.com/en-us/platform/risk-governance-irm/, accessed 2026-04-30",
        "NAVEX One platform, https://www.navex.com/en-us/platform/, accessed 2026-04-30",
        "NAVEX Lockpath Operational Risk Management datasheet, https://www.navex.com/en-us/resources/datasheets/operational-risk-management/, accessed 2026-04-30",
        "NAVEX regulatory compliance and risk management for financial services, https://www.navex.com/en-us/resources/datasheets/regulatory-compliance-and-risk-management-financial-services/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "navex",
        "risk-governance",
        "irm"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "No FINMA-regulated Swiss reference was verified."
    },
    {
      "id": "finray-ordinis",
      "label": "Ordinis",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Finray Ordinis is a governance, risk, compliance, approvals and audit-evidence product.",
      "description": "Public sources support Ordinis as an operating system for controls, approvals, attestations and audit evidence. Because this guide is published by Finray, buyers should treat every claim as requiring independent validation and should not use this graph as a recommendation.",
      "url": "https://finray.tech/platforms/ordinis/",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "Finray Technologies, https://finray.tech/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: independent assurance artefacts, external security review, FINMA-regulated Swiss references, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, pricing model, implementation timeline, API limits, data residency, audit evidence export format]"
      ],
      "tags": [
        "finray",
        "ordinis",
        "ics",
        "coi"
      ],
      "isFinrayProduct": true,
      "coiNote": "Finray Technologies Ltd ships Ordinis; Finray Intelligence recuses this product from ranking, scoring league tables and any best-of recommendation. Buyers should require independent assurance artefacts and external review before procurement.",
      "watching": "Independent assurance and external review required before procurement."
    },
    {
      "id": "swiss-grc-toolbox",
      "label": "Swiss GRC Toolbox",
      "type": "product",
      "subtype": "grc-product",
      "summary": "Swiss GRC Toolbox GRC platform.",
      "description": "Public sources support GRC Toolbox across GRC, ICS, risk and related modules, with Swiss customer references on the vendor site. Buyers should verify regulated financial-services scope, module licensing, data hosting and assurance reports.",
      "url": "https://swissgrc.com/en/",
      "evidence": [
        "Swiss GRC website, https://swissgrc.com/en/, accessed 2026-04-30",
        "Swiss GRC Internal Control Software ICS, https://swissgrc.com/en/internal-control-software-ics/, accessed 2026-04-30",
        "Swiss GRC Risk Management Software, https://swissgrc.com/en/risk-management-software/, accessed 2026-04-30",
        "Swiss GRC solutions, https://swissgrc.com/en/solutions/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ],
      "tags": [
        "swiss-grc",
        "grc-toolbox",
        "ics"
      ],
      "isFinrayProduct": false,
      "coiNote": null,
      "watching": "Swiss market relevance is strong, but FINMA-specific evidence still requires outreach."
    }
  ],
  "edges": [
    {
      "source": "swiss-bank-bankg",
      "target": "finmasa",
      "type": "requires",
      "label": "Banks fall within FINMA's supervisory framework.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "bankg",
      "type": "requires",
      "label": "Swiss banks require BankG-aligned governance and evidence.",
      "strength": null,
      "evidence": [
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "finsa",
      "type": "requires",
      "label": "Banks providing financial services must consider FINSA conduct evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "amla",
      "type": "requires",
      "label": "Banks must maintain AML/CFT evidence under AMLA.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "amlo",
      "type": "requires",
      "label": "Banks must operationalise AML controls under AMLO where applicable.",
      "strength": null,
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Banks process personal data and require FADP/DSG evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "finma-circ-2017-01",
      "type": "requires",
      "label": "Bank governance and ICS evidence should be mapped to FINMA Circular 2017/01.",
      "strength": null,
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "finma-circ-2018-03",
      "type": "requires",
      "label": "Bank outsourcing evidence should be mapped to FINMA Circular 2018/03.",
      "strength": null,
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "finma-circ-2023-01",
      "type": "requires",
      "label": "Bank operational-risk and resilience evidence should be mapped to FINMA Circular 2023/01.",
      "strength": null,
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-bank-bankg",
      "target": "finma-circ-2008-24",
      "type": "requires",
      "label": "Historical bank ICS references may require a crosswalk from archived Circular 2008/24.",
      "strength": null,
      "evidence": [
        "FINMA Circular archive 2008/24 Supervision and internal control - banks, https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/ [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "finmasa",
      "type": "requires",
      "label": "Securities firms are supervised under FINMA's statutory framework.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "finig",
      "type": "requires",
      "label": "Securities firms require FINIG licence-category controls.",
      "strength": null,
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "finsa",
      "type": "requires",
      "label": "Securities firms require FINSA conduct evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "amla",
      "type": "requires",
      "label": "Securities firms require AML/CFT evidence where in scope.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "amlo",
      "type": "requires",
      "label": "Securities firms must operationalise AML controls under AMLO where applicable.",
      "strength": null,
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Securities firms require FADP/DSG privacy evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-securities-firm-finig",
      "target": "finma-circ-2018-03",
      "type": "requires",
      "label": "Material outsourcing assessments may be relevant where supervisory outsourcing expectations apply.",
      "strength": null,
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "finmasa",
      "type": "requires",
      "label": "Portfolio managers and trustees are supervised under FINMA's statutory framework.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "finig",
      "type": "requires",
      "label": "Portfolio managers and trustees require FINIG controls.",
      "strength": null,
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "finsa",
      "type": "requires",
      "label": "Portfolio managers and trustees require FINSA conduct evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "amla",
      "type": "requires",
      "label": "Portfolio managers and trustees require AML/CFT evidence where in scope.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "amlo",
      "type": "requires",
      "label": "Portfolio managers and trustees must operationalise AML controls under AMLO where applicable.",
      "strength": null,
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-portfolio-manager-trustee-finig",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Portfolio managers and trustees require FADP/DSG privacy evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-insurer-isa",
      "target": "finmasa",
      "type": "requires",
      "label": "Insurers are supervised under FINMA's statutory framework.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-insurer-isa",
      "target": "isa",
      "type": "requires",
      "label": "Insurers require ISA-aligned governance and risk evidence.",
      "strength": null,
      "evidence": [
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-insurer-isa",
      "target": "amla",
      "type": "requires",
      "label": "Insurers require AML/CFT evidence where product scope triggers AMLA.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-insurer-isa",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Insurers require FADP/DSG privacy evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-insurer-isa",
      "target": "finma-circ-2018-03",
      "type": "requires",
      "label": "Insurers should map outsourcing evidence to FINMA Circular 2018/03.",
      "strength": null,
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "finmasa",
      "type": "requires",
      "label": "Asset managers and fund houses are supervised under FINMA's statutory framework.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "Fedlex CISA, https://www.fedlex.admin.ch/eli/cc/2006/822/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "cisa",
      "type": "requires",
      "label": "Fund houses and collective investment structures require CISA controls.",
      "strength": null,
      "evidence": [
        "Fedlex CISA, https://www.fedlex.admin.ch/eli/cc/2006/822/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "finig",
      "type": "requires",
      "label": "Asset managers require FINIG controls.",
      "strength": null,
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "finsa",
      "type": "requires",
      "label": "Asset managers and fund houses require FINSA conduct evidence where applicable.",
      "strength": null,
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "amla",
      "type": "requires",
      "label": "Asset managers and fund houses require AML/CFT evidence where in scope.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "amlo",
      "type": "requires",
      "label": "Asset managers and fund houses must operationalise AML controls under AMLO where applicable.",
      "strength": null,
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-asset-manager-cisa-finig",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Asset managers and fund houses require FADP/DSG privacy evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "finmasa",
      "type": "requires",
      "label": "Licence applicants must prepare evidence for FINMA supervisory review.",
      "strength": null,
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "bankg",
      "type": "requires",
      "label": "Bank applicants must build BankG-aligned evidence.",
      "strength": null,
      "evidence": [
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "finig",
      "type": "requires",
      "label": "FINIG applicants must build licence-category evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "finsa",
      "type": "requires",
      "label": "Applicants with client-service activity need FINSA conduct evidence.",
      "strength": null,
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "amla",
      "type": "requires",
      "label": "Applicants in scope must build AML/CFT evidence before launch.",
      "strength": null,
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-licence-applicant",
      "target": "fadp-dsg",
      "type": "requires",
      "label": "Applicants must evidence privacy governance under FADP/DSG.",
      "strength": null,
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2017-01",
      "target": "ics-evidence-bundle",
      "type": "requires",
      "label": "The bank corporate-governance circular anchors internal-control evidence for banks.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2008-24",
      "target": "ics-evidence-bundle",
      "type": "requires",
      "label": "The archived 2008/24 circular is retained as a historical internal-control anchor.",
      "strength": "indirect",
      "evidence": [
        "FINMA Circular archive 2008/24 Supervision and internal control - banks, https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/ [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2017-01",
      "target": "internal-audit-sod",
      "type": "requires",
      "label": "Bank governance and internal-control arrangements require auditability and role separation.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2018-03",
      "target": "outsourcing-register-materiality",
      "type": "requires",
      "label": "The outsourcing circular anchors material-outsourcing registers and assessments.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2018-03",
      "target": "regulator-interaction-evidence",
      "type": "requires",
      "label": "Outsourcing evidence must be defensible for supervisory inspection and audit rights.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2023-01",
      "target": "operational-risk-resilience-evidence",
      "type": "requires",
      "label": "The operational-risk circular anchors resilience, ICT-risk and critical-function evidence for banks.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2023-01",
      "target": "outsourcing-register-materiality",
      "type": "requires",
      "label": "Operational resilience evidence includes third-party concentration and dependency analysis.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2023-01",
      "target": "regulator-interaction-evidence",
      "type": "requires",
      "label": "Banks should maintain resilience evidence that can support supervisory dialogue.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "amla",
      "target": "aml-cft-evidence",
      "type": "requires",
      "label": "AMLA anchors buyer evidence for due diligence and suspicious-activity governance.",
      "strength": "partial",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "amlo",
      "target": "aml-cft-evidence",
      "type": "requires",
      "label": "AMLO operationalises AML evidence requirements at ordinance level.",
      "strength": "partial",
      "evidence": [
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "fadp-dsg",
      "target": "data-protection-evidence",
      "type": "requires",
      "label": "FADP/DSG anchors privacy evidence including processing records, DPIAs and breach response.",
      "strength": "partial",
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "FDPIC official website, https://www.edoeb.admin.ch/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finmasa",
      "target": "regulator-interaction-evidence",
      "type": "requires",
      "label": "FINMASA anchors supervisory interaction and evidentiary discipline toward FINMA.",
      "strength": "partial",
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "bankg",
      "target": "ics-evidence-bundle",
      "type": "requires",
      "label": "BankG buyers should maintain bank-grade ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30",
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finig",
      "target": "ics-evidence-bundle",
      "type": "requires",
      "label": "FINIG buyers should maintain proportionate governance and control evidence.",
      "strength": "partial",
      "evidence": [
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "finsa",
      "target": "regulator-interaction-evidence",
      "type": "requires",
      "label": "FINSA conduct evidence should be available for compliance review and supervisory challenge.",
      "strength": "partial",
      "evidence": [
        "Fedlex FINSA, https://www.fedlex.admin.ch/eli/cc/2019/758/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "isa",
      "target": "operational-risk-resilience-evidence",
      "type": "requires",
      "label": "Insurers should maintain operational-risk and resilience evidence proportionate to their business.",
      "strength": "partial",
      "evidence": [
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "cisa",
      "target": "regulator-interaction-evidence",
      "type": "requires",
      "label": "Fund houses should maintain evidence for delegated activities and supervisory review.",
      "strength": "partial",
      "evidence": [
        "Fedlex CISA, https://www.fedlex.admin.ch/eli/cc/2006/822/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "ics-evidence-bundle",
      "target": "finma-circ-2017-01",
      "type": "compliant-with",
      "label": "ICS evidence supports compliance with bank governance and internal-control expectations.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "outsourcing-register-materiality",
      "target": "finma-circ-2018-03",
      "type": "compliant-with",
      "label": "The outsourcing register supports compliance evidence under FINMA outsourcing expectations.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "IAASB ISAE 3402 staff overview, https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "operational-risk-resilience-evidence",
      "target": "finma-circ-2023-01",
      "type": "compliant-with",
      "label": "Operational-risk and resilience evidence supports compliance evidence under Circular 2023/01.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30",
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30"
      ]
    },
    {
      "source": "aml-cft-evidence",
      "target": "amla",
      "type": "compliant-with",
      "label": "AML/CFT evidence supports AMLA compliance evidence.",
      "strength": "partial",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "data-protection-evidence",
      "target": "fadp-dsg",
      "type": "compliant-with",
      "label": "Privacy evidence supports Swiss FADP/DSG compliance evidence.",
      "strength": "partial",
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "FDPIC official website, https://www.edoeb.admin.ch/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "internal-audit-sod",
      "target": "finma-circ-2017-01",
      "type": "compliant-with",
      "label": "Internal audit and SoD evidence supports bank internal-control governance.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "regulator-interaction-evidence",
      "target": "finmasa",
      "type": "compliant-with",
      "label": "Regulator interaction records support supervisory evidence under FINMASA.",
      "strength": "partial",
      "evidence": [
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "ics-evidence-bundle",
      "target": "swiss-bank-bankg",
      "type": "evidence-for",
      "label": "ICS evidence is a central evidence bundle for Swiss banks.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30",
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "outsourcing-register-materiality",
      "target": "swiss-bank-bankg",
      "type": "evidence-for",
      "label": "Outsourcing evidence supports bank supervisory readiness.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "Fedlex BankG, https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "outsourcing-register-materiality",
      "target": "swiss-insurer-isa",
      "type": "evidence-for",
      "label": "Outsourcing evidence supports insurer supervisory readiness.",
      "strength": "partial",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "Fedlex ISA, https://www.fedlex.admin.ch/eli/cc/2005/734/de, accessed 2026-04-30"
      ]
    },
    {
      "source": "aml-cft-evidence",
      "target": "swiss-securities-firm-finig",
      "type": "evidence-for",
      "label": "AML/CFT evidence supports securities-firm compliance readiness.",
      "strength": "partial",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "data-protection-evidence",
      "target": "swiss-portfolio-manager-trustee-finig",
      "type": "evidence-for",
      "label": "Privacy evidence supports smaller FINIG firms handling client data.",
      "strength": "partial",
      "evidence": [
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "Fedlex FINIG, https://www.fedlex.admin.ch/eli/cc/2018/801/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "regulator-interaction-evidence",
      "target": "finma-licence-applicant",
      "type": "evidence-for",
      "label": "Regulatory interaction evidence supports licence-application readiness.",
      "strength": "partial",
      "evidence": [
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30",
        "Fedlex FINMASA, https://www.fedlex.admin.ch/eli/cc/2008/736/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "coso-2013",
      "target": "ics-evidence-bundle",
      "type": "prerequisite-for",
      "label": "COSO provides a practical architecture for designing and evidencing an ICS.",
      "strength": "indirect",
      "evidence": [
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "iso-27001-27002",
      "target": "operational-risk-resilience-evidence",
      "type": "prerequisite-for",
      "label": "ISO 27001/27002 controls provide an information-security baseline for operational-resilience evidence.",
      "strength": "indirect",
      "evidence": [
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "ISO/IEC 27002 information security controls, https://www.iso.org/standard/75652.html [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "nist-csf-2",
      "target": "operational-risk-resilience-evidence",
      "type": "prerequisite-for",
      "label": "NIST CSF 2.0 provides a cybersecurity mapping layer for resilience evidence.",
      "strength": "indirect",
      "evidence": [
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "isae-3402-soc2",
      "target": "outsourcing-register-materiality",
      "type": "prerequisite-for",
      "label": "Third-party assurance reports are practical evidence inputs for outsourcing due diligence.",
      "strength": "indirect",
      "evidence": [
        "IAASB ISAE 3402 staff overview, https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls [stale — older than 2024], accessed 2026-04-30",
        "AICPA SOC 2, https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "bcbs-239",
      "target": "operational-risk-resilience-evidence",
      "type": "prerequisite-for",
      "label": "BCBS 239 provides a risk-data aggregation and reporting reference for systemic-bank resilience evidence.",
      "strength": "indirect",
      "evidence": [
        "BIS BCBS 239, https://www.bis.org/publ/bcbs239.htm [stale — older than 2024], accessed 2026-04-30",
        "SNB Swiss banking sector, https://www.snb.ch/en/the-snb/mandates-goals/financial-stability/swiss-banking-sector, accessed 2026-04-30"
      ]
    },
    {
      "source": "iso-27001-27002",
      "target": "data-protection-evidence",
      "type": "prerequisite-for",
      "label": "Information-security controls support privacy evidence under Swiss FADP/DSG.",
      "strength": "indirect",
      "evidence": [
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "coso-2013",
      "target": "finma-circ-2017-01",
      "type": "compliant-with",
      "label": "COSO is a methodological reference that can support bank ICS mapping but is not Swiss law.",
      "strength": "indirect",
      "evidence": [
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "nist-csf-2",
      "target": "finma-circ-2023-01",
      "type": "compliant-with",
      "label": "NIST CSF can complement FINMA operational-resilience mapping for cyber controls.",
      "strength": "indirect",
      "evidence": [
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "iso-27001-27002",
      "target": "finma-circ-2023-01",
      "type": "compliant-with",
      "label": "ISO 27001/27002 can complement ICT and information-security controls under operational-resilience mapping.",
      "strength": "indirect",
      "evidence": [
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "isae-3402-soc2",
      "target": "finma-circ-2018-03",
      "type": "compliant-with",
      "label": "ISAE 3402 and SOC 2 reports can support outsourcing due diligence where scope aligns.",
      "strength": "indirect",
      "evidence": [
        "IAASB ISAE 3402 staff overview, https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls [stale — older than 2024], accessed 2026-04-30",
        "AICPA SOC 2, https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "bcbs-239",
      "target": "finma-circ-2023-01",
      "type": "compliant-with",
      "label": "BCBS 239 can complement risk-data and reporting expectations in systemic-bank contexts.",
      "strength": "indirect",
      "evidence": [
        "BIS BCBS 239, https://www.bis.org/publ/bcbs239.htm [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finma-circ-2018-03",
      "target": "finma-circ-2023-01",
      "type": "complementary-to",
      "label": "Outsourcing and operational-resilience obligations overlap around third-party dependencies and concentration risk.",
      "strength": "indirect",
      "evidence": [
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "amla",
      "target": "amlo",
      "type": "complementary-to",
      "label": "AMLO operationalises AMLA requirements and should be mapped together for AML evidence.",
      "strength": "indirect",
      "evidence": [
        "Fedlex AMLA, https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en, accessed 2026-04-30",
        "Fedlex AMLO, https://www.fedlex.admin.ch/eli/cc/2015/791/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "iso-27001-27002",
      "target": "nist-csf-2",
      "type": "complementary-to",
      "label": "ISO and NIST controls can be cross-mapped for ICT and cyber resilience.",
      "strength": "indirect",
      "evidence": [
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30",
        "NIST Cybersecurity Framework 2.0, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-m7-platform",
      "target": "metricstream-inc",
      "type": "produced-by",
      "label": "MetricStream M7 platform is produced or marketed by MetricStream Inc..",
      "strength": "full",
      "evidence": [
        "MetricStream M7 integrated risk platform announcement, https://www.metricstream.com/pressNews/pr-956-MetricStream-launches-M7-integrated-risk-platform.htm [stale — older than 2024], accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-risk-cloud",
      "target": "metricstream-inc",
      "type": "produced-by",
      "label": "MetricStream Risk Cloud is produced or marketed by MetricStream Inc..",
      "strength": "full",
      "evidence": [
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30",
        "MetricStream Risk Management Software, https://www.metricstream.com/products/risk-management.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-oprisk",
      "target": "metricstream-inc",
      "type": "produced-by",
      "label": "MetricStream Operational Risk Management is produced or marketed by MetricStream Inc..",
      "strength": "full",
      "evidence": [
        "MetricStream Operational Risk Management, https://www.metricstream.com/products/operational-risk-management.htm, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ]
    },
    {
      "source": "metricstream-compliance",
      "target": "metricstream-inc",
      "type": "produced-by",
      "label": "MetricStream Compliance Management is produced or marketed by MetricStream Inc..",
      "strength": "full",
      "evidence": [
        "MetricStream Compliance Management, https://www.metricstream.com/products/compliance-management.htm, accessed 2026-04-30",
        "MetricStream Regulatory Compliance, https://www.metricstream.com/products/regulatory-compliance.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-internal-audit",
      "target": "metricstream-inc",
      "type": "produced-by",
      "label": "MetricStream Internal Audit Management is produced or marketed by MetricStream Inc..",
      "strength": "full",
      "evidence": [
        "MetricStream website, https://www.metricstream.com/, accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-irm-grc",
      "target": "servicenow-inc",
      "type": "produced-by",
      "label": "ServiceNow IRM / GRC suite is produced or marketed by ServiceNow Inc..",
      "strength": "full",
      "evidence": [
        "ServiceNow Integrated Risk Management, https://www.servicenow.com/products/integrated-risk-management.html, accessed 2026-04-30",
        "ServiceNow Governance, Risk and Compliance, https://www.servicenow.com/products/governance-risk-and-compliance.html, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-vendor-risk-management",
      "target": "servicenow-inc",
      "type": "produced-by",
      "label": "ServiceNow Vendor Risk Management is produced or marketed by ServiceNow Inc..",
      "strength": "full",
      "evidence": [
        "ServiceNow Vendor Risk Management, https://www.servicenow.com/uk/products/vendor-risk-management.html, accessed 2026-04-30",
        "ServiceNow Third-Party Risk Management, https://www.servicenow.com/products/third-party-risk-management.html, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-operational-risk-management",
      "target": "servicenow-inc",
      "type": "produced-by",
      "label": "ServiceNow Operational Risk Management is produced or marketed by ServiceNow Inc..",
      "strength": "full",
      "evidence": [
        "ServiceNow Operational Risk Management, https://www.servicenow.com/products/operational-risk-management.html, accessed 2026-04-30",
        "ServiceNow Operational Risk dashboard documentation, https://www.servicenow.com/docs/r/governance-risk-compliance/grc-risk-management-workspace/operational-risk-dashboard.html, accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-suite",
      "target": "archer-integrated-risk-management",
      "type": "produced-by",
      "label": "Archer Suite is produced or marketed by Archer Integrated Risk Management.",
      "strength": "full",
      "evidence": [
        "Archer Suite documentation, https://help.archerirm.cloud/platform_2024_11/en-us/content/shared_topics/archer_suite.htm, accessed 2026-04-30",
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-insight",
      "target": "archer-integrated-risk-management",
      "type": "produced-by",
      "label": "Archer Insight is produced or marketed by Archer Integrated Risk Management.",
      "strength": "full",
      "evidence": [
        "Archer Insight risk quantification, https://www.archerirm.com/archer-insight-risk-quantification, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ]
    },
    {
      "source": "workiva-wdesk",
      "target": "workiva-inc",
      "type": "produced-by",
      "label": "Workiva Wdesk is produced or marketed by Workiva Inc..",
      "strength": "full",
      "evidence": [
        "Workiva Wdesk SOX Controls Management implementation guide, https://www.workiva.com/resources/implementation-guide-sox-controls-management [stale — older than 2024], accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30"
      ]
    },
    {
      "source": "workiva-reporting",
      "target": "workiva-inc",
      "type": "produced-by",
      "label": "Workiva Reporting is produced or marketed by Workiva Inc..",
      "strength": "full",
      "evidence": [
        "Workiva Financial Reporting and Disclosure Management, https://www.workiva.com/resources/workiva-financial-reporting-and-disclosure-management, accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-crosscomply",
      "target": "auditboard-optro-inc",
      "type": "produced-by",
      "label": "AuditBoard CrossComply is produced or marketed by AuditBoard / Optro.",
      "strength": "full",
      "evidence": [
        "AuditBoard announces CrossComply, https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "AuditBoard CrossComply Live, https://resources.optro.ai/auditboard-live-compliance.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-opsaudit",
      "target": "auditboard-optro-inc",
      "type": "produced-by",
      "label": "AuditBoard OpsAudit is produced or marketed by AuditBoard / Optro.",
      "strength": "full",
      "evidence": [
        "AuditBoard OpsAudit Live, https://resources.optro.ai/opsaudit-live-may.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "Optro formerly AuditBoard website, https://optro.ai/, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-riskoversight",
      "target": "auditboard-optro-inc",
      "type": "produced-by",
      "label": "AuditBoard RiskOversight is produced or marketed by AuditBoard / Optro.",
      "strength": "full",
      "evidence": [
        "Optro formerly AuditBoard website, https://optro.ai/, accessed 2026-04-30",
        "AuditBoard compliance solutions, https://auditboard.com/solutions/compliance?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-esg",
      "target": "auditboard-optro-inc",
      "type": "produced-by",
      "label": "AuditBoard / Optro ESG is produced or marketed by AuditBoard / Optro.",
      "strength": "full",
      "evidence": [
        "Optro ESG product, https://optro.ai/product/esg, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ]
    },
    {
      "source": "logicgate-risk-cloud",
      "target": "logicgate-inc",
      "type": "produced-by",
      "label": "LogicGate Risk Cloud is produced or marketed by LogicGate Inc..",
      "strength": "full",
      "evidence": [
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "LogicGate website, https://www.logicgate.com/, accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-rcm",
      "target": "logicgate-inc",
      "type": "produced-by",
      "label": "LogicGate Regulatory Compliance Management is produced or marketed by LogicGate Inc..",
      "strength": "full",
      "evidence": [
        "LogicGate Regulatory Compliance Management, https://www.logicgate.com/solutions/regulatory-compliance-management/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ]
    },
    {
      "source": "logicgate-erm",
      "target": "logicgate-inc",
      "type": "produced-by",
      "label": "LogicGate ERM is produced or marketed by LogicGate Inc..",
      "strength": "full",
      "evidence": [
        "LogicGate Enterprise Risk Management application, https://www.logicgate.com/platform/applications/enterprise-risk-management-application/, accessed 2026-04-30",
        "LogicGate Enterprise Risk Management solution, https://www.logicgate.com/solutions/enterprise-risk-management/, accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-it-risk",
      "target": "logicgate-inc",
      "type": "produced-by",
      "label": "LogicGate IT Risk is produced or marketed by LogicGate Inc..",
      "strength": "full",
      "evidence": [
        "LogicGate risk management team solutions, https://www.logicgate.com/solutions/team/risk-management/, accessed 2026-04-30",
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-risk",
      "target": "resolver-kroll",
      "type": "produced-by",
      "label": "Resolver Risk is produced or marketed by Resolver / Kroll.",
      "strength": "full",
      "evidence": [
        "Resolver Enterprise Risk Management Software, https://www.resolver.com/grc-software/risk-management/, accessed 2026-04-30",
        "Resolver GRC software, https://www.resolver.com/grc-software/, accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-compliance",
      "target": "resolver-kroll",
      "type": "produced-by",
      "label": "Resolver Compliance is produced or marketed by Resolver / Kroll.",
      "strength": "full",
      "evidence": [
        "Resolver Compliance Management Software, https://www.resolver.com/grc-software/compliance-management/, accessed 2026-04-30",
        "Resolver integrated GRC software, https://www.resolver.com/solutions/integrated-grc-software/, accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-highbond",
      "target": "diligent-corp",
      "type": "produced-by",
      "label": "Diligent HighBond is produced or marketed by Diligent Corp..",
      "strength": "full",
      "evidence": [
        "Diligent HighBond platform product sheet, https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4 [stale — older than 2024], accessed 2026-04-30",
        "Diligent HighBond API, https://developer.diligent.com/api/highbond, accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-esg",
      "target": "diligent-corp",
      "type": "produced-by",
      "label": "Diligent ESG is produced or marketed by Diligent Corp..",
      "strength": "full",
      "evidence": [
        "Diligent ESG, https://www.diligent.com/products/diligent-esg, accessed 2026-04-30",
        "Diligent ESG features, https://www.diligent.com/solutions/esg-features, accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-boards",
      "target": "diligent-corp",
      "type": "produced-by",
      "label": "Diligent Boards is produced or marketed by Diligent Corp..",
      "strength": "full",
      "evidence": [
        "Diligent board management software, https://www.diligent.com/lp/board-management-software-enterprise, accessed 2026-04-30",
        "Diligent One Platform, https://www.diligent.com/platform/diligent-one, accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-grc",
      "target": "onetrust-llc",
      "type": "produced-by",
      "label": "OneTrust GRC / Tech Risk and Compliance is produced or marketed by OneTrust LLC.",
      "strength": "full",
      "evidence": [
        "OneTrust Tech Risk and Compliance, https://www.onetrust.com/solutions/tech-risk-and-compliance/, accessed 2026-04-30",
        "OneTrust GRC glossary, https://www.onetrust.com/glossary/governance-risk-and-compliance-grc/, accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-privacy",
      "target": "onetrust-llc",
      "type": "produced-by",
      "label": "OneTrust Privacy Operations is produced or marketed by OneTrust LLC.",
      "strength": "full",
      "evidence": [
        "OneTrust Privacy Operations, https://www.onetrust.com/products/privacy-operations/, accessed 2026-04-30",
        "[evidence pending — vendor outreach required: FINMA-regulated Swiss references, Swiss/EU data residency, tenant isolation, encryption and key management, role model and segregation-of-duties mapping, implementation timeline, pricing model, API limits, audit evidence export, independent assurance artefacts]"
      ]
    },
    {
      "source": "onetrust-third-party-risk",
      "target": "onetrust-llc",
      "type": "produced-by",
      "label": "OneTrust Third-Party Risk Management is produced or marketed by OneTrust LLC.",
      "strength": "full",
      "evidence": [
        "OneTrust Third-Party Risk Management, https://www.onetrust.com/products/third-party-risk-management/, accessed 2026-04-30",
        "OneTrust Third-Party Management solutions, https://www.onetrust.com/solutions/third-party-management/, accessed 2026-04-30"
      ]
    },
    {
      "source": "sai360-grc-platform",
      "target": "sai360",
      "type": "produced-by",
      "label": "SAI360 GRC platform is produced or marketed by SAI360.",
      "strength": "full",
      "evidence": [
        "SAI360 Integrated GRC, https://www.sai360.com/solutions/integrated-grc, accessed 2026-04-30",
        "SAI360 website, https://www.sai360.com/, accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "ibm",
      "type": "produced-by",
      "label": "IBM OpenPages is produced or marketed by IBM.",
      "strength": "full",
      "evidence": [
        "IBM OpenPages, https://www.ibm.com/products/openpages, accessed 2026-04-30",
        "IBM OpenPages Operational Risk, https://www.ibm.com/products/openpages/operational-risk, accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-lockpath-keylight",
      "target": "navex",
      "type": "produced-by",
      "label": "Lockpath Keylight is produced or marketed by NAVEX.",
      "strength": "full",
      "evidence": [
        "NAVEX Global announces upgrade to Lockpath Keylight risk management platform, https://www.navex.com/en-us/company/press-room/navex-global-announces-upgrade-to-lockpath-risk-management-platform/ [stale — older than 2024], accessed 2026-04-30",
        "NAVEX Lockpath support topic, https://support.navex.com/s/topic/0TO1T000000bMVQWA2/lockpath?language=en_US, accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-risk-manager",
      "target": "navex",
      "type": "produced-by",
      "label": "NAVEX One Risk & Governance / Risk Manager is produced or marketed by NAVEX.",
      "strength": "full",
      "evidence": [
        "NAVEX One Risk Governance and Compliance, https://www.navex.com/en-us/platform/risk-governance-irm/, accessed 2026-04-30",
        "NAVEX One platform, https://www.navex.com/en-us/platform/, accessed 2026-04-30"
      ]
    },
    {
      "source": "finray-ordinis",
      "target": "finray-technologies-ltd",
      "type": "produced-by",
      "label": "Ordinis is produced or marketed by Finray Technologies Ltd.",
      "strength": "full",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "Finray Technologies, https://finray.tech/, accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-grc-toolbox",
      "target": "swiss-grc-ag",
      "type": "produced-by",
      "label": "Swiss GRC Toolbox is produced or marketed by Swiss GRC AG.",
      "strength": "full",
      "evidence": [
        "Swiss GRC website, https://swissgrc.com/en/, accessed 2026-04-30",
        "Swiss GRC Internal Control Software ICS, https://swissgrc.com/en/internal-control-software-ics/, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-m7-platform",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public sources support integrated risk, compliance and audit capabilities relevant to an ICS evidence bundle.",
      "strength": "partial",
      "evidence": [
        "MetricStream M7 integrated risk platform announcement, https://www.metricstream.com/pressNews/pr-956-MetricStream-launches-M7-integrated-risk-platform.htm [stale — older than 2024], accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-oprisk",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public source supports operational-risk management capabilities relevant to operational-risk evidence.",
      "strength": "partial",
      "evidence": [
        "MetricStream Operational Risk Management, https://www.metricstream.com/products/operational-risk-management.htm, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-compliance",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public sources support compliance mapping and regulatory compliance workflows relevant to supervisory evidence packs.",
      "strength": "partial",
      "evidence": [
        "MetricStream Compliance Management, https://www.metricstream.com/products/compliance-management.htm, accessed 2026-04-30",
        "MetricStream Regulatory Compliance, https://www.metricstream.com/products/regulatory-compliance.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-compliance",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public sources support mapping regulations, controls and assessments relevant to ICS compliance evidence.",
      "strength": "partial",
      "evidence": [
        "MetricStream Regulatory Compliance, https://www.metricstream.com/products/regulatory-compliance.htm, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-risk-cloud",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public risk-management evidence supports part of the operational-risk and resilience control bundle.",
      "strength": "partial",
      "evidence": [
        "MetricStream Risk Management Software, https://www.metricstream.com/products/risk-management.htm, accessed 2026-04-30",
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "metricstream-internal-audit",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public platform evidence supports audit programs, but direct internal-audit product evidence requires outreach.",
      "strength": "partial",
      "evidence": [
        "MetricStream GRC Platform, https://www.metricstream.com/platform.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-irm-grc",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public sources support integrated risk and compliance workflows relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "ServiceNow Integrated Risk Management, https://www.servicenow.com/products/integrated-risk-management.html, accessed 2026-04-30",
        "ServiceNow Governance, Risk and Compliance, https://www.servicenow.com/products/governance-risk-and-compliance.html, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-irm-grc",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public GRC sources support risk and compliance workflow evidence that can feed regulator-interaction packs.",
      "strength": "partial",
      "evidence": [
        "ServiceNow Governance, Risk and Compliance, https://www.servicenow.com/products/governance-risk-and-compliance.html, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-vendor-risk-management",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public sources support vendor and third-party risk assessment, monitoring and remediation workflows.",
      "strength": "partial",
      "evidence": [
        "ServiceNow Vendor Risk Management, https://www.servicenow.com/uk/products/vendor-risk-management.html, accessed 2026-04-30",
        "ServiceNow Third-Party Risk Management, https://www.servicenow.com/products/third-party-risk-management.html, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "servicenow-operational-risk-management",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public sources support operational-risk monitoring and dashboarding relevant to FINMA resilience evidence.",
      "strength": "partial",
      "evidence": [
        "ServiceNow Operational Risk Management, https://www.servicenow.com/products/operational-risk-management.html, accessed 2026-04-30",
        "ServiceNow Operational Risk dashboard documentation, https://www.servicenow.com/docs/r/governance-risk-compliance/grc-risk-management-workspace/operational-risk-dashboard.html, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-suite",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public sources support risk and compliance workflows across business functions relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Archer Suite documentation, https://help.archerirm.cloud/platform_2024_11/en-us/content/shared_topics/archer_suite.htm, accessed 2026-04-30",
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-suite",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public sources support third-party ecosystem risk management relevant to outsourcing evidence.",
      "strength": "partial",
      "evidence": [
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-suite",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public sources support enterprise and operational risk capabilities relevant to resilience evidence.",
      "strength": "partial",
      "evidence": [
        "Archer website, https://www.archerirm.com/, accessed 2026-04-30",
        "Archer GRC solutions, https://www.archerirm.com/solutions, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "archer-insight",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public source supports risk quantification and prioritisation that can inform resilience evidence.",
      "strength": "partial",
      "evidence": [
        "Archer Insight risk quantification, https://www.archerirm.com/archer-insight-risk-quantification, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "workiva-wdesk",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public Wdesk and Workiva sources support controls management and auditability relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Workiva Wdesk SOX Controls Management implementation guide, https://www.workiva.com/resources/implementation-guide-sox-controls-management [stale — older than 2024], accessed 2026-04-30",
        "Workiva Internal Controls Management, https://www.workiva.com/solutions/internal-controls-management, accessed 2026-04-30"
      ]
    },
    {
      "source": "workiva-wdesk",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public Workiva sources support internal audit management and control-testing workflows.",
      "strength": "partial",
      "evidence": [
        "Workiva Internal Audit Management, https://www.workiva.com/solutions/internal-audit-management, accessed 2026-04-30",
        "Workiva Internal Controls Management, https://www.workiva.com/solutions/internal-controls-management, accessed 2026-04-30"
      ]
    },
    {
      "source": "workiva-reporting",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public reporting sources support connected reporting that can feed supervisory evidence packs when configured.",
      "strength": "partial",
      "evidence": [
        "Workiva Financial Reporting and Disclosure Management, https://www.workiva.com/resources/workiva-financial-reporting-and-disclosure-management, accessed 2026-04-30",
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "workiva-reporting",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public platform evidence supports built-in controls and auditability relevant to ICS reporting.",
      "strength": "partial",
      "evidence": [
        "Workiva platform, https://www.workiva.com/platform, accessed 2026-04-30",
        "Workiva Internal Controls Management, https://www.workiva.com/solutions/internal-controls-management, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-crosscomply",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public sources support compliance frameworks, controls and policies relevant to ICS compliance evidence.",
      "strength": "partial",
      "evidence": [
        "AuditBoard announces CrossComply, https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "AuditBoard CrossComply Live, https://resources.optro.ai/auditboard-live-compliance.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-crosscomply",
      "target": "data-protection-evidence",
      "type": "implements",
      "label": "Public sources support framework-based compliance workflows that may contribute to privacy compliance evidence.",
      "strength": "partial",
      "evidence": [
        "AuditBoard announces CrossComply, https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-opsaudit",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public source supports audit planning, fieldwork and reporting workflows.",
      "strength": "partial",
      "evidence": [
        "AuditBoard OpsAudit Live, https://resources.optro.ai/opsaudit-live-may.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "auditboard-riskoversight",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public Optro and AuditBoard sources support broad risk positioning, but direct RiskOversight product evidence is pending.",
      "strength": "indirect",
      "evidence": [
        "Optro formerly AuditBoard website, https://optro.ai/, accessed 2026-04-30",
        "AuditBoard compliance solutions, https://auditboard.com/solutions/compliance?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=, accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-risk-cloud",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public platform sources support evidence monitoring, mitigation workflows and reports relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-risk-cloud",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public platform sources list operational risk and operational resilience application suites.",
      "strength": "partial",
      "evidence": [
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "LogicGate risk management team solutions, https://www.logicgate.com/solutions/team/risk-management/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-risk-cloud",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public platform and risk-team sources support third-party and operational-risk use cases relevant to outsourcing evidence.",
      "strength": "partial",
      "evidence": [
        "LogicGate Risk Cloud platform, https://www.logicgate.com/platform/, accessed 2026-04-30",
        "LogicGate risk management team solutions, https://www.logicgate.com/solutions/team/risk-management/, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-rcm",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public source supports regulatory compliance documentation, reporting and regulatory exam workflows.",
      "strength": "partial",
      "evidence": [
        "LogicGate Regulatory Compliance Management, https://www.logicgate.com/solutions/regulatory-compliance-management/, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-erm",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public ERM sources support risk assessments, mitigations and reporting relevant to operational-risk evidence.",
      "strength": "partial",
      "evidence": [
        "LogicGate Enterprise Risk Management application, https://www.logicgate.com/platform/applications/enterprise-risk-management-application/, accessed 2026-04-30",
        "LogicGate Enterprise Risk Management solution, https://www.logicgate.com/solutions/enterprise-risk-management/, accessed 2026-04-30"
      ]
    },
    {
      "source": "logicgate-it-risk",
      "target": "data-protection-evidence",
      "type": "implements",
      "label": "Public sources support IT/cyber risk use cases that can contribute to privacy and security evidence.",
      "strength": "partial",
      "evidence": [
        "LogicGate risk management team solutions, https://www.logicgate.com/solutions/team/risk-management/, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30",
        "ISO/IEC 27001 information security management, https://www.iso.org/standard/27001 [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-risk",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public source supports enterprise risk assessment and action tracking relevant to operational-risk evidence.",
      "strength": "partial",
      "evidence": [
        "Resolver Enterprise Risk Management Software, https://www.resolver.com/grc-software/risk-management/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-risk",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public GRC sources support risk management workflows that can contribute to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Resolver GRC software, https://www.resolver.com/grc-software/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-compliance",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public source supports regulatory change, control testing and compliance dashboards relevant to supervisory evidence.",
      "strength": "partial",
      "evidence": [
        "Resolver Compliance Management Software, https://www.resolver.com/grc-software/compliance-management/, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "resolver-compliance",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public source supports control testing and compliance workflows relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Resolver Compliance Management Software, https://www.resolver.com/grc-software/compliance-management/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-highbond",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public HighBond source supports GRC workflow, procedures, reporting and analytics relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "Diligent HighBond platform product sheet, https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4 [stale — older than 2024], accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-highbond",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public HighBond and Diligent One sources support audit and GRC activities relevant to internal audit evidence.",
      "strength": "partial",
      "evidence": [
        "Diligent HighBond platform product sheet, https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4 [stale — older than 2024], accessed 2026-04-30",
        "Diligent One Platform overview, https://help.diligentoneplatform.com/helpdocs/d1p/en-us/Content/diligent_one_platform_overview.htm, accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-highbond",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public sources support GRC reporting and API integration that can contribute to supervisory evidence packs.",
      "strength": "partial",
      "evidence": [
        "Diligent HighBond platform product sheet, https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4 [stale — older than 2024], accessed 2026-04-30",
        "Diligent HighBond API, https://developer.diligent.com/api/highbond, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "diligent-boards",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public board-governance sources can support board-level approvals and supervisory issue oversight when linked to GRC evidence.",
      "strength": "indirect",
      "evidence": [
        "Diligent board management software, https://www.diligent.com/lp/board-management-software-enterprise, accessed 2026-04-30",
        "Diligent One Platform, https://www.diligent.com/platform/diligent-one, accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-grc",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public Tech Risk and Compliance sources support assessments, compliance tracking and framework mapping relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "OneTrust Tech Risk and Compliance, https://www.onetrust.com/solutions/tech-risk-and-compliance/, accessed 2026-04-30",
        "OneTrust GRC glossary, https://www.onetrust.com/glossary/governance-risk-and-compliance-grc/, accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-grc",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public IT-risk sources support dashboards and KRIs relevant to operational-risk evidence.",
      "strength": "partial",
      "evidence": [
        "OneTrust IT Risk Management, https://www.onetrust.com/products/it-risk-management/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-privacy",
      "target": "data-protection-evidence",
      "type": "implements",
      "label": "Public source supports privacy operations including data activity visibility and records of processing.",
      "strength": "partial",
      "evidence": [
        "OneTrust Privacy Operations, https://www.onetrust.com/products/privacy-operations/, accessed 2026-04-30",
        "Fedlex FADP/DSG, https://www.fedlex.admin.ch/eli/cc/2022/491/en, accessed 2026-04-30"
      ]
    },
    {
      "source": "onetrust-third-party-risk",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public sources support third-party inventory, automated assessments, monitoring and reporting relevant to outsourcing evidence.",
      "strength": "partial",
      "evidence": [
        "OneTrust Third-Party Risk Management, https://www.onetrust.com/products/third-party-risk-management/, accessed 2026-04-30",
        "OneTrust Third-Party Management solutions, https://www.onetrust.com/solutions/third-party-management/, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "sai360-grc-platform",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public integrated GRC and compliance sources support controls and compliance workflows relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "SAI360 Integrated GRC, https://www.sai360.com/solutions/integrated-grc, accessed 2026-04-30",
        "SAI360 Compliance use case, https://www.sai360.com/use-cases/compliance, accessed 2026-04-30"
      ]
    },
    {
      "source": "sai360-grc-platform",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public sources support enterprise and operational risk management relevant to resilience evidence.",
      "strength": "partial",
      "evidence": [
        "SAI360 Enterprise and Operational Risk Management, https://www.sai360.com/solutions/enterprise-operational-risk-management, accessed 2026-04-30",
        "SAI360 Risk Management use case, https://www.sai360.com/use-cases/risk-management, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "sai360-grc-platform",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public TPRM source supports vendor data, assessments and monitoring relevant to outsourcing evidence.",
      "strength": "partial",
      "evidence": [
        "SAI360 TPRM Vendor Risk Management, https://www.sai360.com/solutions/tprm-vendor-risk-management, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "sai360-grc-platform",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public internal-audit source supports audit-manager use cases relevant to independent assurance evidence.",
      "strength": "partial",
      "evidence": [
        "SAI360 Internal Audit Managers, https://www.sai360.com/sai360-platform/internal-audit-managers, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public source supports risk, compliance and audit functions in an integrated GRC solution relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "IBM OpenPages, https://www.ibm.com/products/openpages, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public source supports operational-risk management including controls, KRIs, loss events and issues/action plans.",
      "strength": "partial",
      "evidence": [
        "IBM OpenPages Operational Risk, https://www.ibm.com/products/openpages/operational-risk, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public regulatory compliance source supports breaking regulations into requirements and tasks for compliance response.",
      "strength": "partial",
      "evidence": [
        "IBM OpenPages Regulatory Compliance, https://www.ibm.com/products/openpages/regulatory-compliance, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public documentation lists third-party risk management as part of OpenPages GRC solutions.",
      "strength": "partial",
      "evidence": [
        "IBM OpenPages GRC solutions documentation, https://www.ibm.com/docs/en/openpages/9.0.0?topic=guide-openpages-grc-solutions, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "ibm-openpages",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public sources support audit as part of OpenPages GRC functions.",
      "strength": "partial",
      "evidence": [
        "IBM OpenPages, https://www.ibm.com/products/openpages, accessed 2026-04-30",
        "IBM OpenPages overview media, https://mediacenter.ibm.com/id/1_rkv5i2r0, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-lockpath-keylight",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public legacy Keylight evidence supports risk management platform capabilities, but the source is stale.",
      "strength": "indirect",
      "evidence": [
        "NAVEX Global announces upgrade to Lockpath Keylight risk management platform, https://www.navex.com/en-us/company/press-room/navex-global-announces-upgrade-to-lockpath-risk-management-platform/ [stale — older than 2024], accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-risk-manager",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public sources support operational-risk management and NAVEX One risk governance capabilities.",
      "strength": "partial",
      "evidence": [
        "NAVEX Lockpath Operational Risk Management datasheet, https://www.navex.com/en-us/resources/datasheets/operational-risk-management/, accessed 2026-04-30",
        "NAVEX One Risk Governance and Compliance, https://www.navex.com/en-us/platform/risk-governance-irm/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-risk-manager",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public financial-services compliance source supports regulatory compliance and risk management workflows.",
      "strength": "partial",
      "evidence": [
        "NAVEX regulatory compliance and risk management for financial services, https://www.navex.com/en-us/resources/datasheets/regulatory-compliance-and-risk-management-financial-services/, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "navex-risk-manager",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public NAVEX One platform source supports compliance and risk workflows relevant to ICS evidence.",
      "strength": "partial",
      "evidence": [
        "NAVEX One platform, https://www.navex.com/en-us/platform/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finray-ordinis",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public Ordinis source supports controls as operational objects, evidence capture, tasks, control cycles and attestations.",
      "strength": "partial",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finray-ordinis",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public Ordinis source supports approvals, attestations and audit evidence relevant to SoD and internal-audit evidence.",
      "strength": "partial",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "FINMA Circular 2017/01 Corporate governance - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "finray-ordinis",
      "target": "regulator-interaction-evidence",
      "type": "implements",
      "label": "Public Ordinis source supports audit evidence and governance workflows that can feed supervisory packs.",
      "strength": "partial",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "FINMA official website, https://www.finma.ch/en/, accessed 2026-04-30"
      ]
    },
    {
      "source": "finray-ordinis",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public Ordinis source supports governance and risk workflows, but FINMA resilience-specific architecture requires vendor outreach to confirm.",
      "strength": "partial",
      "evidence": [
        "Finray Ordinis, https://finray.tech/platforms/ordinis/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-grc-toolbox",
      "target": "ics-evidence-bundle",
      "type": "implements",
      "label": "Public Swiss GRC source supports internal-control software and ICS process automation.",
      "strength": "partial",
      "evidence": [
        "Swiss GRC Internal Control Software ICS, https://swissgrc.com/en/internal-control-software-ics/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-grc-toolbox",
      "target": "operational-risk-resilience-evidence",
      "type": "implements",
      "label": "Public sources support risk management and operational resilience software relevant to resilience evidence.",
      "strength": "partial",
      "evidence": [
        "Swiss GRC Risk Management Software, https://swissgrc.com/en/risk-management-software/, accessed 2026-04-30",
        "Swiss GRC Operational Resilience Software, https://swissgrc.com/en/operational-resilience-software/, accessed 2026-04-30",
        "FINMA Circular 2023/01 Operational risks and resilience - banks, https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-grc-toolbox",
      "target": "outsourcing-register-materiality",
      "type": "implements",
      "label": "Public source supports TPRM software relevant to outsourcing evidence.",
      "strength": "partial",
      "evidence": [
        "Swiss GRC TPRM Software, https://swissgrc.com/en/tprm-software/, accessed 2026-04-30",
        "FINMA Circular 2018/03 Outsourcing, https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en [stale — older than 2024], accessed 2026-04-30"
      ]
    },
    {
      "source": "swiss-grc-toolbox",
      "target": "internal-audit-sod",
      "type": "implements",
      "label": "Public source supports internal audit software relevant to assurance evidence.",
      "strength": "partial",
      "evidence": [
        "Swiss GRC Internal Audit Software, https://swissgrc.com/en/internal-audit-software/, accessed 2026-04-30",
        "COSO Internal Control - Integrated Framework, https://www.coso.org/guidance-on-ic [stale — older than 2024], accessed 2026-04-30"
      ]
    }
  ],
  "legend": {
    "firm-segment": {
      "color": "#3B82F6",
      "shape": "round-rectangle",
      "note": "Buyer profile; entry edges use the 'requires' type with null strength."
    },
    "regulator": {
      "color": "#0F766E",
      "shape": "hexagon",
      "note": "Regulatory authority included as context, not a software evaluator."
    },
    "regulation": {
      "color": "#DC2626",
      "shape": "diamond",
      "note": "Binding legal instrument, ordinance or FINMA circular."
    },
    "standard": {
      "color": "#7C3AED",
      "shape": "triangle",
      "note": "Technical or methodological control reference."
    },
    "control": {
      "color": "#F59E0B",
      "shape": "rectangle",
      "note": "Buyer-side RFP control or evidence bundle."
    },
    "vendor": {
      "color": "#64748B",
      "shape": "ellipse",
      "note": "Software company or contracting counterparty."
    },
    "product": {
      "color": "#16A34A",
      "shape": "octagon",
      "note": "Named product, kept separate from its vendor entity and linked to it by a 'produced-by' edge."
    }
  }
}