# Swiss FINMA GRC and ICS software

Swiss banks, securities firms and asset managers under FINMASA, FINMA Circulars 2008/24, 2017/01, 2018/03 and 2023/01, AMLA and FADP must select GRC/ICS software that evidences control ownership, outsourcing, AML, operational-risk and audit work. This decision graph maps 82 nodes and 180 edges across seven controls, 14 vendors and 34 product nodes. Ordinis is recused from ranking.

- Source: https://finray.tech/intelligence/swiss-finma-grc-ics/
- Cluster: Ordinis
- Published: 2026-05-01
- Conflict of interest: Finray Technologies Ltd ships Ordinis. Ordinis is recused from any qualitative ranking on this page.
- Publisher: Finray Technologies Ltd, Cyprus Companies Registry HE 445903
- Editorial principle: primary sources only; conflicts of interest disclosed inline

---

The Swiss FINMA GRC and ICS software graph maps the decision a FINMA-supervised firm faces when assembling its governance, risk, compliance, and internal control stack: regulatory anchors (FINMASA, FINMA Circulars 08/24, 17/01, 18/03, 23/01, AMLA, FADP, plus DORA-equivalent operational-resilience expectations), the controls those anchors require (ICS framework, outsourcing register, AML monitoring, operational risk, audit evidence, data protection), and the vendor products that implement those controls today.

The graph is vendor-neutral on every category in which Finray Technologies Ltd does not ship a product. **Ordinis is Finray's GRC/ICS platform; it is recused from any ranking, scoring, or "best of" recommendation and is included as a referenced product node only.** Every product node carries its primary-source URL with an accessed-date suffix; gaps are flagged as `[evidence pending — vendor outreach required]` rather than filled by inference.


---

## Reference index

### Regulators (3)

- **FINMA** — https://www.finma.ch/en/ — Swiss Financial Market Supervisory Authority.
- **FDPIC** — https://www.edoeb.admin.ch/en — Swiss Federal Data Protection and Information Commissioner.
- **SNB** — https://www.snb.ch/en/the-snb/mandates-goals/financial-stability/swiss-banking-sector — Swiss National Bank financial-stability authority relevant to systemically important banks.

### Regulations (13)

- **FINMASA** — https://www.fedlex.admin.ch/eli/cc/2008/736/en — Federal Act on the Swiss Financial Market Supervisory Authority.
- **BankG** — https://www.fedlex.admin.ch/eli/cc/51/117_121_129/de — Swiss Banking Act.
- **FINIG** — https://www.fedlex.admin.ch/eli/cc/2018/801/en — Swiss Financial Institutions Act.
- **FINSA** — https://www.fedlex.admin.ch/eli/cc/2019/758/en — Swiss Financial Services Act.
- **CISA** — https://www.fedlex.admin.ch/eli/cc/2006/822/en — Swiss Collective Investment Schemes Act.
- **ISA** — https://www.fedlex.admin.ch/eli/cc/2005/734/de — Swiss Insurance Supervision Act.
- **AMLA** — https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en — Swiss Anti-Money Laundering Act.
- **AMLO** — https://www.fedlex.admin.ch/eli/cc/2015/791/en — Swiss Anti-Money Laundering Ordinance.
- **FINMA Circular 2008/24 Supervision and internal control — banks** — https://www.finma.ch/en/documentation/archiv/rundschreiben/archiv-2008/ — Historical FINMA circular anchor for bank supervision and internal control.
- **FINMA Circular 2017/01 Corporate governance — banks** — https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2017-01-20200101.pdf — Current bank corporate-governance and internal-control reference retrieved for this session.
- **FINMA Circular 2018/03 Outsourcing — banks and insurers** — https://www.finma.ch/en/~/media/finma/dokumente/rundschreiben-archiv/2018/rs-18-03/finma-rs-2018-03---20170921.pdf?la=en — FINMA outsourcing circular for banks and insurers.
- **FINMA Circular 2023/01 Operational risks and resilience — banks** — https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdf — FINMA operational-risk and resilience circular for banks, effective from 2024.
- **Swiss FADP / DSG** — https://www.fedlex.admin.ch/eli/cc/2022/491/en — Revised Swiss Federal Act on Data Protection, in force from 1 September 2023.

### Standards (5)

- **ISO/IEC 27001 / 27002** — https://www.iso.org/standard/27001 — Information-security management and control-reference standards.
- **COSO 2013 Internal Control framework** — https://www.coso.org/guidance-on-ic — Internal-control reference architecture for control environment, risk assessment, control activities, information/communication and monitoring.
- **NIST Cybersecurity Framework 2.0** — https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final — Cybersecurity framework commonly mapped to risk and resilience controls.
- **ISAE 3402 / SOC 2** — https://www.iaasb.org/publications/staff-overview-international-standard-assurance-engagements-isae-3402-assurance-reports-controls — Assurance-report standards used in outsourcing and vendor-risk due diligence.
- **BCBS 239** — https://www.bis.org/publ/bcbs239.htm — Basel principles for risk data aggregation and risk reporting.

### Controls (7)

- **ICS evidence bundle** — Control register, testing, exceptions, attestations and remediation evidence for the internal control system.
- **Outsourcing register and material-outsourcing assessment** — Register, materiality analysis, due diligence, audit rights, subcontracting, exit and concentration-risk evidence.
- **Operational-risk and resilience evidence** — ICT risk, BCM, scenario testing, critical-function, incident and third-party concentration evidence.
- **AML/CFT evidence** — KYC/CDD lifecycle, transaction-monitoring, investigations and suspicious-activity reporting evidence.
- **Data-protection evidence** — DPIA, processing register, breach response, privacy incidents and data-protection governance evidence.
- **Internal audit and SoD** — Internal audit workflows, four-eyes controls, two-line/three-line ownership and periodic re-attestation evidence.
- **Regulator interaction evidence** — FINMA audit reports, supervisory correspondence, ad-hoc notifications, action plans and supervisory disclosure packs.

### Vendors and products (14)

- **MetricStream Inc.** — https://www.metricstream.com/ — MetricStream provides GRC and integrated risk management software.
  - MetricStream M7 platform (https://www.metricstream.com/pressNews/pr-956-MetricStream-launches-M7-integrated-risk-platform.htm): Legacy MetricStream integrated risk platform product name.
  - MetricStream Risk Cloud (https://www.metricstream.com/platform.htm): MetricStream risk management platform/product label to be verified.
  - MetricStream Operational Risk Management (https://www.metricstream.com/products/operational-risk-management.htm): MetricStream operational risk management product.
  - MetricStream Compliance Management (https://www.metricstream.com/products/compliance-management.htm): MetricStream compliance and regulatory compliance product.
  - MetricStream Internal Audit Management (https://www.metricstream.com/): MetricStream internal-audit product label requiring direct evidence confirmation.
- **ServiceNow Inc.** — https://www.servicenow.com/ — ServiceNow provides integrated risk, operational-risk and vendor-risk products on the Now Platform.
  - ServiceNow IRM / GRC suite (https://www.servicenow.com/products/integrated-risk-management.html): ServiceNow integrated risk management and GRC suite.
  - ServiceNow Vendor Risk Management (https://www.servicenow.com/uk/products/vendor-risk-management.html): ServiceNow vendor or third-party risk management product.
  - ServiceNow Operational Risk Management (https://www.servicenow.com/products/operational-risk-management.html): ServiceNow operational risk management product.
- **Archer Integrated Risk Management** — https://www.archerirm.com/ — Archer provides integrated risk management products and risk quantification.
  - Archer Suite (https://help.archerirm.cloud/platform_2024_11/en-us/content/shared_topics/archer_suite.htm): Archer integrated risk management suite.
  - Archer Insight (https://www.archerirm.com/archer-insight-risk-quantification): Archer risk quantification and prioritisation product.
- **Workiva Inc.** — https://www.workiva.com/ — Workiva provides connected reporting, GRC, internal-control and audit-management software.
  - Workiva Wdesk (https://www.workiva.com/resources/implementation-guide-sox-controls-management): Legacy Workiva Wdesk label for connected controls and reporting workflows.
  - Workiva Reporting (https://www.workiva.com/resources/workiva-financial-reporting-and-disclosure-management): Workiva reporting and disclosure management capability.
- **AuditBoard / Optro** — https://optro.ai/ — AuditBoard has rebranded as Optro and provides audit, risk and compliance software.
  - AuditBoard CrossComply (https://auditboard.com/blog/auditboard-announces-crosscomply?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=): AuditBoard CrossComply compliance product.
  - AuditBoard OpsAudit (https://resources.optro.ai/opsaudit-live-may.html?utm_campaign=&utm_content=&utm_medium=&utm_offer=%3Fwtime&utm_source=): AuditBoard OpsAudit internal audit product.
  - AuditBoard RiskOversight (https://optro.ai/): AuditBoard RiskOversight product label requiring current public evidence confirmation.
  - AuditBoard / Optro ESG (https://optro.ai/product/esg): Optro ESG product.
- **LogicGate Inc.** — https://www.logicgate.com/ — LogicGate provides the Risk Cloud GRC platform and configurable risk/compliance applications.
  - LogicGate Risk Cloud (https://www.logicgate.com/platform/): LogicGate Risk Cloud GRC platform.
  - LogicGate Regulatory Compliance Management (https://www.logicgate.com/solutions/regulatory-compliance-management/): LogicGate regulatory compliance management solution.
  - LogicGate ERM (https://www.logicgate.com/platform/applications/enterprise-risk-management-application/): LogicGate enterprise risk management application.
  - LogicGate IT Risk (https://www.logicgate.com/solutions/team/risk-management/): LogicGate IT-risk-adjacent capability within Risk Cloud.
- **Resolver / Kroll** — https://www.resolver.com/ — Resolver provides risk intelligence, risk management and compliance management software and is part of Kroll.
  - Resolver Risk (https://www.resolver.com/grc-software/risk-management/): Resolver risk management product.
  - Resolver Compliance (https://www.resolver.com/grc-software/compliance-management/): Resolver compliance management product.
- **Diligent Corp.** — https://www.diligent.com/ — Diligent provides Diligent One, HighBond, ESG and board-governance products.
  - Diligent HighBond (https://www.diligent.com/-/media/project/diligent/master/landing-pages/rsa-conference-2022/product-sheet--highbond-platform.pdf?hash=A93B6B2E3B646ECBEEE3904DC21813E8&rev=d7b454b0-e2c2-455d-92e0-94508fa8c2d4): Diligent HighBond GRC platform.
  - Diligent ESG (https://www.diligent.com/products/diligent-esg): Diligent ESG reporting and governance product.
  - Diligent Boards (https://www.diligent.com/lp/board-management-software-enterprise): Diligent board management software.
- **OneTrust LLC** — https://www.onetrust.com/ — OneTrust provides privacy, third-party risk, technology risk and GRC-related products.
  - OneTrust GRC / Tech Risk and Compliance (https://www.onetrust.com/solutions/tech-risk-and-compliance/): OneTrust technology risk and compliance/GRC capability.
  - OneTrust Privacy Operations (https://www.onetrust.com/products/privacy-operations/): OneTrust privacy operations product.
  - OneTrust Third-Party Risk Management (https://www.onetrust.com/products/third-party-risk-management/): OneTrust third-party risk management product.
- **SAI360** — https://www.sai360.com/ — SAI360 provides integrated risk and compliance management software.
  - SAI360 GRC platform (https://www.sai360.com/solutions/integrated-grc): SAI360 integrated GRC platform.
- **IBM** — https://www.ibm.com/products/openpages — IBM provides OpenPages as its GRC platform.
  - IBM OpenPages (https://www.ibm.com/products/openpages): IBM OpenPages GRC platform.
- **NAVEX** — https://www.navex.com/en-us/ — NAVEX provides NAVEX One and legacy Lockpath risk/governance capabilities.
  - Lockpath Keylight (https://www.navex.com/en-us/company/press-room/navex-global-announces-upgrade-to-lockpath-risk-management-platform/): Legacy Lockpath Keylight risk management platform.
  - NAVEX One Risk & Governance / Risk Manager (https://www.navex.com/en-us/platform/risk-governance-irm/): NAVEX One risk governance and compliance capability.
- **Finray Technologies Ltd** — https://finray.tech/ — Finray provides infrastructure and control systems for regulated financial institutions, including Ordinis.
  - Ordinis (https://finray.tech/platforms/ordinis/): Finray Ordinis is a governance, risk, compliance, approvals and audit-evidence product.
- **Swiss GRC AG** — https://swissgrc.com/en/ — Swiss GRC provides GRC Toolbox software from Switzerland.
  - Swiss GRC Toolbox (https://swissgrc.com/en/): Swiss GRC Toolbox GRC platform.
