Swiss FINMA GRC and ICS software

Decision graph for Swiss banks, securities firms and asset managers selecting Governance/Risk/Compliance and Internal Control System software under FINMASA, FINMA Circulars 08/24, 17/01, 18/03, 23/01, AMLA and FADP. Vendor-neutral; Ordinis recused from ranking.

Cluster: Ordinis
Published: 2026-05-01
Disclosure: Finray product recused from ranking

The Swiss FINMA GRC and ICS software graph maps the decision a FINMA-supervised firm faces when assembling its governance, risk, compliance, and internal control stack: regulatory anchors (FINMASA, FINMA Circulars 08/24, 17/01, 18/03, 23/01, AMLA, FADP, plus DORA-equivalent operational-resilience expectations), the controls those anchors require (ICS framework, outsourcing register, AML monitoring, operational risk, audit evidence, data protection), and the vendor products that implement those controls today.

The graph is vendor-neutral on every category in which Finray Technologies Ltd does not ship a product. Ordinis is Finray’s GRC/ICS platform; it is recused from any ranking, scoring, or “best of” recommendation and is included as a referenced product node only. Every product node carries its primary-source URL with an accessed-date suffix; gaps are flagged as [evidence pending — vendor outreach required] rather than filled by inference.

Click any node or edge to inspect its evidence. The legend, top-right of the canvas, maps node colour to type. Pan with click-drag; zoom with the wheel; reset with double-click on background.

Layout: cose
Nodes: 82
Edges: 180
Last reviewed: 2026-04-30
Evidence cutoff: 2026-04-30
Pending outreach: 48

Legend (node types):
  • firm-segment
  • regulator
  • regulation
  • standard
  • control
  • vendor
  • product
  • finray product (COI)

Reference index

The interactive decision graph above and the tables below cover the same data. The graph is for visual exploration; the tables index every regulation, standard, control, vendor and product in plain text with primary-source links — for search engines, citation tools and readers who prefer linear reading.

Regulatory anchors and supervisory standards

The legal instruments and supervisory standards an institution in this segment must satisfy. Each row links to the primary source — official journal page, supervisor circular, or standards body — with the date the source was last accessed.

Regulatory anchors and supervisory standards covered in this radar, with primary-source links.

| Anchor | Type | Scope | Primary source |
|---|---|---|---|
| FINMASA | Regulation | Federal Act on the Swiss Financial Market Supervisory Authority. | View source |
| BankG | Regulation | Swiss Banking Act. | View source |
| FINIG | Regulation | Swiss Financial Institutions Act. | View source |
| FINSA | Regulation | Swiss Financial Services Act. | View source |
| CISA | Regulation | Swiss Collective Investment Schemes Act. | View source |
| ISA | Regulation | Swiss Insurance Supervision Act. | View source |
| AMLA | Regulation | Swiss Anti-Money Laundering Act. | View source |
| AMLO | Regulation | Swiss Anti-Money Laundering Ordinance. | View source |
| FINMA Circular 2008/24 Supervision and internal control — banks | Regulation | Historical FINMA circular anchor for bank supervision and internal control. | View source |
| FINMA Circular 2017/01 Corporate governance — banks | Regulation | Current bank corporate-governance and internal-control reference retrieved for this session. | View source |
| FINMA Circular 2018/03 Outsourcing — banks and insurers | Regulation | FINMA outsourcing circular for banks and insurers. | View source |
| FINMA Circular 2023/01 Operational risks and resilience — banks | Regulation | FINMA operational-risk and resilience circular for banks, effective from 2024. | View source |
| Swiss FADP / DSG | Regulation | Revised Swiss Federal Act on Data Protection, in force from 1 September 2023. | View source |
| ISO/IEC 27001 / 27002 | Standard | Information-security management and control-reference standards. | View source |
| COSO 2013 Internal Control framework | Standard | Internal-control reference architecture for control environment, risk assessment, control activities, information/communication and monitoring. | View source |
| NIST Cybersecurity Framework 2.0 | Standard | Cybersecurity framework commonly mapped to risk and resilience controls. | View source |
| ISAE 3402 / SOC 2 | Standard | Assurance-report standards used in outsourcing and vendor-risk due diligence. | View source |
| BCBS 239 | Standard | Basel principles for risk data aggregation and risk reporting. | View source |

Controls

The control domains those regulatory anchors require. Each control sits at the intersection of one or more regulations and one or more vendor products that implement it.

Control domains required by the regulatory anchors above.

| Control | What it covers |
|---|---|
| ICS evidence bundle | Control register, testing, exceptions, attestations and remediation evidence for the internal control system. |
| Outsourcing register and material-outsourcing assessment | Register, materiality analysis, due diligence, audit rights, subcontracting, exit and concentration-risk evidence. |
| Operational-risk and resilience evidence | ICT risk, BCM, scenario testing, critical-function, incident and third-party concentration evidence. |
| AML/CFT evidence | KYC/CDD lifecycle, transaction-monitoring, investigations and suspicious-activity reporting evidence. |
| Data-protection evidence | DPIA, processing register, breach response, privacy incidents and data-protection governance evidence. |
| Internal audit and SoD | Internal audit workflows, 4-eyes controls, two-line/three-line ownership and periodic re-attestation evidence. |
| Regulator interaction evidence | FINMA audit reports, supervisory correspondence, ad-hoc notifications, action plans and supervisory disclosure packs. |

Vendors and products

Named vendors active in this control space and the specific products each ships. Listing is alphabetical within the graph's evidence set; inclusion is editorial, not commercial, and is not a recommendation. Finray Technologies Ltd ships products in this space and is recused from any ranking — see the methodology page for the conflict-of-interest framework.

Vendors and the specific products each ships into this control space.

MetricStream Inc.: MetricStream provides GRC and integrated risk management software. (Vendor site)
  • MetricStream M7 platform — Legacy MetricStream integrated risk platform product name. (product page)
  • MetricStream Risk Cloud — MetricStream risk management platform/product label to be verified. (product page)
  • MetricStream Operational Risk Management — MetricStream operational risk management product. (product page)
  • MetricStream Compliance Management — MetricStream compliance and regulatory compliance product. (product page)
  • MetricStream Internal Audit Management — MetricStream internal-audit product label requiring direct evidence confirmation. (product page)

ServiceNow Inc.: ServiceNow provides integrated risk, operational-risk and vendor-risk products on the Now Platform. (Vendor site)
  • ServiceNow IRM / GRC suite — ServiceNow integrated risk management and GRC suite. (product page)
  • ServiceNow Vendor Risk Management — ServiceNow vendor or third-party risk management product. (product page)
  • ServiceNow Operational Risk Management — ServiceNow operational risk management product. (product page)

Archer Integrated Risk Management: Archer provides integrated risk management products and risk quantification. (Vendor site)
  • Archer Suite — Archer integrated risk management suite. (product page)
  • Archer Insight — Archer risk quantification and prioritisation product. (product page)

Workiva Inc.: Workiva provides connected reporting, GRC, internal-control and audit-management software. (Vendor site)
  • Workiva Wdesk — Legacy Workiva Wdesk label for connected controls and reporting workflows. (product page)
  • Workiva Reporting — Workiva reporting and disclosure management capability. (product page)

AuditBoard / Optro: AuditBoard has rebranded as Optro and provides audit, risk and compliance software. (Vendor site)
  • AuditBoard CrossComply — AuditBoard CrossComply compliance product. (product page)
  • AuditBoard OpsAudit — AuditBoard OpsAudit internal audit product. (product page)
  • AuditBoard RiskOversight — AuditBoard RiskOversight product label requiring current public evidence confirmation. (product page)
  • AuditBoard / Optro ESG — Optro ESG product. (product page)

LogicGate Inc.: LogicGate provides the Risk Cloud GRC platform and configurable risk/compliance applications. (Vendor site)
  • LogicGate Risk Cloud — LogicGate Risk Cloud GRC platform. (product page)
  • LogicGate Regulatory Compliance Management — LogicGate regulatory compliance management solution. (product page)
  • LogicGate ERM — LogicGate enterprise risk management application. (product page)
  • LogicGate IT Risk — LogicGate IT-risk-adjacent capability within Risk Cloud. (product page)

Resolver / Kroll: Resolver provides risk intelligence, risk management and compliance management software and is part of Kroll. (Vendor site)
  • Resolver Risk — Resolver risk management product. (product page)
  • Resolver Compliance — Resolver compliance management product. (product page)

Diligent Corp.: Diligent provides Diligent One, HighBond, ESG and board-governance products. (Vendor site)
  • Diligent HighBond — Diligent HighBond GRC platform. (product page)
  • Diligent ESG — Diligent ESG reporting and governance product. (product page)
  • Diligent Boards — Diligent board management software. (product page)

OneTrust LLC: OneTrust provides privacy, third-party risk, technology risk and GRC-related products. (Vendor site)
  • OneTrust GRC / Tech Risk and Compliance — OneTrust technology risk and compliance/GRC capability. (product page)
  • OneTrust Privacy Operations — OneTrust privacy operations product. (product page)
  • OneTrust Third-Party Risk Management — OneTrust third-party risk management product. (product page)

SAI360: SAI360 provides integrated risk and compliance management software. (Vendor site)
  • SAI360 GRC platform — SAI360 integrated GRC platform. (product page)

IBM: IBM provides OpenPages as its GRC platform. (Vendor site)

NAVEX: NAVEX provides NAVEX One and legacy Lockpath risk/governance capabilities. (Vendor site)
  • Lockpath Keylight — Legacy Lockpath Keylight risk management platform. (product page)
  • NAVEX One Risk & Governance / Risk Manager — NAVEX One risk governance and compliance capability. (product page)

Finray Technologies Ltd: Finray provides infrastructure and control systems for regulated financial institutions, including Ordinis. Finray Technologies — recused from ranking. (Vendor site)
  • Ordinis — Finray Ordinis is a governance, risk, compliance, approvals and audit-evidence product. (product page)

Swiss GRC AG: Swiss GRC provides GRC Toolbox software from Switzerland. (Vendor site)
  • Swiss GRC Toolbox — Swiss GRC Toolbox GRC platform. (product page)

Certificate of Registration NQA · UKAS Management Systems
ISO/IEC 27001:2022 Certificate of Registration issued by NQA to Finray Technologies Ltd, certificate number 215646, valid 21 October 2025 to 21 October 2028