GRC — Governance, Risk & Compliance
GRC Module
Islamic Open Finance™ includes a native Governance, Risk & Compliance (GRC) module that provides enterprise-grade risk management, audit tracking, evidence management, and Shariah governance capabilities.
Overview
The GRC module ships with seven compliance frameworks out of the box (95 reference controls in total):
| Framework | Standard | Controls |
|---|---|---|
| SOC2 Type II | AICPA Trust Services Criteria | 23 controls |
| GDPR | EU General Data Protection Regulation | 15 controls |
| PSD2 | EU Payment Services Directive | 9 controls |
| ISO 27001 | Information Security Management | 16 controls |
| ISO 20022 | Financial Messaging Standards | 7 controls |
| AAOIFI | Shariah Standards (SS-8 through GS-7) | 16 controls |
| IFSB | Prudential Standards (IFSB-1 through IFSB-19) | 9 controls |
Key Capabilities
Risk Assessments (ISO 31000)
5×5 risk matrix scoring with inherent (before controls) and residual (after controls) risk tracking:
- Severity levels: Critical, High, Medium, Low, Info
- Likelihood levels: Almost Certain, Likely, Possible, Unlikely, Rare
- Risk score: Severity × Likelihood, each level weighted from 5 (highest) down to 1 (lowest), giving a score of 1–25
- Risk bands: Critical (20–25), High (12–19), Medium (5–11), Low (1–4)
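The scoring and banding rules above, written out as an added example. This is not the @iof/grc-core code: the function names (scoreRisk, bandFor, assessRisk, summarizeRisks), the field names, the numeric weights (5 down to 1 for each scale, which is the only mapping that yields the page's 1–25 range) and the rule that residual risk may not exceed inherent risk are assumptions of this example. It also produces the per-band counts and average residual score that the GRC dashboard reports.

```typescript
// Added example: a hypothetical re-implementation of the 5×5 scoring this page describes.
// It is not the @iof/grc-core code; the function and field names are assumptions.

type Severity = "Critical" | "High" | "Medium" | "Low" | "Info";
type Likelihood = "Almost Certain" | "Likely" | "Possible" | "Unlikely" | "Rare";
type RiskBand = "Critical" | "High" | "Medium" | "Low";

// Assumed weights: the top level of each scale is 5, the bottom is 1, so the
// product spans 1–25 as the page states.
const SEVERITY_WEIGHT: Record<Severity, number> = {
  Critical: 5, High: 4, Medium: 3, Low: 2, Info: 1,
};
const LIKELIHOOD_WEIGHT: Record<Likelihood, number> = {
  "Almost Certain": 5, Likely: 4, Possible: 3, Unlikely: 2, Rare: 1,
};

function scoreRisk(severity: Severity, likelihood: Likelihood): number {
  return SEVERITY_WEIGHT[severity] * LIKELIHOOD_WEIGHT[likelihood];
}

// Bands exactly as listed on the page: Critical 20–25, High 12–19, Medium 5–11, Low 1–4.
function bandFor(score: number): RiskBand {
  if (!Number.isInteger(score) || score < 1 || score > 25) {
    throw new RangeError(`risk score must be an integer in 1..25, got ${score}`);
  }
  if (score >= 20) return "Critical";
  if (score >= 12) return "High";
  if (score >= 5) return "Medium";
  return "Low";
}

interface RiskRating { severity: Severity; likelihood: Likelihood }

interface RiskAssessmentInput {
  id: string;
  title: string;
  inherent: RiskRating;  // rating before controls
  residual: RiskRating;  // rating after controls
}

interface ScoredRisk {
  id: string;
  title: string;
  inherentScore: number;
  inherentBand: RiskBand;
  residualScore: number;
  residualBand: RiskBand;
}

function assessRisk(input: RiskAssessmentInput): ScoredRisk {
  const inherentScore = scoreRisk(input.inherent.severity, input.inherent.likelihood);
  const residualScore = scoreRisk(input.residual.severity, input.residual.likelihood);
  // Sanity check (an assumption of this example, not a rule stated on the page):
  // controls can only reduce risk, so residual must not exceed inherent.
  if (residualScore > inherentScore) {
    throw new Error(`${input.id}: residual score ${residualScore} exceeds inherent ${inherentScore}`);
  }
  return {
    id: input.id,
    title: input.title,
    inherentScore,
    inherentBand: bandFor(inherentScore),
    residualScore,
    residualBand: bandFor(residualScore),
  };
}

// Dashboard-style summary: residual counts per band plus the average residual score (2 dp).
interface RiskSummary { counts: Record<RiskBand, number>; averageResidual: number }

function summarizeRisks(risks: ScoredRisk[]): RiskSummary {
  const counts: Record<RiskBand, number> = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  let total = 0;
  for (const r of risks) {
    counts[r.residualBand] += 1;
    total += r.residualScore;
  }
  const averageResidual = risks.length === 0 ? 0 : Math.round((total / risks.length) * 100) / 100;
  return { counts, averageResidual };
}

// Constructed sample register (not real data).
const SAMPLE_RISKS: RiskAssessmentInput[] = [
  { id: "RISK-001", title: "Unencrypted backups of customer PII",
    inherent: { severity: "Critical", likelihood: "Likely" },      // 5×4 = 20, Critical
    residual: { severity: "High", likelihood: "Possible" } },      // 4×3 = 12, High
  { id: "RISK-002", title: "Stale access reviews for treasury system",
    inherent: { severity: "Medium", likelihood: "Possible" },      // 3×3 = 9, Medium
    residual: { severity: "Low", likelihood: "Unlikely" } },       // 2×2 = 4, Low
  { id: "RISK-003", title: "Murabaha contract missing Shariah board sign-off",
    inherent: { severity: "High", likelihood: "Almost Certain" },  // 4×5 = 20, Critical
    residual: { severity: "Medium", likelihood: "Unlikely" } },    // 3×2 = 6, Medium
];

function scoreSampleRegister(): { risks: ScoredRisk[]; summary: RiskSummary } {
  const risks = SAMPLE_RISKS.map(assessRisk);
  return { risks, summary: summarizeRisks(risks) };
}
```

The band boundaries are the part worth testing: 12 is High but 11 is Medium, 20 is Critical but 19 is High, and a score outside 1–25 is rejected rather than silently banded, so a malformed assessment cannot land in "Low" by accident.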
Audit Findings & Remediation
Track audit findings from discovery through remediation:
- Finding severity: Critical, Major, Minor, Observation
- Remediation status: Open → In Progress → Resolved / Accepted / Deferred
- Link findings to specific controls and risk assessments
- Track remediation plans with due dates and owners
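The remediation workflow above as an added example of the check an update endpoint should enforce server-side. This is not the @iof/grc-core code: the status names follow the page, but the transition table (only the arrows the page lists; terminal states cannot be left), the field names, and the rule that only Open or In Progress items past their due date count as overdue are assumptions of this example.

```typescript
// Added example: a hypothetical remediation workflow, not @iof/grc-core code.
// Status names follow the page; the transition table, field names and the
// overdue rule are assumptions of this example.

type RemediationStatus = "Open" | "In Progress" | "Resolved" | "Accepted" | "Deferred";

// Open → In Progress → Resolved / Accepted / Deferred. Nothing leaves a terminal state here.
const ALLOWED: Record<RemediationStatus, RemediationStatus[]> = {
  Open: ["In Progress"],
  "In Progress": ["Resolved", "Accepted", "Deferred"],
  Resolved: [],
  Accepted: [],
  Deferred: [],
};

interface RemediationPlan {
  id: string;
  findingId: string;
  owner: string;
  dueDate: string;   // ISO 8601 date
  status: RemediationStatus;
  history: { status: RemediationStatus; at: string; by: string }[];
}

// What a PATCH /grc/remediations/:id handler would do before persisting: validate
// the transition against the workflow instead of trusting whatever status the
// client sends, and append an audit-trail entry for every accepted change.
function transition(plan: RemediationPlan, next: RemediationStatus, by: string, at: Date): RemediationPlan {
  if (!ALLOWED[plan.status].includes(next)) {
    throw new Error(`${plan.id}: transition ${plan.status} -> ${next} not allowed`);
  }
  return {
    ...plan,
    status: next,
    history: [...plan.history, { status: next, at: at.toISOString(), by }],
  };
}

const OPEN_STATUSES: RemediationStatus[] = ["Open", "In Progress"];

// Overdue = still open (Open or In Progress) and past its due date. Deferred items
// are excluded on the assumption that deferral re-baselines the due date.
function isOverdue(plan: RemediationPlan, now: Date): boolean {
  return OPEN_STATUSES.includes(plan.status) && new Date(plan.dueDate).getTime() < now.getTime();
}

// Dashboard metric: IDs of overdue remediations.
function overdueRemediations(plans: RemediationPlan[], now: Date): string[] {
  return plans.filter((p) => isOverdue(p, now)).map((p) => p.id);
}

// Constructed sample data (not real findings).
const SAMPLE_PLANS: RemediationPlan[] = [
  { id: "REM-1", findingId: "FND-10", owner: "alice", dueDate: "2024-01-15", status: "Open", history: [] },
  { id: "REM-2", findingId: "FND-11", owner: "bob", dueDate: "2024-03-01", status: "In Progress", history: [] },
  { id: "REM-3", findingId: "FND-12", owner: "carol", dueDate: "2024-01-01", status: "Resolved", history: [] },
  { id: "REM-4", findingId: "FND-13", owner: "dave", dueDate: "2024-01-10", status: "Deferred", history: [] },
];

function demoRemediations(): { overdue: string[]; closed: RemediationPlan } {
  const now = new Date("2024-02-01T00:00:00Z");
  // Walk REM-1 through the full workflow: Open -> In Progress -> Resolved.
  const started = transition(SAMPLE_PLANS[0], "In Progress", "alice", now);
  const closed = transition(started, "Resolved", "alice", new Date("2024-02-10T00:00:00Z"));
  return { overdue: overdueRemediations(SAMPLE_PLANS, now), closed };
}
```

Keeping the transition table on the server is the point: if the client can PATCH a finding straight from Open to Accepted, the "accepted risk" sign-off step that the workflow exists to record is skipped.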
Evidence Management
Collect and track compliance evidence for controls:
- Evidence types: Documents, screenshots, log exports, config snapshots, test results, attestations, audit reports, policy documents, Shariah certificates
- Link evidence to controls; each item records a SHA-256 content hash so that later modification of the stored artefact can be detected
- Track evidence collection dates and expiry
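What the content hash buys you, as an added example that is not the @iof/grc-core implementation: record the SHA-256 digest when evidence is collected, re-hash the stored artefact on read, and refuse to count an item as valid if the digest no longer matches or the item has expired. The field names, the `valid`/`expired`/`tampered` status values, the control identifiers and the sample artefacts are all constructed for this example.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example: hypothetical evidence-integrity helpers, not the @iof/grc-core
// implementation. Field names, status values, control IDs and the expiry rule
// are assumptions of this example.

type EvidenceType =
  | "document" | "screenshot" | "log_export" | "config_snapshot" | "test_result"
  | "attestation" | "audit_report" | "policy_document" | "shariah_certificate";

interface EvidenceItem {
  id: string;
  controlId: string;     // identifier of the control this evidence supports (made up here)
  type: EvidenceType;
  sha256: string;        // lowercase hex digest of the artefact bytes at collection time
  collectedAt: string;   // ISO 8601
  expiresAt?: string;    // ISO 8601; undefined means the evidence does not expire
}

function sha256Hex(bytes: Uint8Array): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// Record the digest when the artefact is collected (cf. POST /grc/evidence).
function registerEvidence(meta: Omit<EvidenceItem, "sha256">, bytes: Uint8Array): EvidenceItem {
  return { ...meta, sha256: sha256Hex(bytes) };
}

// Re-hash the stored artefact and compare against the recorded digest. The length
// check matters: timingSafeEqual throws on unequal lengths, and a malformed stored
// digest decodes to a short buffer, which must read as "does not verify", not crash.
function verifyEvidence(item: EvidenceItem, bytes: Uint8Array): boolean {
  const expected = Buffer.from(item.sha256, "hex");
  const actual = Buffer.from(sha256Hex(bytes), "hex");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

type EvidenceStatus = "valid" | "expired" | "tampered";

function evidenceStatus(item: EvidenceItem, bytes: Uint8Array, now: Date): EvidenceStatus {
  if (!verifyEvidence(item, bytes)) return "tampered";   // integrity first: a bad hash is never "valid"
  if (item.expiresAt !== undefined && new Date(item.expiresAt).getTime() <= now.getTime()) return "expired";
  return "valid";
}

// "Does this control currently have usable evidence?" (cf. GET /grc/evidence/control/:controlId)
function controlHasValidEvidence(
  items: EvidenceItem[], artefacts: Map<string, Uint8Array>, controlId: string, now: Date,
): boolean {
  return items.some((item) => {
    const bytes = artefacts.get(item.id);
    return item.controlId === controlId && bytes !== undefined && evidenceStatus(item, bytes, now) === "valid";
  });
}

// Constructed sample artefacts (not real evidence).
const enc = new TextEncoder();
const SNAPSHOT = enc.encode("PasswordAuthentication no\nPermitRootLogin no\n");
const ATTESTATION = enc.encode("Access review Q3 signed off by CISO\n");
const LOG_EXPORT = enc.encode("2024-09-01T10:00:00Z auth ok user=alice\n");

function demoEvidence(): Record<string, EvidenceStatus> {
  const collected = "2024-09-01T00:00:00Z";
  const snapshot = registerEvidence(
    { id: "EV-1", controlId: "CTRL-ISO27001-09", type: "config_snapshot", collectedAt: collected }, SNAPSHOT);
  const attestation = registerEvidence(
    { id: "EV-2", controlId: "CTRL-SOC2-CC6", type: "attestation", collectedAt: collected, expiresAt: "2024-12-01T00:00:00Z" }, ATTESTATION);
  const logExport = registerEvidence(
    { id: "EV-3", controlId: "CTRL-SOC2-CC7", type: "log_export", collectedAt: collected }, LOG_EXPORT);

  const now = new Date("2025-01-15T00:00:00Z");
  // Simulate a log export edited after collection: one byte changed.
  const tamperedLog = Uint8Array.from(LOG_EXPORT);
  tamperedLog[0] = 0x33;
  return {
    [snapshot.id]: evidenceStatus(snapshot, SNAPSHOT, now),          // valid
    [attestation.id]: evidenceStatus(attestation, ATTESTATION, now), // expired (past 2024-12-01)
    [logExport.id]: evidenceStatus(logExport, tamperedLog, now),     // tampered
  };
}
```

Two design points: integrity is checked before expiry, so a tampered artefact is never reported as merely expired, and a corrupt or truncated stored digest fails closed rather than throwing inside the request handler.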
Shariah Governance
Dedicated Shariah governance capabilities for Islamic financial institutions:
- Board Decisions: Record fatwas, board resolutions, product approvals with vote tracking (For/Against/Abstain per member)
- Annual Shariah Audits: Track audit opinions (Compliant, Qualified, Adverse, Disclaimer, Partially Compliant)
- AAOIFI Standards: Map controls to specific Shariah Standards (SS-8 Murabaha, SS-9 Ijarah, etc.)
- IFSB Prudential: Capital adequacy, risk management, corporate governance standards
GRC Dashboard
Real-time compliance dashboard with metrics per framework:
- Overall compliance percentage
- Per-framework implementation status (controls implemented, effective, failed, not started)
- Risk summary (critical/high/medium/low counts, average residual score)
- Open findings and overdue remediations
- Shariah governance status (pending decisions, latest audit opinion)
API Endpoints
All GRC endpoints are mounted under /api/v1/grc/; the paths below are relative to /api/v1:
| Method | Endpoint | Description |
|---|---|---|
| GET | /grc/risks | List risk assessments |
| POST | /grc/risks | Create risk assessment |
| GET | /grc/risks/:id | Get risk assessment |
| GET | /grc/findings | List audit findings |
| POST | /grc/findings | Create audit finding |
| GET | /grc/remediations | List remediation plans |
| POST | /grc/remediations | Create remediation plan |
| PATCH | /grc/remediations/:id | Update remediation plan |
| GET | /grc/evidence | List evidence items |
| POST | /grc/evidence | Upload evidence metadata |
| GET | /grc/evidence/control/:controlId | Evidence for a control |
| GET | /grc/shariah/decisions | List Shariah board decisions |
| POST | /grc/shariah/decisions | Record Shariah board decision |
| GET | /grc/shariah/audits | List annual Shariah audits |
| POST | /grc/shariah/audits | Record annual Shariah audit |
| GET | /grc/dashboard | GRC dashboard metrics |
| GET | /grc/frameworks | List framework templates (public) |
Architecture
```text
@iof/grc-core (package)
├── types/     — TypeScript type definitions
├── schemas/   — Zod validation schemas
├── services/  — Framework registry with 95 reference controls
└── utils/     — Risk scoring, compliance percentage calculation

services/rail-api/src/routes/grc.ts (API routes)
└── Hono routes mounted at /api/v1/grc/*

packages/db-core/prisma/schema.prisma (database)
└── 14 GRC tables with proper indexes and relations
```
Compliance Explorer
The Compliance Explorer app (apps/compliance-explorer) provides a visual dashboard for the GRC module at /grc:
- Framework compliance overview with progress bars
- Risk assessment list with severity badges
- Audit findings timeline
- Shariah governance decision log
Package
Install via workspace: @iof/grc-core
```ts
import {
  calculateRiskScore,
  classifyRiskScore,
  getAllFrameworks,
  type RiskAssessment,
  type GrcDashboard,
} from "@iof/grc-core";
```