GRC & ERM — Risk Assessment & Regulatory Compliance | eBRP Solutions
GRC & ERM — risk & compliance

Risk assessment and compliance — embedded in your program data, not bolted on.

eBRP Suite integrates GRC and ERM natively into the BCM program architecture. Risk assessments live on each entity record. Regulatory mandates map to the processes and applications they govern. eRMA connects compliance gaps to operational impact — automatically.

Risk assessment methodology — per entity
01 Threat identification: What could disrupt this entity? Cyber, physical, supply chain, regulatory, weather, human.
02 Vulnerability assessment: How exposed is this entity to the identified threat? Current controls evaluated.
03 Impact rating: Financial · operational · regulatory · reputational impact if disruption occurs.
04 Likelihood scoring: Probability of the threat materializing given current vulnerability and controls.
05 Mitigation & status: Treatment defined and tracked as Open · Work in progress · Closed.
Risk status dashboard
Aggregated across all entities · Live · CRO and executive reporting ready
Entity-embedded risk model

Risk where it belongs — on the entity, not in a separate register.

In eBRP Suite, risk assessments live directly on each PPTDFS entity record — Process, Application, Location, Team, Supplier, or Data repository. Risk is always in context, always current, and always connected to the dependency chain that feeds plans, dashboards, and eRMA intelligence.

Processes & functions
Each business process carries its own threat assessment, impact ratings, RTO, and mitigation status — directly linked to plans and BIA data.
Regulatory compliance mapped here
Applications & IT services
Technology entities carry cyber risk assessments, availability commitments, dependency chain exposure, and linked DR plans.
Compliance mandates mapped here
Sites & locations
Physical locations assessed for geographic, physical security, and access threats — geo-positioned on the GIS map for spatial risk visualization.
Storm, geo & physical risk
People & teams
Teams assessed for key-person dependency, skill concentration, and availability risk — linked to staff availability dashboards and response plans.
Key-person & succession risk
Suppliers & vendors
Third-party dependencies assessed for concentration, contract, and geopolitical risk — linked to supply chain continuity plans.
Third-party & concentration risk
Data & systems
Data repositories and information systems assessed for confidentiality, integrity, and recoverability — linked to data protection and DR plans.
Data integrity & cyber risk
Risk status dashboard
All entity risk assessments aggregate in real time into the Risk Status Dashboard — Open, WIP, Closed — filtered by entity type, owner, or department.
Live · CRO-ready reporting
Risk propagation chain
A high-risk supplier or technology entity propagates its risk posture forward through dependent Processes and Services — cascading exposure surfaces automatically.
PPTDFS dependency chain
Regulatory compliance mapping

Compliance mandates mapped to the operations they govern.

Regulatory frameworks are mapped directly to the Process and Application entity records they apply to — creating a traceable, auditable compliance-to-operations linkage at the source of truth, not in a spreadsheet overlay.

Financial services compliance
DORA, FFIEC, Basel III, and SOX mandates mapped to payment, trading, and operational processes — with eRMA cascade analysis identifying service impact of any compliance gap.
DORA · FFIEC · Basel III · SOX
Federal & government
COOP, FISMA, NIST SP 800-34, and CISA mandates mapped to mission-critical processes and IT systems — with full audit trail for regulatory evidence submission.
COOP · FISMA · NIST SP 800-34 · CISA
Healthcare
HIPAA, HITECH, and Joint Commission standards mapped to clinical processes, EMR systems, and patient-facing applications — with BIA-driven recovery prioritization by criticality.
HIPAA · HITECH · Joint Commission · CMS
Utilities & energy
NERC CIP and FERC standards mapped to grid control, OT systems, and critical infrastructure processes — with GIS-enabled geographic scope analysis for regulatory jurisdictions.
NERC CIP · FERC · ISO 22301
International standards
ISO 22301 Business Continuity Management and ISO 27001 Information Security mapped across all entity types — supporting global program alignment and certification readiness.
ISO 22301 · ISO 27001 · ISO 31000
Environmental & safety
EH&S mandates, occupational safety requirements, and environmental regulations mapped to facility and operational process entities — with life-safety plan types built in Toolkit.
OSHA · EPA · EH&S · WHMIS
eRMA compliance cascade intelligence

From compliance gap to operational impact — in seconds.

eRMA connects the dots between regulatory requirements and operational reality. A compliance gap on a Process or Application entity traces forward through the PPTDFS dependency chain to identify every Service affected — automatically.

Compliance mandate identified
DORA Article 11 maps to Payment Processing (Process) and Core Banking System (Application) entities in Toolkit
↓ eRMA queries the PPTDFS dependency chain ↓
Risk & gap status surfaced
3 open mitigations on the Core Banking System entity flagged. 1 compliance control assessed as WIP. Exposure quantified.
↓ dependency chain traced forward ↓
Impacted services identified
eRMA identifies 4 downstream Services affected if this compliance gap results in a disruption event — ranked by criticality tier
↓ response path recommended ↓
Action and evidence produced
Remediation priority recommended. Compliance evidence package generated for regulatory submission. All traceable to entity-level audit log.
Example eRMA compliance queries
“What services are affected if we’re non-compliant with DORA Article 11?”
“Which processes have open compliance gaps vs. ISO 22301?”
“Generate compliance evidence package for FFIEC audit”
“Show risk status for all Tier-1 processes with open mitigations”
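The risk propagation chain and the compliance cascade above are both a forward traversal of the same dependency graph: an entity's risk posture flows to everything that depends on it, and a mandate with open gaps is traced forward to the Services it can take down. The following is an added illustration of that mechanism, written for this page; it is not eBRP or eRMA code. The entity names, tiers, mitigation statuses and the "DORA Art. 11" mapping are constructed sample data, and the 5x5 likelihood × impact rating and the "inherit the worst upstream rating" propagation rule are assumptions chosen for the example, not a description of how eRMA scores risk.

```python
"""Toy PPTDFS-style dependency chain: entity-level risk, forward propagation,
and a compliance-gap cascade query. Added illustration, not eBRP/eRMA code.
All sample entities and the mandate mapping are constructed; the 5x5 rating
and the max-of-upstream propagation rule are assumptions for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    kind: str                  # Process, Application, Supplier, Service, ...
    tier: int = 3              # criticality tier, 1 = most critical
    likelihood: int = 1        # likelihood scoring step, 1..5 (assumed scale)
    impact: int = 1            # impact rating step, 1..5 (assumed scale)
    mitigations: dict = field(default_factory=dict)  # treatment -> Open | WIP | Closed
    mandates: set = field(default_factory=set)       # mandate clauses mapped to this entity

    @property
    def inherent_risk(self) -> int:
        return self.likelihood * self.impact         # 1..25 risk-matrix product (assumption)

    def open_gaps(self) -> list:
        """Mitigations not yet Closed, i.e. Open or WIP."""
        return [m for m, status in self.mitigations.items() if status != "Closed"]


class DependencyChain:
    def __init__(self):
        self.entities = {}
        self.dependents = defaultdict(set)   # upstream -> entities that depend on it
        self.upstream = defaultdict(set)     # entity -> what it depends on

    def add(self, entity: Entity) -> Entity:
        self.entities[entity.name] = entity
        return entity

    def depends_on(self, downstream: str, upstream: str) -> None:
        """`downstream` needs `upstream`; risk flows upstream -> downstream."""
        self.dependents[upstream].add(downstream)
        self.upstream[downstream].add(upstream)

    def _reach(self, start: str, adjacency) -> set:
        """Breadth-first reachability over `adjacency`, excluding `start` (cycle-safe)."""
        seen, queue = set(), deque([start])
        while queue:
            for nxt in adjacency[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(start)
        return seen

    def propagated_risk(self, name: str) -> int:
        """An entity inherits the worst inherent rating found anywhere upstream of it."""
        own = self.entities[name].inherent_risk
        return max([own] + [self.entities[u].inherent_risk for u in self._reach(name, self.upstream)])

    def affected_services(self, mandate: str) -> list:
        """Entities mapped to `mandate` that carry open gaps, traced forward to every
        Service depending on them, ranked by criticality tier (then name)."""
        gapped = [e for e in self.entities.values() if mandate in e.mandates and e.open_gaps()]
        hit = set()
        for e in gapped:
            hit |= self._reach(e.name, self.dependents)
        services = [self.entities[n] for n in hit if self.entities[n].kind == "Service"]
        return sorted(services, key=lambda s: (s.tier, s.name))

    def dashboard(self, kind: str = None) -> dict:
        """Open / WIP / Closed counts across all entities, optionally filtered by entity type."""
        counts = {"Open": 0, "WIP": 0, "Closed": 0}
        for e in self.entities.values():
            if kind is None or e.kind == kind:
                for status in e.mitigations.values():
                    counts[status] += 1
        return counts


def build_sample() -> DependencyChain:
    """Constructed sample data loosely mirroring the page's cascade walkthrough."""
    c = DependencyChain()
    c.add(Entity("Core Banking System", "Application", tier=1, likelihood=3, impact=5,
                 mitigations={"MFA rollout": "Open", "Backup restore test": "WIP",
                              "Patch SLA": "Open", "DR runbook": "Closed"},
                 mandates={"DORA Art. 11"}))
    c.add(Entity("Payment Processing", "Process", tier=1, likelihood=2, impact=5,
                 mitigations={"Dual control": "Closed"}, mandates={"DORA Art. 11"}))
    c.add(Entity("Card Vendor", "Supplier", tier=2, likelihood=4, impact=4,
                 mitigations={"Second supplier": "Open"}))
    for name, tier in [("Domestic Payments", 1), ("Card Settlement", 1), ("Online Banking", 2),
                       ("Statement Archive", 3), ("HR Portal", 3)]:
        c.add(Entity(name, "Service", tier=tier))
    c.add(Entity("HR System", "Application"))          # unrelated branch, must stay unaffected
    for downstream, upstream in [("Payment Processing", "Core Banking System"),
                                 ("Online Banking", "Core Banking System"),
                                 ("Statement Archive", "Core Banking System"),
                                 ("Domestic Payments", "Payment Processing"),
                                 ("Card Settlement", "Payment Processing"),
                                 ("Card Settlement", "Card Vendor"), ("HR Portal", "HR System")]:
        c.depends_on(downstream, upstream)
    return c


if __name__ == "__main__":
    chain = build_sample()
    print("Open gaps on Core Banking System:", chain.entities["Core Banking System"].open_gaps())
    print("Services hit by a DORA Art. 11 gap:",
          [(s.name, s.tier) for s in chain.affected_services("DORA Art. 11")])
    print("Propagated risk, Card Settlement:", chain.propagated_risk("Card Settlement"))
    print("Dashboard:", chain.dashboard(), "| Applications only:", chain.dashboard("Application"))
```

Running it answers the first and last example queries above against the sample graph: the three non-Closed mitigations on Core Banking System make it a gapped DORA Art. 11 entity, the forward trace reaches four Services (Card Settlement and Domestic Payments in Tier 1 ahead of Online Banking and Statement Archive), and HR Portal, which sits on an unrelated branch, is never listed. The worth of keeping risk on the entity rather than in a separate register is visible in `propagated_risk`: Card Settlement's own rating is 1, but it inherits 16 from the Card Vendor supplier two hops upstream.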
GRC outputs available
Risk posture reports by entity type · Compliance mandate coverage matrix · Open mitigation tracking · Audit evidence packages · RTO compliance vs. regulatory commitments · eRMA cascade analysis reports
Supported frameworks

eBRP Suite aligns to the mandates your program is governed by.

Compliance mandates are mapped to entity records — not maintained as a separate compliance module — ensuring alignment is always live and always in context.

Framework | Relevance to eBRP | Sector
DORA | EU Digital Operational Resilience Act — ICT risk management, incident reporting, resilience testing, third-party dependency. eBRP maps DORA Article-level requirements to Process and Application entities, with eRMA cascade impact analysis. | Financial services
ISO 22301 | International BCM standard — full program lifecycle alignment. eBRP Suite is structured around ISO 22301 phases: Context → BIA → Strategy → Planning → Testing → Review. Audit evidence generated via eRMA. | All sectors
NIST SP 800-34 | US Federal contingency planning standard — COOP, IT recovery, and continuity plan requirements. eBRP on-premises deployment meets data handling requirements for Federal agencies. | Federal
FFIEC BCP | US financial institution business continuity guidelines — BIA, risk assessment, testing, and board oversight requirements. eBRP generates FFIEC-aligned reports and compliance evidence packages. | Financial services
HIPAA | Health information privacy and security — contingency plan, disaster recovery, and emergency access requirements mapped to clinical processes and EMR systems in eBRP Toolkit. | Healthcare
NERC CIP | North American electric reliability standards — critical infrastructure protection requirements mapped to grid, OT, and IT system entities. GIS capability supports geographic scope analysis. | Utilities
FISMA | Federal Information Security Management Act — security controls and continuity requirements. eBRP on-premises deployment and SSO/PKI authentication meet FISMA-aligned infosec requirements. | Federal

See how eBRP connects your compliance mandates to operational risk.

Request a demo and watch eRMA trace a compliance gap from a regulatory mandate through the PPTDFS dependency chain to impacted services — using your industry as the context.