# ️ GRC Process - Full Lifecycle Analysis

## Executive summary

This notebook consolidates the current GRC platform state, identifies readiness gaps, and provides an actionable roadmap to reach a regulator-ready operating cadence for Saudi Arabia (KSA).

**Current state (from service inventory):** core Onboarding, Framework, Planning, Evidence, Reporting, and Attestation are complete; Assessment, Control, Risk, Compliance, and Resilience require incremental hardening to close the lifecycle.

**Immediate priorities:** (1) eliminate any mock/placeholder persistence paths, (2) close security exposures on risk data, (3) complete workflow methods so items can move end‑to‑end, and (4) standardize scoring to avoid inconsistent risk/compliance outcomes.


## 1) Purpose, scope, and definitions

**Purpose**
- Provide a single, auditable reference for how the platform supports a full GRC lifecycle.
- Translate the lifecycle into concrete operating procedures and an implementation backlog.

**Scope**
- KSA regulator-aligned GRC operations: framework selection, assessments, evidence, risk, controls, compliance reporting, and attestation.
- Platform configuration and data-population requirements.

**Key definitions**
- **Framework requirement**: a control/requirement statement sourced from a regulator or standard.
- **Control**: an organizational safeguard mapped to one or more framework requirements.
- **Evidence**: an artifact proving control design/operation; lifecycle-managed and approval-gated.
- **Risk**: a quantified exposure (likelihood/impact) mapped to assets, controls, and mitigations.


## 2) Business purpose and regulatory business cycle (KSA)

```text
┌─────────────────────────────────────────────────────────────────────────────────┐
│                     KSA GRC COMPLIANCE BUSINESS CYCLE                           │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                 │
│   REGULATORS           YOUR ORGANIZATION           OUTCOME                      │
│   ──────────           ─────────────────           ───────                      │
│   NCA (ECC/CSCC)  ──▶  Framework Selection  ──▶   Compliance Certificate       │
│   SAMA (CSF)      ──▶  Control Assessment   ──▶   Regulator Reports            │
│   SDAIA (PDPL)    ──▶  Evidence Collection  ──▶   Risk Reduction               │
│   CST (Telecom)   ──▶  Gap Remediation      ──▶   Business Continuity          │
│   MOH (Health)    ──▶  Continuous Monitor   ──▶   Market Trust                 │
│                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────┘
```

Operating intent:
1. Select and maintain the right frameworks per regulator and business scope.
2. Assess and score compliance gaps.
3. Collect evidence and demonstrate control effectiveness.
4. Quantify and treat risks with clear ownership and workflow.
5. Produce repeatable regulator-ready reports and attestations.


## 3) Platform module inventory and maturity

| Unit | Services (interfaces) | Status |
| --- | --- | --- |
| 1. Onboarding | IOnboardingService, IOnboardingWizardService, ISmartOnboardingService | ✅ Complete |
| 2. Framework | IFrameworkManagementService, IExpertFrameworkMappingService, ICatalogDataService | ✅ Complete |
| 3. Plan | IPlanService | ✅ Complete |
| 4. Assessment | IAssessmentService, IAssessmentExecutionService | ⚠️ 80% |
| 5. Evidence | IEvidenceService, IEvidenceLifecycleService, IEvidenceWorkflowService | ✅ Complete |
| 6. Control | IControlService | ⚠️ 70% |
| 7. Risk | IRiskService, IRiskWorkflowService | ⚠️ 60% |
| 8. Compliance | IComplianceCalendarService, IRegulatoryCalendarService | ⚠️ 50% |
| 9. Resilience | IResilienceService | ⚠️ 40% |
| 10. Reporting | IReportService, IDashboardService | ✅ Complete |
| 11. Attestation | IAttestationService | ✅ Complete |


Interpretation:
- **✅ Complete**: module supports end-to-end flow including persistence, workflows (where applicable), and reporting.
- **⚠️ %**: module exists and is partially functional but requires hardening to be audit/regulator-ready.


## 4) End-to-end lifecycle view

```text
│                        COMPLETE GRC PROCESS LIFECYCLE                                       │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│                                                                                             │
│  STAGE 1          STAGE 2       STAGE 3        STAGE 4        STAGE 5        STAGE 6       │
│  ────────         ────────      ────────       ────────       ────────       ────────       │
│                                                                                             │
│  ┌──────────┐    ┌────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌────────────┐  │
│  │ASSESSMENT│───▶│  RISK  │───▶│COMPLIANCE│───▶│RESILIENCE│───▶│EXCELLENCE│───▶│SUSTAINABIL.│  │
│  │EXPLORATION│   │ANALYSIS│   │MONITORING│   │ BUILDING │   │BENCHMARKS│   │CONTINUOUS  │  │
│  └──────────┘    └────────┘   └──────────┘   └──────────┘   └──────────┘   └────────────┘  │
│       │              │             │              │              │              │          │
│    ✅ 85%         ⚠️ 60%        ⚠️ 50%         ⚠️ 70%         ✅ 90%         ✅ 85%       │
│                                                                                             │
│  "Where are we?"  "What can   "Are we       "Can we       "How do we    "How do we       │
│                    go wrong?"  compliant?"   recover?"     compare?"     keep improving?" │
│                                                                                             │
```

**Lifecycle acceptance criteria (high level)**
- Every object (assessment, evidence, risk, control, compliance item) has: owner, status, timestamps, immutable audit trail.
- Workflows are enforceable: draft → review → approve → publish/close (with role-based gates).
- Reporting is reproducible (same inputs yield same scores and findings), versioned, and exportable.


## 5) Gaps, risks, and priorities

**Identified missing capabilities:** Missing: Gap remediation workflow, validation, certification tracking

| Fix category | Business impact |
| --- | --- |
| Mock APIs returning fake data | ❌ Risk data NOT saved = No audit trail = Regulatory failure |
| [AllowAnonymous] on risk data | ❌ Security breach = Confidential risk data exposed |
| Missing workflow methods | ❌ Cannot complete risk lifecycle = Stuck in limbo |
| Inconsistent scoring | ❌ Wrong risk levels = Poor decisions = Compliance violations |


### Priority backlog (actionable)

**P0 — Regulatory blockers / security (complete first)**
- Replace any mock/placeholder endpoints with persisted, audited data paths.
- Remove anonymous access to risk/compliance data; enforce RBAC and least privilege.
- Validate audit trail completeness: every create/update/approve action must be logged immutably.

**P1 — Workflow completion (close the lifecycle)**
- Implement missing workflow methods so items can transition across states with approvals.
- Add *gap remediation* workflow: assign remediation actions, due dates, evidence links, and closure checks.

**P2 — Scoring and methodology standardization**
- Standardize likelihood/impact scales and mapping rules.
- Standardize compliance scoring per framework requirement and aggregation logic.
- Add validation rules (required fields, ranges, cross-entity integrity).

**P3 — Certification and continuous operations**
- Add certification/attestation tracking by period/framework/scope.
- Add recurring compliance calendar and KPI cadence.

### What is already working well (protect from churn)
- Onboarding (enhanced today)
- Framework Management
- Evidence Lifecycle
- Attestation


## 6) Operating model and governance (RACI-lite)

Define clear ownership to make the workflows executable:

- **GRC Owner (Business)**: accountable for scope, cadence, and regulator engagement.
- **Compliance Officer**: responsible for framework mapping, requirement scoring oversight, and reporting.
- **Risk Owner**: responsible for risk register quality, treatment plans, and residual risk acceptance.
- **Control Owner**: responsible for control design/operation and evidence production.
- **Evidence Custodian**: responsible for evidence quality, metadata, and lifecycle progression.
- **Approvers**: Manager (L1), Compliance (L2), Executive/Production sign-off (L3).
- **Platform Admin/SecOps**: responsible for RBAC, audit logs, integrations, backups, and configuration.

Recommended governance artifacts:
- Risk appetite statement and scoring rubric.
- Evidence quality rubric (including the 70% threshold noted below).
- Monthly GRC steering meeting with published minutes and action register.


## 7) Data population checklist (minimum viable for evaluation)

To evaluate credibly, the platform must be populated with consistent reference data:

1. **Organization & scope**: business units, locations, systems, critical services, third parties.
2. **Frameworks**: selected frameworks + versions + requirement imports.
3. **Domains / assessment areas**: mapped to business scope and regulator expectations.
4. **Controls**: control library, owners, frequency, and mappings to requirements.
5. **Evidence**: evidence types, collection cadence, metadata, and lifecycle states.
6. **Risks**: risk register, assets, threats, controls, treatments, due dates, residual risk.
7. **Compliance calendar**: reporting periods, internal checkpoints, audit windows.
8. **Users & roles**: RBAC mappings aligned to approval workflow roles.


## 8) Evaluation methods using built-in capabilities

### 8.1 Maturity assessment
- Use maturity assessment to benchmark capability by domain and track improvement over time.

### 8.2 Assessment-based evaluation
- Create assessments linked to a framework code (e.g., SAMA-CSF, NCA-ECC).
- Score each requirement and produce a compliance report.

### 8.3 Risk-control effectiveness evaluation
- Ensure every high-risk item maps to: affected assets, mitigating controls, and evidence.
- Track treatment progress and residual risk acceptance.

### 8.4 Evidence-based compliance evaluation
- Evidence must be uploaded, scored, and approved before it can support compliance claims.
- Maintain evidence-to-control-to-requirement traceability.

### 8.5 Workflow-based evaluation
- Enforce the 3-level workflow: Manager → Compliance Officer → Executive (production).


## 9) Reporting and KPIs

Recommended minimum reporting set:

- **Compliance report**: requirement status, scores, gaps, remediation actions.
- **Risk report**: heat map, top risks, treatments, overdue actions, residual risk.
- **Audit report**: findings, evidence links, approvals, recommendations.
- **Assessment report**: domain progress and overall score.

Suggested KPIs (monthly):
- % requirements with approved evidence
- # open critical/high gaps and average age
- Risk treatment on-time completion rate
- Control testing completion rate
- Rejected evidence rate (quality signal)


## 10) 30/60/90-day execution plan (recommended)

### Days 0–30: Make it auditable and secure (P0)
- Remove mock persistence paths; confirm DB writes and audit logs.
- Close all anonymous endpoints for sensitive data; implement RBAC checks.
- Define scoring rubrics (risk + compliance) and lock the methodology.
- Populate foundational reference data (scope, frameworks, controls, roles).

### Days 31–60: Close lifecycle workflows (P1–P2)
- Complete missing workflow methods; ensure state transitions are enforced.
- Implement gap remediation workflow with owners, due dates, evidence links.
- Add validation rules and automated checks for data integrity.

### Days 61–90: Operationalize continuous compliance (P3)
- Implement certification/attestation tracking by period and framework.
- Establish compliance calendar and monthly reporting cadence.
- Run two full monthly cycles and perform a lessons-learned retro.


## Appendix A) Built-in capability coverage (as-is)

| Capability | Status | How to use |
| --- | --- | --- |
| Maturity Assessment | ✅ Built-in | Populate data, view dashboard |
| Risk Scoring | ✅ Built-in | Enter likelihood/impact, link controls |
| Control Effectiveness | ✅ Built-in | Test controls, update effectiveness % |
| Evidence Management | ✅ Built-in | Upload, score (70% threshold), approve |
| Compliance Scoring | ✅ Built-in | Score requirements, calculate averages |
| Framework Compliance | ✅ Built-in | Link to framework codes |
| Approval Workflows | ✅ Built-in | Submit through 3-level workflow |
| Dashboards/Reports | ✅ Built-in | View metrics, generate reports |
| Audit Trail | ✅ Automatic | All actions logged immutably |
| Policy Enforcement | ✅ Configurable | Edit YAML policy file |


Notes:
- Evidence lifecycle should enforce quality thresholds (e.g., 70%) and approvals before evidence is admissible.
- Policy enforcement should be treated as configuration-as-code (reviewed, versioned, and change-controlled).


## Appendix B) KSA regulator and framework mapping (validate for your scope)

- **NCA**: Essential Cybersecurity Controls (ECC) and related guidance.
- **SAMA**: Cybersecurity Framework (CSF) (financial sector scope).
- **SDAIA / NDMO**: PDPL and data management/personal data protection policies.
- **CST**: communications/space/technology regulatory requirements (telecom/ICT scope).
- **MOH**: health sector requirements where applicable.

Operational guidance: explicitly record **which regulator(s)** apply to each business unit and system, and keep the mapping versioned.
