A GRC engine that runs alongside your operations, not after them. Risk register, controls library, controls testing, audit evidence — all native to the platform that is generating the transactions in the first place.
Most GRC tools sit outside the operational systems they are meant to govern. They ask the auditor or the controls owner to gather evidence after the fact — exports from one system, screenshots from another, manual sign-offs in a third. The evidence is incomplete, the testing is sample-based, and the audit becomes a forensic exercise.
Retail ViVA GRC works the other way. Because the platform is the operational system, controls are tested where the transactions live. Evidence is generated continuously, not manually. The audit becomes a review of what already happened, not a reconstruction of what might have.
Operational, financial, compliance, IT, and strategic risks tracked in one register. Likelihood, impact, owner, mitigation status — all reviewable.
Standard controls per risk category — authorisation, segregation of duties, reconciliation, system controls — mapped to the operational modules they govern.
Configurable rule-based testing runs continuously against transactions. Failed tests escalated to controls owners and surfaced in management dashboards.
Every transaction, every approval, every system change logged immutably with timestamp, user, and before/after state. Auditors get full evidence, not samples.
Policy documents versioned, employee acknowledgement tracked, training completion linked. Compliance with internal policy proven, not assumed.
Statutory reporting templates per market — SOX-style, ITGC, PCI-DSS, GDPR/DPDP. Generation automated where the data is structured; workflow-driven where it is not.
This module is not "integrated" with the rest of Retail ViVA — it is the rest of Retail ViVA, expressed at one functional surface.
That means data flows in and out without configuration, without API contracts, and without the failure modes that come from stitching software together.