Documentation

Comprehensive guides and resources for the Oreno GRC platform

Getting Started

Welcome to Oreno GRC

Oreno GRC is a comprehensive enterprise platform designed to streamline governance, risk, and compliance management for organizations of all sizes. Our unified platform integrates audit management, risk assessment, compliance tracking, legal case management, contract lifecycle management, document management, AI governance, and administrative controls.

Platform Overview

Audit Management

Complete audit lifecycle management with workplans, engagements, objectives, procedures, issues, and follow-up actions.

  • Audit workplans and engagement planning
  • Risk-based audit objectives and procedures
  • Issue tracking with recommendations
  • Follow-up action management
  • Working papers and evidence collection

Risk Management

Comprehensive risk management with COBIT and NIST frameworks integration.

  • Risk registers and risk matrices
  • Key Risk Indicators (KRIs)
  • Risk assessments and controls
  • COBIT domains, processes, and capabilities
  • NIST Cybersecurity Framework

Compliance Management

Multi-framework compliance with ISO 27001, GDPR, SOX, and custom frameworks.

  • Compliance frameworks and requirements
  • Policy document management
  • Obligation tracking and evidence
  • ISO 27001 ISMS management
  • GDPR data subject rights
  • SOX financial controls

Legal Management

Complete legal case and matter management system.

  • Legal case tracking and management
  • Party management (plaintiffs, defendants, witnesses)
  • Legal task management with deadlines
  • Document management and versioning
  • Case archiving with retention policies

Contracts Management

End-to-end contract lifecycle management.

  • Contract types and templates
  • Party management and relationships
  • Contract milestones and renewals
  • Compliance obligation linking
  • Financial terms and payment tracking

Document Management

Secure document request and management system.

  • Document request workflows
  • Secure upload links with expiration
  • Version control and access management
  • Integration with all GRC modules
  • Audit trail and compliance tracking

AI Governance

Comprehensive AI model governance and testing framework.

  • Model and dataset asset management
  • Test plans and execution tracking
  • Performance and fairness testing
  • Compliance mapping to frameworks
  • Evidence artifact management
  • Webhook integration for CI/CD

Administration

Complete organizational administration and user management.

  • Multi-tenant organization management
  • Role-based access control
  • User activation and password policies
  • Data export and backup management
  • System configuration and settings

Quick Start Guide

1. Organization Setup

Configure your organization settings, create user roles, and set up initial users with appropriate permissions.

2. Risk Framework

Set up your risk register, configure risk matrices, and establish COBIT/NIST frameworks for your industry.

3. Compliance Setup

Define compliance frameworks, upload policy documents, and create compliance obligations with due dates.

4. Audit Planning

Create your first audit workplan, define engagements, and link audit objectives to identified risks.

Platform Integration Benefits

🔄 Unified Workflow

Seamless integration between audit, risk, compliance, and legal processes.

📊 Real-time Reporting

Comprehensive dashboards and reports across all GRC functions.

🔒 Enterprise Security

Multi-tenant architecture with role-based access control and audit trails.

⚡ AI-Powered

Built-in AI governance and automated compliance testing capabilities.

Audit Management

Audit Management Overview

The Audit Management module provides comprehensive audit lifecycle management from planning to execution and follow-up. It supports risk-based auditing with full integration to the Risk Management module.

Audit Workplans

Strategic audit planning with annual workplans, resource allocation, and approval workflows.

Engagements

Individual audit engagements with objectives, procedures, and execution tracking.

Issues & Recommendations

Issue identification, tracking, and recommendation management with follow-up actions.

Working Papers

Evidence collection, working papers, and audit documentation management.

Creating Your First Audit Engagement

1. Create Workplan

Start with an annual audit workplan to define your audit strategy and resource allocation.

2. Define Engagement

Create audit engagements with specific objectives, scope, and timeline.

3. Link to Risks

Connect audit objectives to specific risks from your risk register for risk-based auditing.

4. Execute Procedures

Define and execute audit procedures with working papers and evidence collection.

Best Practice: Use the risk-based audit approach to link your audit objectives to specific organizational risks for more targeted and effective audits. This ensures your audit efforts focus on the areas of highest risk.

Advanced Audit Features

Issue Management

  • Issue identification and categorization
  • Risk linking and impact assessment
  • Recommendation generation and tracking
  • Follow-up action management
  • Issue retesting and validation

Approval Workflows

  • Multi-level approval processes
  • Workplan and engagement approvals
  • Issue and recommendation approvals
  • Automated notification system
  • Approval history tracking

Reporting & Analytics

  • Real-time audit dashboards
  • Engagement status tracking
  • Issue trend analysis
  • Risk-based audit reports
  • Export capabilities (Excel, PDF)

Integration Features

  • Risk register integration
  • Compliance obligation linking
  • Document management integration
  • Legal case cross-referencing
  • Contract compliance tracking

Risk Management

Risk Management Overview

The Risk Management module provides comprehensive risk identification, assessment, and mitigation capabilities with built-in support for COBIT and NIST frameworks. It integrates seamlessly with audit and compliance modules for enterprise-wide risk governance.

Risk Registers

Centralized risk repositories with categorization, assessment, and treatment tracking.

Risk Matrices

Configurable risk assessment matrices with impact and likelihood scales.

Key Risk Indicators

KRIs for ongoing risk monitoring and early warning systems.

Controls Management

Risk control frameworks with effectiveness testing and monitoring.

Setting Up Your Risk Register

The risk management module allows you to create and maintain comprehensive risk registers tailored to your organization's needs with support for industry-standard frameworks.

1. Create Risk Register

Set up your organization's risk register with appropriate categories and frameworks.

2. Identify Risks

Document and categorize risks using industry-standard frameworks like COSO and ISO 31000.

3. Assess & Treat

Evaluate risk impact and likelihood, then develop appropriate treatment strategies.

4. Monitor & Report

Set up KRIs, conduct regular assessments, and generate risk reports for stakeholders.

COBIT and NIST Framework Integration

COBIT Framework

  • COBIT domains and processes
  • Capability maturity assessments
  • Governance and management objectives
  • Control framework integration
  • Maturity level tracking

NIST Cybersecurity Framework

  • NIST functions and categories
  • Subcategory implementation tracking
  • Threat identification and management
  • Incident response planning
  • Cybersecurity risk assessment

Advanced Risk Management Features

Risk Assessment Tools

  • Quantitative and qualitative assessments
  • Risk heat maps and visualizations
  • Scenario analysis and stress testing
  • Risk appetite and tolerance setting
  • Risk aggregation and correlation

Control Management

  • Control design and implementation
  • Control effectiveness testing
  • Control deficiency management
  • Remediation planning and tracking
  • Control monitoring and reporting

Risk Analytics

  • Risk trend analysis and forecasting
  • KRI dashboards and alerts
  • Risk concentration analysis
  • Emerging risk identification
  • Risk-adjusted performance metrics

Integration & Reporting

  • Audit integration for risk-based auditing
  • Compliance obligation risk linking
  • Legal case risk assessment
  • Contract risk evaluation
  • Executive risk reporting

Compliance Management

Compliance Management Overview

The Compliance Management module provides comprehensive multi-framework compliance capabilities including ISO 27001, GDPR, SOX, and custom regulatory frameworks. It enables organizations to manage compliance obligations, track evidence, and maintain regulatory adherence.

Compliance Frameworks

ISO 27001, GDPR, SOX, and custom regulatory framework management.

Policy Management

Policy document management with version control and AI processing.

Obligation Tracking

Compliance obligation management with due dates and evidence tracking.

Evidence Management

Compliance evidence collection and validation with audit trails.

Setting Up Compliance Programs

1. Define Frameworks

Set up compliance frameworks (ISO 27001, GDPR, SOX) and define requirements.

2. Upload Policies

Upload policy documents with AI-powered processing and version control.

3. Create Obligations

Define compliance obligations with owners, due dates, and evidence requirements.

4. Track Evidence

Collect and validate compliance evidence with automated tracking and reporting.

Framework-Specific Features

ISO 27001 ISMS

  • Information Security Management System
  • Information asset classification
  • Security incident management
  • Certification status tracking
  • Audit and review scheduling

GDPR Compliance

  • Data subject rights management
  • Data processing activity records
  • Data breach notification tracking
  • Privacy framework management
  • Consent and legal basis tracking

SOX Financial Controls

  • Financial control framework
  • Control testing and validation
  • Segregation of duties matrix
  • Financial process documentation
  • Exception and remediation tracking

Advanced Compliance Features

AI-Powered Processing

  • Automated policy document processing
  • PII detection and masking
  • Compliance requirement extraction
  • Risk assessment automation
  • Confidence scoring and validation

Obligation Management

  • Automated due date tracking
  • Overdue obligation alerts
  • Owner assignment and notifications
  • Priority and status management
  • Evidence requirement validation

Integration & Reporting

  • Risk register integration
  • Audit engagement linking
  • Contract compliance tracking
  • Legal case cross-referencing
  • Executive compliance dashboards

Reports

Standard Reports

Access engagement details, issues with recommendations, risk registers, compliance status, and contract summaries. Reports are optimized for compact pagination.

Contracts Management

Key Capabilities

  • Templates, clauses, and versions
  • Renewals and expiries tracking
  • Obligations and approvals workflow
  • Document attachments and audit trail

Document Management

Document Management Overview

The Document Management module provides secure document request and management capabilities with integration across all GRC modules. It enables organizations to request, collect, and manage documents with secure upload links and comprehensive audit trails.

Document Requests

Secure document request workflows with automated notifications and tracking.

Secure Uploads

Secure upload links with expiration dates and no-login-required access.

Version Control

Document versioning and access management with audit trails.

GRC Integration

Seamless integration with audit, risk, compliance, and legal modules.

Libraries & Evidence

Centralized document libraries with evidence linking capabilities across all GRC modules.

Document Request Workflow

  • Request creation with due dates
  • Automated email notifications
  • Secure upload token generation
  • Request status tracking
  • Reminder and escalation management

Security & Access Control

  • Secure upload links with expiration
  • No-login-required external access
  • File validation and size limits
  • Access logging and audit trails
  • Document encryption and storage
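The "secure upload token generation" and "secure upload links with expiration" items above describe a link that an external party can use without logging in. The following is an added example of how such a link can be made safe, written for this page and not taken from Oreno GRC: the token binds the document-request id and an expiry time under an HMAC, and the verifier checks the signature in constant time before it trusts any field and refuses expired links. The token layout, the field names (`req`, `exp`, `nonce`) and the in-memory server key are assumptions for illustration; a deployment would load the key from its secret store and would record used nonces if links are meant to be single-use.

```python
"""Time-limited, HMAC-signed upload tokens for login-free document requests.

Added example; not Oreno GRC code. Token layout, field names and the
in-memory server key are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe inside a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_upload_token(request_id: str, ttl_seconds: int,
                       now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Return 'payload.signature' for one document request, valid for ttl_seconds."""
    now = time.time() if now is None else now
    payload = {
        "req": request_id,
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(8),  # makes each issued link unique
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_upload_token(token: str, now: Optional[float] = None,
                        key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the signature is valid and the link is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Check the signature first, in constant time, before decoding anything else.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token, bad base64 or bad JSON
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired or missing expiry
    return payload


if __name__ == "__main__":
    link_token = issue_upload_token("DR-1001", ttl_seconds=3600)
    print("issued:", link_token)
    print("verifies now:", verify_upload_token(link_token) is not None)
```

The expiry lives inside the signed payload rather than in the database alone, so a link cannot be extended by editing the URL, and the `now` parameter exists so expiry handling can be tested deterministically. File validation, size limits and access logging listed above happen after this check succeeds, not before.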

Version & Lifecycle Management

  • Document versioning and history
  • Upload tracking and metadata
  • Document lifecycle management
  • Retention policy enforcement
  • Archive and deletion workflows

GRC Module Integration

  • Audit evidence collection
  • Risk assessment documentation
  • Compliance obligation evidence
  • Legal case document management
  • Contract supporting documentation

Advanced Document Management Features

Request Management

  • Requestee identification and contact
  • Request categorization and tagging
  • Due date management and alerts
  • Request status and progress tracking
  • Bulk request operations

Upload & Processing

  • Multiple file format support
  • File size and type validation
  • Upload progress tracking
  • Error handling and retry mechanisms
  • Metadata extraction and indexing

Reporting & Analytics

  • Request completion dashboards
  • Upload statistics and trends
  • Document usage analytics
  • Compliance reporting integration
  • Audit trail and logging reports

Administration & User Management

Administration Overview

The Administration module provides comprehensive organizational administration and user management capabilities. It enables organizations to manage users, roles, system settings, and data exports with full audit trails and security controls.

User Management

Complete user lifecycle management with role-based access control and activation workflows.

Organization Settings

Multi-tenant organization configuration with custom settings and branding.

Data Management

Data export, backup, and migration capabilities with audit logging.

Security & Compliance

Password policies, security settings, and compliance monitoring.

Role-Based Access Control

Comprehensive role-based access control system with hierarchical permissions and organization-specific role management.

Administrative Roles

  • Admin: Full organization administration and role assignment
  • Head of Unit: Department-level management and oversight
  • Manager: Team management and operational oversight
  • Staff: Standard operational capabilities
  • Risk Champion: Specialized risk management role

Permission Management

  • Module-specific access controls
  • Data creation, read, update, delete permissions
  • Approval workflow permissions
  • Reporting and export capabilities
  • System configuration access

Security Note: Role changes are restricted to Admin users within each organization. This ensures proper access control and prevents unauthorized privilege escalation.
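As an added example of the rule in the Security Note (not code from Oreno GRC), the check below allows a role change only when the acting user is an active Admin of the same organization as the target, refuses roles outside the Administrative Roles list above, and records every decision for the audit trail. The `User` record, the organization ids, the audit-log shape and the guard against demoting an organization's last active Admin are assumptions added for illustration; the last-admin guard is not a documented Oreno GRC behaviour but is the lock-out case a practitioner would want handled.

```python
"""Authorization check for role changes in a multi-tenant RBAC model.

Added example; not Oreno GRC code. The role names follow the Administrative
Roles list; the User record, organization ids, audit-log shape and the
last-admin guard are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

ROLES = ("Admin", "Head of Unit", "Manager", "Staff", "Risk Champion")


@dataclass
class User:
    user_id: str
    org_id: str      # tenant the account belongs to
    role: str
    active: bool = True


def check_role_change(actor: User, target: User, new_role: str,
                      directory: List[User]) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what the audit trail records."""
    if not actor.active:
        return False, "actor account is not active"
    if actor.role != "Admin":
        return False, "only Admin may change roles"
    if actor.org_id != target.org_id:
        # Tenant boundary: an Admin of one organization has no rights in another.
        return False, "actor and target are in different organisations"
    if new_role not in ROLES:
        return False, f"unknown role {new_role!r}"
    if target.role == "Admin" and new_role != "Admin":
        # Assumed guard: never leave an organization without an active Admin.
        remaining = [u for u in directory
                     if u.org_id == target.org_id and u.role == "Admin"
                     and u.active and u.user_id != target.user_id]
        if not remaining:
            return False, "would remove the organisation's last active Admin"
    return True, "ok"


def change_role(actor: User, target: User, new_role: str,
                directory: List[User], audit_log: List[dict]) -> bool:
    """Apply the change only if permitted; log allowed and denied attempts alike."""
    allowed, reason = check_role_change(actor, target, new_role, directory)
    audit_log.append({
        "actor": actor.user_id, "target": target.user_id, "org": target.org_id,
        "from": target.role, "to": new_role, "allowed": allowed, "reason": reason,
    })
    if allowed:
        target.role = new_role
    return allowed


if __name__ == "__main__":
    # Constructed sample directory: two tenants, one Admin each.
    admin_a = User("u1", "org-A", "Admin")
    staff_a = User("u2", "org-A", "Staff")
    admin_b = User("u3", "org-B", "Admin")
    log: List[dict] = []
    change_role(admin_a, staff_a, "Manager", [admin_a, staff_a, admin_b], log)
    change_role(admin_b, staff_a, "Admin", [admin_a, staff_a, admin_b], log)
    for entry in log:
        print(entry)
```

Denied attempts are logged with the same shape as successful ones, which is what makes repeated cross-tenant or non-Admin attempts visible in the user activity tracking described later on this page.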

User Management Features

User Lifecycle Management

  • User registration and activation
  • Admin-created user accounts
  • First-time setup workflows
  • User deactivation and deletion
  • Bulk user operations

Authentication & Security

  • OTP-based email verification
  • Password policy enforcement
  • Password expiration management
  • Account lockout and recovery
  • Multi-factor authentication support

Organization Management

  • Multi-tenant organization setup
  • Organization settings configuration
  • Custom branding and themes
  • Domain and subscription management
  • Organization user limits

Data Export & Backup

  • Comprehensive data export capabilities
  • Module-specific data exports
  • Custom data selection and filtering
  • Export format options (Excel, CSV, JSON, PDF)
  • Audit trail and compliance logging

Advanced Administration Features

System Configuration

  • Email notification settings
  • System-wide configuration options
  • Integration and API settings
  • Backup and retention policies
  • Performance monitoring settings

Audit & Compliance

  • Comprehensive audit logging
  • User activity tracking
  • Data access monitoring
  • Compliance reporting
  • Security incident tracking

Integration & Automation

  • LDAP and Active Directory integration
  • SSO and SAML configuration
  • API key management
  • Webhook configuration
  • Automated user provisioning

AI Governance

AI Governance Overview

The AI Governance module provides comprehensive AI model governance and testing capabilities with support for EU AI Act, OECD, and NIST AI RMF frameworks. It enables organizations to manage AI model lifecycles, conduct compliance testing, and ensure responsible AI practices.

Model & Dataset Assets

AI model and dataset asset management with security classification and PII detection.

Test Plans & Execution

Comprehensive test plan management with automated execution and result tracking.

Compliance Frameworks

EU AI Act, OECD, and NIST AI RMF framework integration with clause mapping.

Evidence & Artifacts

Evidence artifact management with security classification and retention policies.

Model Lifecycle & Testing

Comprehensive AI model lifecycle management with automated testing, performance monitoring, and compliance validation.

Model & Dataset Management

  • Model asset registration and versioning
  • Dataset asset management with schema tracking
  • PII detection and data classification
  • Security classification and encryption
  • Retention policy enforcement

Test Plan & Execution

  • Test plan configuration and management
  • Automated test execution and monitoring
  • Performance and fairness testing
  • Security and robustness validation
  • Test result tracking and reporting

Compliance & Governance

  • Framework clause mapping and validation
  • Compliance evidence collection
  • Approval workflow management
  • Risk assessment and mitigation
  • Audit trail and documentation

Integration & Automation

  • MLflow and S3 connector integration
  • Webhook subscriptions for CI/CD
  • Automated threshold monitoring
  • Real-time alerting and notifications
  • API integration capabilities

AI Governance Frameworks

EU AI Act Compliance

  • Risk-based AI system classification
  • High-risk AI system requirements
  • Conformity assessment procedures
  • Transparency and documentation
  • Post-market monitoring

OECD AI Principles

  • Inclusive growth and human-centered values
  • Transparency and explainability
  • Robustness and security
  • Accountability and responsibility
  • Fairness and non-discrimination

NIST AI RMF

  • AI risk management framework
  • Governance and risk assessment
  • AI system lifecycle management
  • Trustworthy AI characteristics
  • Risk mitigation strategies

Advanced AI Governance Features

Security & Privacy

  • PII detection and masking
  • Data classification and encryption
  • Access control and permissions
  • Audit logging and monitoring
  • Data retention and deletion

Performance & Monitoring

  • Model performance tracking
  • Fairness and bias monitoring
  • Drift detection and alerting
  • SLO and SLA monitoring
  • Performance degradation alerts

Integration & Automation

  • MLflow and cloud storage integration
  • CI/CD pipeline integration
  • Webhook event subscriptions
  • Automated testing workflows
  • API and connector management

Troubleshooting

Common Issues

  • Migrations in multi-tenant setups: run migrate_schemas and keep migrations idempotent so they can be re-applied per tenant schema
  • Rich text editors in modals: ensure {{ form.media }} is included in the template
  • Role changes blocked: confirm the acting user holds the Admin role in that organization

API Reference

REST API Documentation

Oreno GRC provides a comprehensive REST API for integrating with external systems and building custom applications.

Base URL

https://oreno.tech/api/

Available Endpoints

GET /api/audit/engagements/

Retrieve list of audit engagements

POST /api/risk/risks/

Create a new risk entry

Need Help?

Can't find what you're looking for? Our support team is here to help.