Architecture

This document provides a comprehensive overview of the BCMLogic Next ecosystem, based on the Headless GRC roadmap. The architecture is divided into functional layers to ensure modularity and scalability.


architecture

1. Business Logic Domains (The GRC Engine)

These domains handle the core regulatory and operational logic of the platform.

  • Risk Management: The central engine for risk identification, assessment (Inherent, Residual, Target), and continuous monitoring.
  • Internal Control: Framework for managing control activities, testing their effectiveness, and tracking remediation plans.
  • Business Continuity (BCM): Management of BIA (Business Impact Analysis), recovery strategies, and the lifecycle of BCP/DR plans.
  • Vendor Management (TPRM): A comprehensive domain for third-party risk, covering the full vendor lifecycle from onboarding to offboarding (DORA/NIS2 compliant).
  • Incidents & Events: Tracking and classification of operational incidents, security breaches, and loss events.
  • Compliance & Audit: Mapping legal and regulatory requirements (Regulatory Library) to internal processes and managing audit missions.

2. Supporting & Foundation Domains

Common services that provide data and structure to the business modules.

  • Organization: Management of the legal and functional hierarchy (Legal Entities, Departments, Business Units).
  • Assets & Inventory: A unified registry for all asset classes (IT Systems, Infrastructure, People, and Data Sets).
  • Methodology: Configuration of scoring models, impact scales, risk matrices, and assessment templates.
  • Dictionaries & Taxonomies: Centralized management of system-wide tags, categories, and localized lists.
  • Playbooks: A workflow orchestration engine for automated responses and standardized operating procedures.

3. Connectivity & Headless Layer

The interfaces that allow BCMLogic Next to act as a "Headless" engine for other systems.

  • API Gateway (headless interface): The primary entry point (REST/GraphQL) for external frontends, mobile apps, and third-party integrations.
  • DataHub: An ETL and integration layer designed for automated data ingestion from external sources (SQL, SFTP, Webhooks).
  • VendorHub: A specialized external-facing portal for seamless collaboration, evidence collection, and automated vendor assessments.

4. Intelligence & Insights Layer

Advanced capabilities providing data-driven decision support.

  • AI Engine: Powered by LLMs for automated risk mapping, predictive analytics, and "Next Best Action" recommendations for GRC officers.
  • Analytics & Reporting: High-performance data processing for real-time dashboards and automated regulatory report generation.

Last Update: February 2026