Core Concepts
Omnitrex GRC organises your governance, risk, and compliance data into a universal node-based model. Every piece of data — an organisation unit, a risk, a vendor, a policy — is a node in a specific domain.
Domains
A domain is a category of GRC data. Omnitrex ships with 15 domains:
| Code | Domain | Purpose |
|---|---|---|
| ORG | Organisation | Legal entities, departments, teams |
| PROC | Processes | Business processes and workflows |
| ASST | Assets | IT systems, applications, infrastructure |
| VNDR | Vendors | Third-party suppliers and partners |
| RISK | Risks | Risk register with assessment and scoring |
| CTRL | Controls | Control framework with testing schedules |
| INCD | Incidents | Security and operational incidents |
| AUDT | Audits | Audit programs and findings |
| PLCY | Policies | Policies, procedures, and standards |
| TRNG | Training | Training programs and completion tracking |
| PRTF | Portfolio | Programs, projects, and tasks |
| PROD | Products | Product and service catalogue |
| CUST | Customers | CRM pipeline and customer records |
| DATA | Data | Data asset catalogue and classification |
| CNST | Consent | Consent records and cookie management |
Nodes
A node is a single record in a domain. Every node has:
- Name and description
- Status: LIVE, PLANNED, PILOT, or INACTIVE
- Layer: Position in the domain hierarchy (e.g., Entity > Department > Team in ORG)
- Head: Responsible person
- Assignee: Person working on it
- Extensions: Domain-specific metadata (e.g., risk scores for RISK nodes, contract dates for VNDR nodes)
Hierarchies
Each domain defines a hierarchy of layers. For example:
- Organisation (ORG): Holding > Entity > Department > Team > Role
- Risks (RISK): Category > Domain > Risk
- Portfolio (PRTF): Portfolio > Program > Project > Task
Child nodes inherit context from their parent, making it easy to drill down from a broad category to a specific record.
Cross-Domain Links
The real power of Omnitrex is linking nodes across domains. Examples:
- A Risk linked to the Controls that mitigate it
- A Vendor linked to the Assets they supply
- A Process linked to the Data it handles
- An Incident linked to the Risk it materialised from
Central Command Viewer
The Central Command Viewer (CCV) is an interactive force-directed graph that visualises all your nodes and their cross-domain relationships. Click any node to see its details, links, and audit trail.
Use the CCV to:
- Spot orphan nodes (risks without controls, vendors without assessments)
- Trace impact paths (which processes are affected if a vendor fails?)
- Validate completeness (does every risk have at least one control?)
Working with Nodes
Creating Nodes
Navigate to any domain table and click + New Node. Select the layer, fill in the required fields, and save. The node appears immediately in the table and the CCV.
Linking Nodes
From a node's detail panel, click Add Link and search for the target node by name or ID. Links are bidirectional — both nodes will show the relationship.
Status Management
Nodes progress through statuses:
- PLANNED — Documented but not yet active
- PILOT — In trial or testing phase
- LIVE — Active and in production
- INACTIVE — Retired or superseded
Extensions
Each domain has a dedicated extension panel for domain-specific fields:
- RISK: Likelihood, impact, risk score, risk appetite, treatment strategy
- CTRL: Control type (preventive/detective/corrective), test frequency, last test date, effectiveness
- VNDR: Contract start/end, tier classification, SLA terms
- PLCY: Review cycle, approval status, version, effective date
Compliance Frameworks
Omnitrex maps your data against major compliance frameworks:
- GDPR — Data processing, consent, DPIA support
- DORA — ICT risk management, incident reporting, third-party oversight
- NIS2 — Network and information security measures
- ISO 27001 — Information security management system
- AI Act — AI system classification, risk assessment, transparency
Risk-Control Matrix
The risk-control matrix shows every risk alongside its linked controls, highlighting:
- Controlled risks — At least one active control linked
- Uncontrolled risks — No controls linked (gaps)
- Coverage percentage — Ratio of controlled to total risks
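As an added illustration (not Omnitrex code or its API), the sketch below computes these three figures from a constructed set of nodes and bidirectional links. It assumes "active" means status LIVE and puts risks whose only linked controls are not LIVE in a separate bucket; all node IDs, names and function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data; IDs and names are hypothetical, not from Omnitrex.
NODES = {
    "R1": {"domain": "RISK", "status": "LIVE", "name": "Vendor outage"},
    "R2": {"domain": "RISK", "status": "LIVE", "name": "Data leak"},
    "R3": {"domain": "RISK", "status": "LIVE", "name": "Unpatched server"},
    "C1": {"domain": "CTRL", "status": "LIVE", "name": "Failover test"},
    "C2": {"domain": "CTRL", "status": "PLANNED", "name": "DLP rollout"},
    "V1": {"domain": "VNDR", "status": "LIVE", "name": "Cloud host"},
}
# Each link is stored once; the order of the two ends carries no meaning.
LINKS = [("R1", "C1"), ("C2", "R2"), ("R1", "V1")]


def neighbours(links):
    """Expand each link in both directions, since links are bidirectional."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def risk_control_matrix(nodes, links):
    """Classify every RISK node by the controls linked to it."""
    adj = neighbours(links)
    matrix = {"controlled": [], "inactive_only": [], "uncontrolled": []}
    for node_id, node in sorted(nodes.items()):
        if node["domain"] != "RISK":
            continue
        # Only CTRL neighbours count; a linked vendor or asset is not a control.
        controls = [n for n in adj[node_id] if nodes[n]["domain"] == "CTRL"]
        if any(nodes[c]["status"] == "LIVE" for c in controls):
            matrix["controlled"].append(node_id)
        elif controls:
            # Assumption: a PLANNED, PILOT or INACTIVE control does not yet
            # mitigate the risk, so it is reported apart from "controlled".
            matrix["inactive_only"].append(node_id)
        else:
            matrix["uncontrolled"].append(node_id)
    total = sum(len(ids) for ids in matrix.values())
    controlled = len(matrix["controlled"])
    matrix["coverage_pct"] = round(100 * controlled / total, 1) if total else 0.0
    return matrix


if __name__ == "__main__":
    print(risk_control_matrix(NODES, LINKS))
```

The `inactive_only` bucket is the case to watch in a review: the risk shows a linked control, yet nothing in production is mitigating it.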
Reports
Generate reports in XLSX, PPTX, or PDF format:
- Portfolio Report — Project status, task completion, timeline
- Risk Report — Risk register with scores, controls, and gaps
- Compliance Report — Framework coverage and gap analysis
- Vendor Report — Vendor tiers, contract status, risk assessments
- Incident Report — Incident timeline, root causes, lessons learned
- Audit Report — Audit findings, remediation status
Next Steps
- Getting Started — Deploy the platform with Docker Compose
- Developer Guide — Set up CLI, MCP servers, and API access
- Integrations — Connect n8n, Microsoft 365, and AI workflows