Case Studies
Practice deeper decision-making and communication through real-world GRC case studies. Read the scenario, then answer the questions to test your understanding.
Govern a Firewall Logging Exception with a Compensating Control
Northbridge BioSupply, a fictional healthcare supplier, is preparing for its annual internal controls review. During a control walkthrough, the security compliance manager discovers that a legacy ware...
Rationalize Overlapping Operational Controls in a Shared Services Environment
Northbridge Fulfillment Group, a fictional distribution company, is preparing for an internal GRC review of its control inventory for operations. Over the past three years, the company expanded throug...
Rationalize a Global Control Library After a Merger
Northbridge BioServices, a fictional life sciences company, recently merged with a regional diagnostics firm. The combined organization now has three separate control libraries: one maintained by Inte...
Operating Risk Appetite Limits During a Rapid Expansion
Northbridge Mutual, a fictional regional insurer, recently entered two new markets and launched a broker portal to accelerate growth. At the start of the year, the board approved an enterprise risk ap...
Recurring Vendor Due Diligence Failures and Weak Root Cause Governance
Northbridge Mutual, a fictional insurance firm, tracks compliance issues in a central issue management system. Over the last two quarters, Internal Audit and the third-party risk team both identified ...
Corrective Action Governance After a Recurring Access Review Failure
Northbridge Biologics, a fictional pharmaceutical manufacturer, identified a control deficiency during an internal audit of its GRC program. The audit found that quarterly privileged access reviews fo...
Human Oversight Gaps in a Claims Triage AI Rollout
NorthBridge Mutual, a fictional regional insurer, deploys an AI model to prioritize incoming property insurance claims for adjuster review after storms. The model assigns each claim a severity score a...
Board Oversight of Cyber Risk After a Cloud Control Failure
NorthBridge Transit Holdings is a fictional regional transportation company that relies on a cloud-based platform to manage customer ticketing, fleet maintenance records, and vendor invoices. During a...
Critical Process Mapping for a Regional Pharmacy Distributor
Northbridge Rx, a fictional regional pharmacy distributor, is preparing for its annual resilience planning cycle after several near-miss service disruptions. The COO asks the GRC team to perform a bus...
Cyber Insurance Readiness and Renewal Governance for a Manufacturing Group
NorthRiver Components, a fictional mid-sized manufacturer, is preparing for renewal of its cyber insurance policy in 45 days. The broker has warned the company that underwriters are asking more detail...
Repair Governance Gaps in a Product Analytics Data Domain
Northstar Biologics, a fictional multinational life sciences company, recently centralized product analytics data from regional research, sales, and patient support teams into a cloud data platform. T...
Quarterly Access Review for a Clinical Research Platform
Northbridge Biolabs, a fictional mid-sized life sciences company, uses a cloud-based clinical research platform to manage study documents, participant scheduling, and regulated project data. The compa...
Internal Control Deficiency Evaluation and CAPA Governance at Northbridge Fulfillment
Northbridge Fulfillment, a fictional regional logistics company, is preparing for its annual internal controls review. During testing of procurement and vendor payment controls, Internal Audit found t...
Cyber Due Diligence and Integration Governance for a Manufacturing Acquisition
Northbridge Industrial Group is acquiring Riveton Robotics, a midsize manufacturer that supplies automation components to critical infrastructure customers. The deal team has six weeks before signing ...
Escalating Governance Gaps in a Vendor Credit Model Program
NorthBridge Consumer Finance uses a third-party credit risk model to support loan approval decisions for a new unsecured lending product. The model was introduced quickly to meet growth targets, and t...
Escalating Governance Gaps in a Credit Decision Model Program
NorthBridge Consumer Finance uses a machine learning model to support unsecured loan approvals and credit limit recommendations. The model was developed by the analytics team and is used by lending op...
Open Source Release Governance and SBOM Assurance for a Telehealth Platform
Northstar Health Apps, a fictional telehealth software company, is preparing to release a new patient messaging service used by hospitals and clinics. The engineering team builds the service from seve...
Govern Impact Tolerances for a Retail Broker's Trade Confirmation Service
NorthBridge Markets, a fictional mid-sized retail brokerage, is preparing for an operational resilience steering committee meeting. The board previously identified the Trade Confirmation Service as an...
Policy Exception and Risk Acceptance Governance for Legacy Vendor Access
Northbridge BioSystems is a fictional medical device company preparing for an internal audit of its governance program. A critical laboratory scheduling application still relies on a legacy integratio...
Policy Exception and Waiver Operations for Legacy Endpoint Encryption
Northbridge Biologics is preparing for an internal governance review after several business units requested temporary relief from a newly approved endpoint encryption policy. The policy requires full-...
Freeze the Right Records During a Product Safety Lawsuit
Northpine Home Systems, a fictional manufacturer of smart air purifiers, is facing a lawsuit after several customers alleged that a firmware defect caused overheating in one device line. The legal dep...
Governing New Regulatory Obligations After a Cross-Border Product Launch
Northstar Biologics, a fictional medical device distributor, is expanding its remote patient monitoring service into two new countries. The company already maintains a general compliance register for ...
Update Regulatory Obligations After a Cross-Border Product Expansion
Northstar Mutual, a fictional regional insurance administrator, launches a new online claims portal for small-business customers in two additional countries. The product team focused on speed to marke...
Govern a Firewall Logging Exception with Compensating Controls
NorthBridge BioServices, a fictional healthcare analytics company, is preparing for an internal controls review after a regional acquisition. During a control attestation, the security engineering tea...
Executive KRI Governance for a Rapidly Expanding SaaS Business
Northstar Atlas, a fictional B2B SaaS company, has grown through two acquisitions and now operates across North America and Europe. The board risk committee has asked the CISO, CFO, and Head of Enterp...
Segregation of Duties Governance for Enterprise Business Processes
Northbridge Foods, a fictional global manufacturer, is preparing for an internal audit of segregation of duties (SoD) across its procure-to-pay and order-to-cash processes. During a recent ERP moderni...
Segregation of Duties Governance for Grant-Funded Procurement
Northbridge Community Health, a fictional regional nonprofit, receives several government and foundation grants that are not subject to SOX but do require strong internal control over spending, confli...
Quarter-End Management Review Governance Breakdown
NorthBridge Home Systems, a fictional public manufacturer of smart building controls, is preparing for its year-end Sarbanes-Oxley testing. The company relies on entity-level controls to support finan...
Govern Retired Engineering Assets After a Data Center Exit
Northbridge BioSystems, a fictional mid-sized research software company, is closing a small regional data center after moving most workloads to a cloud platform. During the transition, the governance ...
Protecting Speak-Up Integrity During a Procurement Investigation
Northbridge BioSupply, a fictional medical distributor, receives an anonymous hotline report alleging that a regional procurement director pressured staff to bypass vendor due diligence and approve in...
Govern KMS Key Rotation and Retirement for Regulated Analytics Workloads
Northstar Biologics, a fictional pharmaceutical research company, uses a centralized key management service (KMS) to protect sensitive research datasets, manufacturing batch records, and regulated bac...
Cyber Insurance Readiness and Renewal Governance for a Mid-Market Manufacturer
Northforge Components, a fictional mid-market manufacturer, is preparing for its annual cyber insurance renewal. Last year, the company obtained coverage after answering a long security questionnaire,...
Govern Data Retention and Disposition for Claims Operations
Northpine Mutual, a fictional regional insurer, is preparing for an internal audit of its records management program. The claims division stores customer claim files across a document management platf...
Classify and Escalate a Payment Platform Outage Under DORA
Northbridge Mutual, a fictional EU-based insurer, relies on a cloud-hosted policy administration platform and an external payment gateway to collect customer premiums. On Monday at 09:12 CET, the oper...
Stabilize Critical Data Quality Controls for a Master Data Governance Program
Northstar Mutual, a fictional regional insurer, has launched an enterprise data governance program after executives found conflicting customer and policy data across finance, underwriting, and claims ...
Operating an Enterprise Risk Appetite, Tolerance, and Limit Framework
Northbridge Utility Services, a fictional regional energy distributor, recently expanded into smart-grid services and digital customer billing. After several quarters of inconsistent risk reporting, t...
Coordinate EU AI Act Compliance for a High-Risk Hiring System
Northstar Talent Systems, a fictional HR technology provider, sells an AI-based candidate screening platform to large employers in the EU. The platform ranks applicants, recommends shortlists, and fla...
Contain a Vendor Oversight Gap for a HIPAA Business Associate
North River Health Network, a fictional regional provider group, uses MedTranscribe Cloud, an external medical transcription vendor, to convert recorded physician notes into structured documents for t...
Cyber Due Diligence and Integration Governance for a Planned Acquisition
NorthBridge Health Systems, a regional healthcare technology company, is preparing to acquire MedAxis Analytics, a smaller SaaS provider that supports hospital reporting workflows. The deal team wants...
Coordinate NIS2 Governance and Incident Reporting for a Cross-Border SaaS Provider
AltoMere Cloud is a fictional B2B software provider that delivers identity and workflow services to mid-sized energy and transport customers across Germany, France, and the Netherlands. Because severa...
Coordinate NIS2 Governance and Incident Reporting for a Cross-Border Logistics Provider
BlueHarbor Grid Services is a fictional EU-based logistics technology provider that supports warehouse routing, customs data exchange, and delivery scheduling for several medium-sized transport operat...
Coordinate NIS2 Governance and Incident Reporting After a Supplier-Linked Outage
Northstrand Ferries, a fictional regional transport operator in the EU, recently updated its cyber governance program to align with NIS2 expectations. The board approved a policy requiring significant...
Classifying a Significant Cyber Event Under NIS2 Governance
Northbridge Water Services, a fictional regional drinking water operator in the EU, falls under NIS2 as an essential entity. On a Tuesday morning, the security operations team detects unusual outbound...
Cross-border Outage at an MSP: NIS2 Operational Readiness and Reporting
Novalytix Cloud Ltd. is a managed service provider (MSP) with its main establishment in Germany and customers across multiple EU Member States, including Germany and Poland. The company has classified...
Stabilizing SBOM Assurance for an Open Source Release Pipeline
Northstar Health Systems, a fictional digital healthcare SaaS provider, is preparing to sign a large public-sector customer that requires stronger open source software governance and SBOM assurance. T...
Governing Remote Vendor Access for a Water Treatment OT Environment
North Valley Water Authority operates a fictional regional water treatment plant with an OT environment that includes programmable logic controllers, human-machine interfaces, engineering workstations...
Govern Third-Party Access and Incident Escalation for an Open Banking Payment Initiation Service
NorthVale Pay is a fictional UK-based payment initiation service provider preparing for expanded supervision under PSD2 and the proposed PSR framework. The firm offers account-to-account payments for ...
Launching the Semiannual RCSA Cycle at Harborview Credit Union
Harborview Credit Union's Operational Risk team is kicking off the semiannual Risk and Control Self-Assessment (RCSA) cycle for Q2. Scope includes the Consumer Lending and Collections processes, plus ...
Legal Hold Breakdown During a Cross-Border Records Disposal Freeze
Northbridge Biologics, a fictional pharmaceutical company, receives notice of a product liability lawsuit involving a discontinued infusion pump accessory sold in the US, Germany, and Canada. The asso...
Stabilize Sanctions Governance After Screening Alert Backlogs
NorthRiver Trade Finance, a fictional regional lender, supports cross-border invoice financing for small exporters. Over the last two months, its sanctions screening vendor updated matching logic and ...
Govern DevSecOps Controls for a Regulated Product Release
Northbridge Health Systems, a fictional SaaS provider for regional clinics, is preparing a major release of its patient scheduling platform. The company adopted DevSecOps practices last year, but inte...
Architecture Review Board Escalation for an Unapproved Customer Analytics Integration
Northbridge Mutual, a fictional insurance company, uses a Security Architecture Review Board (ARB) to govern technology changes that may affect security, compliance, or enterprise architecture standar...
Stabilize Baseline Drift in a Regional Lending Platform
Northbridge Lending, a fictional regional finance company, runs its loan servicing platform across 120 Windows servers, 40 Linux servers, and a growing fleet of cloud-hosted application instances. Ove...
Segregation of Duties Governance Beyond SOX in a Global ERP Program
A fictional manufacturing company, Northbridge Components, has expanded through acquisitions and now runs finance, procurement, payroll, and plant maintenance processes across a shared ERP platform. T...
Software Licensing Compliance and Audit Response Governance at Northbridge Analytics
Northbridge Analytics, a fictional data services company with 1,200 employees, uses a mix of engineering tools, database platforms, and desktop productivity software purchased through reseller agreeme...
Strengthening SOX Entity-Level Controls and Management Review Governance at Alder Ridge Health
Alder Ridge Health is a fictional regional healthcare services company preparing for its year-end SOX assessment after rapid growth through two acquisitions. The CFO is concerned that several entity-l...
Strengthening Management Review Governance for Quarterly SOX Certifications
Northbridge Biologics, a fictional public company, is preparing for year-end SOX testing after a difficult second quarter close. Internal Audit found that several entity-level controls were described ...
Stabilize Management Review Governance for Quarter-End SOX Certification
NorthBridge Home Systems, a fictional public manufacturer of smart building equipment, is preparing for its year-end SOX testing. Internal Audit has raised concerns about entity-level controls tied to...
Prioritize Intelligence-Led Risk Action After Vendor Credential Abuse
Northbridge BioSupply, a fictional pharmaceutical logistics company, runs a threat intelligence governance program led by the CISO, enterprise risk team, and security operations manager. On Monday, th...
Govern ICS2 Shipment Data and Supplier Attestations Before EU Filing
NorthStar Components, a fictional electronics distributor, is preparing for the next phase of ICS2 filing obligations for goods moving into the EU. The trade compliance team discovers that entry summa...
Govern a New Vulnerability Disclosure Program After an Uncoordinated Researcher Report
Northbridge Health Systems, a fictional regional healthcare software provider, recently received a public social media post from an independent security researcher claiming the company's patient porta...
Scaling an Ethics Hotline: Intake SLAs, Escalations, and Independence
NorthRiver Components, a 1,800-employee manufacturer operating in the US and Mexico, has rolled out a third-party 24/7 multilingual ethics hotline (phone, web portal, and mobile app). The Compliance O...
Repair Governance Gaps in a Global Speak-Up Program
Northpine Biologics, a fictional pharmaceutical manufacturer, operates a whistleblower and speak-up hotline across 18 countries. The program is owned by the ethics office, while case intake is handled...
ARB Governance for a Regional CRM Modernization
Northbridge Mutual, a fictional insurance provider, is replacing several regional customer relationship management (CRM) tools with a single enterprise platform. Because the new platform will integrat...
Vendor Bank Detail Change Controls After a Suspected CEO Spoof
Northbridge Habitat Group, a fictional regional property developer, is preparing to release a $486,000 progress payment to a long-standing electrical subcontractor. On Tuesday morning, an accounts pay...
Rationalize Overlapping Controls Across Three Frameworks
Northbridge BioSolutions, a fictional mid-sized healthcare analytics company, is preparing for a combined internal audit covering ISO 27001, NIST CSF, and a customer-driven controls catalog based on H...
Executive Escalation During a Product Safety Recall
Northshore Nutraceuticals, a fictional consumer health company, discovers that a labeling error may have affected one batch of children's vitamin gummies distributed to three regional markets. The iss...
Prepare Claim-Ready Governance After a Ransomware Near Miss
Northbridge BioSupply, a fictional regional medical distributor, is renewing its cyber insurance policy after a ransomware near miss disrupted warehouse operations for six hours. Although no claim was...
Stabilize Data Classification and Handling Operations After a Product Launch
Northbridge Biologics, a fictional mid-sized life sciences company, recently launched a partner portal for research collaborators, clinical operations staff, and selected vendors. Two weeks after laun...
Tracing Revenue Recognition Data Across Policy Systems
Northstar Mutual, a fictional regional insurer, is preparing for an internal audit of its data governance program after a finance reporting issue delayed quarter-end close. The audit team wants proof ...
Align the Retention Schedule with Legal Hold Governance
Northbridge BioSystems, a fictional global medical device manufacturer, is preparing for an internal GRC review after a regulator questioned inconsistent retention practices across business units. The...
Govern WCAG Compliance for a Multi-Department Public Services Portal
Northbridge Civic Services, a fictional regional agency, runs a public web portal used for permit applications, bill payments, and appointment booking. After several complaints from screen reader user...
Governance Gaps in Sustainability Disclosure Readiness
Northbridge Components, a fictional global manufacturer, is preparing for its first investor-facing sustainability report that will include greenhouse gas emissions, workplace safety metrics, and supp...
Identity and Access Review Governance for JML and Privileged Access Oversight
NorthBridge BioServices, a fictional clinical research company, is preparing for an internal governance review after several audit findings related to identity lifecycle controls. The company uses a h...
Overdue Corrective Actions After a Vendor Risk Review
Northbridge Health Services runs a quarterly governance review of open issues from internal audits, risk assessments, and third-party oversight activities. During the latest review, the GRC manager fi...
Cyber Due Diligence and Integration Governance for a Cross-Border Acquisition
NorthBridge Industrial, a publicly traded manufacturing company, is acquiring VelaGrid Analytics, a smaller software firm that provides predictive maintenance platforms to energy clients. The deal tea...
Govern a Materiality Assessment for Enterprise Risk and Disclosure
NorthBridge Industrial Systems, a fictional publicly listed manufacturer, is preparing its annual enterprise risk report and sustainability disclosure. The general counsel, chief risk officer, finance...
Governing Open Source License Obligations Before a Public Sector Release
Northbridge Transit Solutions, a fictional company that builds scheduling software for regional bus operators, is preparing to release a new customer portal for a government-owned transit authority. D...
Payment Outage Scenario Testing and Impact Tolerance Breach Governance
Northbank Mutual, a fictional mid-sized retail bank, has identified the customer payments service as an important business service. The board-approved impact tolerance states that the service must not...
Refresh the RCSA Program for Third-Party Claims Operations
HarborShield Mutual, a fictional regional insurer, is preparing for its annual enterprise risk committee review. The Chief Risk Officer has asked the operational risk team to refresh the Risk and Cont...
Control the Lifecycle of Regulated Research Records
Northpine Biologics, a fictional life sciences company, is preparing for an internal audit after rapid growth in its research division. The company stores laboratory study records, quality approvals, ...
Coordinating a State Regulator Examination Response
HarborStone Community Bank receives notice of a targeted examination from its state banking regulator focused on consumer complaint handling, third-party oversight, and issue remediation governance. T...
Triage Rules for a Public Vulnerability Reporting Channel
Northbridge Health Systems, a fictional regional healthcare software provider, launches a public security.txt file and a dedicated email address for external vulnerability reports after several custom...
Stabilize Sanctions Screening Governance After Alert Backlogs
NorthRiver Industrial Components, a fictional manufacturer of navigation parts for commercial shipping firms, sells through regional distributors in Eastern Europe, Central Asia, and the Middle East. ...
Govern SBOM Quality for a Critical Vendor Release
Northstar Health Systems is preparing to deploy a new patient scheduling platform from a software vendor, AlderBridge Apps. Because the platform will connect to internal identity services and handle o...
Govern a Time-Bound Security Exception for Vendor Access
Northbridge BioAnalytics, a fictional research services company, is preparing for an internal audit of its security exception process. A laboratory operations platform used by external instrument vend...
Map Fourth-Party Exposure in a Critical Claims Processing Chain
HarborNorth Mutual, a fictional regional insurer, uses ClaimOrbit, a third-party SaaS provider, to process auto claims intake and adjuster workflows. During the annual vendor risk review, the operatio...
Whistleblower Hotline Governance and Investigation Triage at Northstar Biologics
Northstar Biologics, a fictional mid-sized pharmaceutical manufacturer, operates a global whistleblower hotline managed by an external intake vendor. Reports are routed into the company's case managem...
Escalating KYC Gaps in a High-Risk SME Onboarding Queue
NorthRiver Trust, a fictional digital payments firm, onboarded a small import-export customer called Blue Fern Trading Ltd. The customer was initially approved through the standard business onboarding...
Stabilize Digital Accessibility Compliance Operations After a Public Portal Rollout
Northbridge Benefits Exchange, a fictional regional public-services contractor, launched a redesigned citizen self-service portal for benefit applications, appointment scheduling, and document uploads...
Classify and Escalate an ICT Disruption at a Cross-Border Investment Platform
Northstar Transfer Services, a fictional EU investment services firm, relies on a cloud-hosted order routing platform to receive client trade instructions and send them to market venues. On Tuesday at...
Business Associate Oversight for a Cloud Transcription Vendor
Riverview Specialty Clinic relies on several outside vendors to support operations involving protected health information (PHI). One vendor, EchoScribe Health, provides cloud-based medical transcripti...
Coordinate NIS2 Governance and Early Incident Reporting for a Regional Energy Operator
NordVale Grid Services is a fictional medium-sized electricity distribution operator serving two EU member states. The company recently expanded its governance program to align with NIS2 obligations. ...
Open Source Software Governance and SBOM Compliance During a Product Release
Northstar Health Systems, a fictional software company, is preparing a quarterly release of its patient scheduling platform for hospital customers. The company has recently adopted an internal open so...
Preserve HR and Procurement Records During a Cross-Border Vendor Dispute
Northbridge Biologics, a fictional pharmaceutical manufacturer, receives notice of a likely lawsuit from a former regional distributor alleging wrongful termination of a supply agreement and destructi...
Commercial Open Source Governance During an Enterprise Analytics Launch
Northbeam Metrics, a fictional B2B analytics company, is preparing to launch a new enterprise reporting module sold under annual contracts. The product team accelerated development by combining propri...
Escalate a Distributor Screening and Export Classification Conflict
Northstar Photonics, a fictional U.S.-based manufacturer of industrial imaging modules, is preparing a shipment of thermal sensing assemblies to a long-standing distributor in the United Arab Emirates...
Triage and Escalation in a Regional Whistleblower Investigation
Northbridge Care Services, a fictional healthcare services company, operates a whistleblower hotline managed by its ethics and compliance team. A report is submitted anonymously alleging that a region...