Building a Unified GRC Operating Model: One Framework, Many Obligations

Standarity Editorial Team · GRC Practitioners & Compliance Programme Leaders · 9 min read

Walk into most mid-sized organisations and ask the GRC team to show you their control library. You will likely see several. One for ISO 27001. One for SOC 2. One for the pieces of NIST 800-53 they need for a federal customer. One for HIPAA. One for whatever auditor showed up most recently. Each register has its own controls, its own evidence, its own ownership. The same control implemented in operations gets evidenced four times in four different formats. This is not a programme. It is administrative overhead with a compliance label.

What "Unified" Actually Means

A unified GRC operating model has one master control library. Every control implemented in operations is recorded once. Every framework the organisation is in scope for maps to that library: a single control might satisfy ISO 27001 A.5.15, SOC 2 CC6.1, and NIST 800-53 AC-3 simultaneously. The mapping is documented; the control is implemented once; the evidence is collected once and reused across all relevant reports. The mapping should also record whether the control meets each requirement fully or only in part, because auditors test the requirement, not the control, and a partial mapping that is presented as full is where reused evidence gets rejected.

The unification is not just at the control level. It runs through the whole programme: one risk register that serves multiple frameworks, one obligation register, one set of issue and corrective action workflows, one evidence repository, one cadence for management review. Frameworks are projected onto this shared infrastructure rather than each maintaining its own.

The Operating Model Components

  • Master control library — the canonical source, with framework mappings as attributes, not as separate libraries
  • Risk register — risks classified by domain (info sec, privacy, AI, operational, third-party) but in a single artefact
  • Obligation register — laws, regulations, contracts, standards, mapped to the controls that satisfy them
  • Evidence repository — collected once, indexed for reuse across audits
  • Issue and exception management — single workflow for control deficiencies regardless of which framework surfaced them
  • Audit programme — internal audits scoped against the master control library, not against individual frameworks

The hardest cultural shift is convincing each framework owner that their framework is not getting demoted. ISO 27001 still gets certified. SOC 2 still gets attested. GDPR compliance still gets demonstrated. What changes is that the work is shared, not parallel. The certification or attestation report is generated from the unified infrastructure rather than from a framework-specific silo.

How to Get There Without a 12-Month Programme

Start with one new framework adoption and use it as the forcing function. The next time the organisation needs to add a framework — perhaps ISO 42001, perhaps a new regulator requirement — refuse to spin up a new register. Map the new framework onto the existing library, identify the gaps, implement them as additions to the existing control set. The framework gets adopted, the unified model gets one step further, and nobody has to fund a separate transformation programme.

For organisations that are already deeply siloed, the consolidation is harder. Start with the largest control library you have and use it as the seed. Map other frameworks onto it incrementally, retiring duplicates as you confirm equivalence. The first two consolidations are slow. The next ten are fast. The work compounds.
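The mechanics of a master library with framework mappings as attributes, and of the two consolidation steps described above (mapping a new framework and finding gaps; spotting duplicate controls that siloed registers left behind), as an added example. This is illustrative code written for this article, not a Standarity tool or any GRC platform's data model. The control library is constructed: ISO 27001 A.5.15, SOC 2 CC6.1 and NIST 800-53 AC-3 are the identifiers the article uses; the remaining control, requirement and evidence identifiers, and the framework named NEW-FW, are hypothetical placeholders.

```python
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Control:
    """One control as implemented in operations, recorded exactly once."""
    control_id: str
    title: str
    owner: str
    # Framework mappings are attributes of the control, not separate libraries:
    # framework name -> set of requirement identifiers this control satisfies.
    mappings: dict[str, set[str]] = field(default_factory=dict)
    # Evidence is attached to the control, so every mapped framework reuses it.
    evidence: set[str] = field(default_factory=set)


def sample_library() -> dict[str, Control]:
    """Constructed sample. A.5.15 / CC6.1 / AC-3 come from the article;
    every other identifier here is a hypothetical placeholder."""
    controls = [
        Control("CTL-01", "Logical access control", "IAM lead",
                {"ISO 27001": {"A.5.15"}, "SOC 2": {"CC6.1"}, "NIST 800-53": {"AC-3"}},
                {"EV-access-review-Q1", "EV-rbac-config-export"}),
        Control("CTL-02", "Change management", "Platform lead",
                {"ISO 27001": {"ISO-CHG-X"}, "SOC 2": {"SOC-CHG-X"}},
                {"EV-change-ticket-sample"}),
        # Leftover from a siloed SOC 2 register: the same operational control as
        # CTL-01, recorded under another name and evidenced a second time.
        Control("SOC2-CC6.1", "Restrict logical access (SOC 2 register)", "Compliance analyst",
                {"SOC 2": {"CC6.1"}},
                {"EV-access-review-Q1-soc2-copy"}),
    ]
    return {c.control_id: c for c in controls}


def coverage(lib: dict[str, Control], framework: str) -> dict[str, set[str]]:
    """For one framework: requirement id -> control ids that claim to satisfy it."""
    out: dict[str, set[str]] = {}
    for c in lib.values():
        for req in c.mappings.get(framework, set()):
            out.setdefault(req, set()).add(c.control_id)
    return out


def adopt_framework(lib: dict[str, Control], framework: str,
                    new_mappings: dict[str, set[str]]) -> dict[str, Control]:
    """Map a new framework onto the existing library in place (control id -> requirements)
    instead of spinning up a new register."""
    for control_id, reqs in new_mappings.items():
        lib[control_id].mappings.setdefault(framework, set()).update(reqs)
    return lib


def gap_analysis(lib: dict[str, Control], framework: str, required: set[str]) -> set[str]:
    """Requirements of `framework` that no existing control maps to: the additions to implement."""
    return set(required) - set(coverage(lib, framework))


def duplicate_candidates(lib: dict[str, Control]) -> set[tuple[str, str]]:
    """Pairs of controls that claim the same (framework, requirement): candidates for
    retirement once their equivalence is confirmed by a human, not by this function."""
    claims: dict[tuple[str, str], set[str]] = {}
    for c in lib.values():
        for fw, reqs in c.mappings.items():
            for req in reqs:
                claims.setdefault((fw, req), set()).add(c.control_id)
    return {pair for ids in claims.values() for pair in combinations(sorted(ids), 2)}


def evidence_reach(lib: dict[str, Control]) -> dict[str, set[str]]:
    """Evidence id -> frameworks it serves; shows the reuse a single collection buys."""
    out: dict[str, set[str]] = {}
    for c in lib.values():
        for ev in c.evidence:
            out.setdefault(ev, set()).update(c.mappings)
    return out


if __name__ == "__main__":
    lib = sample_library()
    # Hypothetical new framework NEW-FW with three requirements; two already map.
    adopt_framework(lib, "NEW-FW", {"CTL-01": {"NF-1"}, "CTL-02": {"NF-2"}})
    print("gaps in NEW-FW:", gap_analysis(lib, "NEW-FW", {"NF-1", "NF-2", "NF-3"}))
    print("duplicate candidates:", duplicate_candidates(lib))
    print("frameworks served by EV-access-review-Q1:", evidence_reach(lib)["EV-access-review-Q1"])
```

Running it reports NF-3 as the only gap, flags CTL-01 and SOC2-CC6.1 as a duplicate pair to review, and shows the single access-review evidence item serving four frameworks once NEW-FW is mapped. The duplicate check deliberately stops at "same requirement claimed twice": confirming that two controls are actually the same operational control is the manual equivalence step the article describes, and automating it is where consolidations go wrong.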

What Tooling Helps and What Does Not

GRC tooling is plentiful and mostly disappointing. The tools work well in proportion to how clean your underlying operating model is. Buying a sophisticated GRC platform before defining the unified model produces an expensive container for the same fragmentation you had on spreadsheets. Define the model first, then choose tooling that supports it. Concretely, the tool must let one control carry mappings to many frameworks and attach evidence at the control level; a platform that instantiates a separate control set from each framework template simply rebuilds the silos. The right tool with the wrong model is worse than the wrong tool with the right model.
