Finray platform · The control plane
Ordinis
Governance, risk, compliance, approvals, and audit evidence — in one operating system.
Controls propagate. Approvals are routed. Evidence is captured as work happens.
The problem
Compliance today is mostly document management with a workflow layer bolted on. Evidence is gathered only when an audit is imminent. Ordinis treats controls as first-class operational objects — so evidence is produced as a by-product of running the business.
A look at the dashboard
What a risk officer sees when they open Ordinis.
Representative UI preview · values synthetic · not a live customer environment
One real workflow
From access request to audit trail — in one system.
What a second-line team usually spreads across a ticketing tool, a compliance sheet, and a mailbox, Ordinis runs as a single traceable flow.
- 01 Initiate: Access request filed. An operator requests a permission or scope change. Context, business justification, and linked entities are captured at the source.
- 02 Validate: SoD + policy check. Segregation-of-duties validators run before anything is approved. Conflicts block the request with a traceable reason.
- 03 Assist: AI suggestion (not decision). Ordinis suggests routing, flags adjacent risk, and surfaces prior approvals. The suggestion is an audit row — it never mutates state.
- 04 Approve: Human sign-off. The accountable approver accepts or rejects with a reason. Dual-control and escalation rules apply where the policy requires them.
- 05 Record: Evidence + audit chain. Decision, supporting evidence (hash-pinned), and downstream notifications land in an append-only audit trail that auditors can read directly.
The same pattern runs incidents, change requests, policy attestations, and risk recalculation proposals. Event propagation, evidence handling, and the audit chain are shared — no parallel ledgers.
Three flow maps · interactive
Three views of how Ordinis works.
Switch tabs to follow risk through its lifecycle, see how the AI pipeline stays inside your tenant, or trace a single human-in-loop approval.
Business context informs risks. Controls and KRIs monitor them. Incidents loop back into re-scoring. Policies and attestations close the loop into one audit chain.
Your business process map is the canvas
Risks, controls and KRIs all tie back to a process and a business unit. Change a process and every dependent control re-evaluates automatically — no manual cross-reference, no drift between the org chart and the risk register.
Board structure shapes every approval
Committees, charters and delegation rules are first-class objects. Approval thresholds and review escalations derive from your governance map, not from hard-coded constants in a workflow tool.
Outsourcing is part of the risk picture
Significant third parties (FINMA Circular 2018/3) sit alongside internal processes. Their risks, controls and incident exposure are reviewed on the same cadence as in-house functions.
One risk register, one source of truth
Risks live in one register, not in three SaaS tools. Inherent and residual scores are visible side-by-side with the controls and assumptions that explain the delta between them.
Controls reduce risk — and are evidenced
Each control has an owner, a frequency and an evidence requirement. Re-review queues automatically when the underlying risk or the linked policy changes. Owners are not asked to chase the change manually.
Indicators surface emerging issues early
Threshold breaches generate signals — not noise. Suppression windows and dedup rules prevent the same condition from firing twice in a quiet hour, so reviewers see the breach once with full context.
Incidents loop back into risk
Operational incidents and ICT events (FINMA Circular 2023/1) re-score affected risks and trigger lessons-learned attestations against the same audit chain. Nothing is filed and forgotten.
Policies are versioned and signed
Policy changes propagate to every linked control and attestation. Old signatures stay immutable — you see the new signature happen, never overwrite the old, so the auditor can reconstruct who knew what when.
Attestations are the human audit trail
Owners and reviewers sign off on policies, control effectiveness and remediation. Reminders, escalations and expirations are workflow primitives — not an email chain that lives outside the platform.
Everything lands in one audit chain
Every change, approval, attestation and incident is recorded as an append-only row with integrity hashes. The Prüfgesellschaft does not have to reconstruct the flow from four different ledgers.
These visualisations simplify the live engine for clarity. Full rule definitions, model inputs and audit-chain contracts are shared under NDA during the evaluation window.
What Ordinis does
Capabilities
- Control inventory: Each control has an owner, version, and query surface — not a shared drive.
- Policy propagation: Change a policy once; downstream controls update with a written approval record.
- Approval routing: Multi-party approvals expressed as state machines, not form fields.
- Evidence capture: Recorded as work happens, not reconstructed before the audit.
- Workflow surface: Tasks, control cycles, and attestations as structured objects.
Why it is different
- Controls are data, not documents.
- Policy propagation is written down, not delivered by email.
- The work you do running the business is the evidence you show the auditor.
Applied on Ordinis
Solutions built on Ordinis
- Pync: Applied compliance workflow — tasks, approvals, and controls for compliance operations teams.
Editorial — Finray Intelligence
Vendor-neutral buyer guides and regulator-side trackers for the categories Ordinis competes in.
Finray Intelligence publishes evidence-disciplined buyer guides for the regulated-software categories Ordinis ships in, plus regulator-side trackers of the DORA and topology-alignment supervisory pathways institutions running an Ordinis-class evidence platform must satisfy. Where Ordinis appears in the buyer guides it is recused from any qualitative ranking; every claim is sourced to a regulator page, vendor page or official journal with an accessed-date. See the editorial methodology for the full principles.
- Buyer guide: Swiss FINMA GRC and ICS software. Decision graph for Swiss banks, securities firms and asset managers selecting GRC and ICS software under FINMASA, FINMA Circulars 08/24, 17/01, 18/03, 23/01, AMLA and FADP. 13 vendors mapped to the regulatory anchors. Ordinis recused from ranking.
- Tracker: DORA Article 28 ICT third-party Register of Information tracker. Quarterly-refreshed tracker of the DORA Article 28 Register of Information supervisory pathway across every EU and EEA national competent authority, plus the EBA / ESMA / EIOPA consolidation layer. Submission portal status, 2026-cycle deadline and filing schema reference per regulator. Cross-cluster reference: lives in the Authority cluster on the Intelligence hub but drives the GRC and ICS evidence cadence Ordinis customers run against.
- Buyer guide: Core banking deployment topology and regulatory alignment. Buyer guide comparing multi-tenant SaaS, single-tenant in customer-cloud-account, and on-premise hybrid topologies for regulated financial institutions under DORA Articles 28-31, EBA outsourcing guidelines, PRA SS2/21, FCA SYSC 8 / FG16/5 and FINMA Circular 2018/3. Cross-cluster reference: lives in the Corebanq cluster on the Intelligence hub but the operational-risk control architecture is the same surface Ordinis customers manage as ICT third-party register evidence.
FAQ
Frequently asked questions.
- What is Ordinis?
  Ordinis is a governance, risk, compliance and internal-control evidence platform. It captures policy approvals, risk ownership, exception handling, vendor and AI inventory, and board/audit evidence at the moment of action — not in the run-up to an audit.
- Does Ordinis replace existing GRC tools?
  Ordinis can replace assembled GRC stacks of spreadsheets, document management systems, and shared drives where evidence is reconstructed before audit. It can also be adopted alongside enterprise GRC platforms for the surfaces those platforms underserve — control evidence at the moment of action, policy propagation with written approval records, and structured exception workflow.
- How are controls modeled?
  Controls are first-class operational objects, not documents. Each control has an owner, version, and query surface. Changes to a control or its parent policy carry a written approval record forward.
- How is audit evidence captured?
  Evidence is captured as work happens, not reconstructed before the audit. The work the institution does running the business is the evidence it shows the auditor — Ordinis treats evidence capture as a by-product of operations, not as a separate workstream.
- How are policy changes propagated?
  A policy change in Ordinis propagates to downstream controls with a written approval record at each step. Whether the change reached every applicable control is queryable, not assumed. Stale controls do not silently persist after the parent policy moves.
- Who is Ordinis built for?
  Ordinis is built for regulated financial institutions whose internal controls must withstand external supervision — Swiss FINMA-supervised firms, EU/EEA PIs and EMIs, MiCA-authorised CASPs, UK FCA-authorised firms, and Canadian RPAA-regulated PSPs and FINTRAC-registered MSBs. The applied compliance solution Pync is built on Ordinis.
- Who is behind Ordinis?
  Ordinis is built by Finray Technologies Limited, an EU-incorporated fintech firm with operations in Limassol, Cyprus and engineering in Zürich. The team is distributed across the EU and beyond.
Book a briefing.
Bring one operating problem. We will map it to ledger state, risk decisions, control evidence, and deployment constraints.