Systems Live · v1.11.1

Rycode GRC

A full governance, risk, and compliance platform — four interconnected registers, an executive enterprise profile, and a live 5×5 risk heat map. Built from scratch in one week of evenings and pre-dawn hours. No framework. No backend. Just the browser.

The problem

GRC tools are heavy, slow, and rented.

Enterprise GRC platforms solve real problems, but they solve them behind six-figure license fees, multi-quarter implementations, and rigid data models. For small teams, nonprofits, and internal training — a sandbox you can pull up in a browser is often more useful than the real thing.

Rycode GRC is that sandbox. It demonstrates the full shape of an ERM program — risks, controls, business units, issues, a heat map, an executive profile — in a self-contained, zero-install environment.

The approach

Vanilla everything. localStorage as the database.

Every design choice came from the same constraint: keep the stack small enough that one person can hold it entirely in their head. That ruled out frameworks, build tools, and hosted backends from day one.

Data lives in the browser's localStorage. Each record has an ID, a set of foreign keys to other records, and a migration path that runs at page load. Filters, charts, and cross-register lookups are all pure JavaScript over those in-memory arrays. It's not a production architecture — it's a pedagogical one, and that's the point.

What it does

Nine pages, four registers, one shared data model.

Risk Register

Full CRUD over risk records with inherent/residual scoring, status lifecycle (Emerging → Monitored → Closed), and click-to-filter charts.

Control Register

Controls with effectiveness ratings, mapped to risks via reverse lookup. Powers a coverage heat map.

Business Unit Tree

Hierarchical BU model with drill-through from BU → risk register, filtered by owner.

Issue Register

Severity, status, and ownership tracking for open items arising from the risk and control reviews.

Enterprise Profile

Nine-section executive rollup — posture, heat map, composition, controls, treatment impact, BU hotspots, watch list, top risks, open issues.

Risk Heat Map

Full 5×5 grid with per-cell drill-through to the filtered risk list. Color-coded by the standard scoring formula.

Stack

Everything is a flat file.

  • HTML5 — nine static pages, semantic where it matters.
  • CSS3 — one stylesheet, custom properties for the "Modern Navy" palette, no preprocessor.
  • JavaScript (ES6+) — one app.js shared across pages, plus per-page init blocks.
  • Chart.js 4.4 — via CDN, no bundler.
  • localStorage — five keys (rycode_risks, rycode_controls, rycode_business_units, rycode_issues, rycode_unlocked), each with an idempotent migration block.
  • Netlify — deploy target, manual publish for deliberate releases.
  • Git on main only — commit messages serve as the change log.

Version history

Eleven releases, in order.

v1.7.0 · Modern Navy palette + entrance animations.
v1.8.0 · Click-to-filter charts on all four registers.
v1.8.3 · Soft privacy — robots noindex and client-side password gate.
v1.9.0 · Risk status lifecycle with localStorage migration.
v1.10.0 · Enterprise Profile — posture, heat map, composition, controls, top 10.
v1.10.1 · Enterprise Profile phase two — treatment impact, BU hotspots, watch list, issues.
v1.11.0 · CSV export across all registers; centralized escapeHtml.
v1.11.1 · Terminology cleanup (BU → Business Unit); enum constants extracted.
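An added example, not code from the project's own app.js, showing the three pieces the localStorage data model above and the v1.11.0 entry describe: a migration that is safe to re-run on every page load, the centralised escapeHtml, and a CSV cell writer that also neutralises spreadsheet formula prefixes, which an HTML escaper does not cover. The key name rycode_risks and the status values are from the page; the record fields (id, title, owner) and the function names are assumptions.

```javascript
// Added example (not the project's app.js). Key name and statuses are from the
// page; the record shape {id, title, owner, status} is an assumption.
const RISK_STATUSES = ['Emerging', 'Monitored', 'Closed'];

// Idempotent migration: records written before the status lifecycle existed
// get a default, records that already carry a valid status are left alone,
// so running it on every load is harmless.
function migrateRisks(risks) {
  return risks.map(r => ({
    ...r,
    status: RISK_STATUSES.includes(r.status) ? r.status : 'Emerging',
  }));
}

// Read, migrate and write back. `storage` is any object with the
// localStorage getItem/setItem interface (window.localStorage in the browser).
// Corrupt or non-array JSON is treated as an empty register, not a crash.
function loadRisks(storage, key = 'rycode_risks') {
  let parsed;
  try { parsed = JSON.parse(storage.getItem(key) || '[]'); } catch { parsed = []; }
  const risks = migrateRisks(Array.isArray(parsed) ? parsed : []);
  storage.setItem(key, JSON.stringify(risks));
  return risks;
}

// Centralised HTML escaping: every user-entered field passes through here
// before it goes into innerHTML, so a risk title containing markup renders
// as text instead of being interpreted by the browser.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// CSV cell: RFC 4180 quoting, plus an apostrophe prefix for cells starting
// with = + - @ tab or CR so a spreadsheet opens them as text, not a formula.
// Caveat: negative numbers exported as text get the prefix too.
function csvCell(value) {
  let s = String(value ?? '');
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Header row followed by one row per record, CRLF-separated.
function risksToCsv(risks, fields = ['id', 'title', 'owner', 'status']) {
  const rows = [fields, ...risks.map(r => fields.map(f => r[f]))];
  return rows.map(row => row.map(csvCell).join(',')).join('\r\n');
}
```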

What's next

Saved views, policies, coverage.

Next up: named filter combinations (Saved Views), a Policies module that closes the classic Policy → Control → Risk triangle, and a coverage heat map that shows which risks are covered versus naked.

The end goal is a full demo-ready GRC triangle that anyone — trainer, auditor, risk analyst learning the shape of the work — can open in a browser and play with for an afternoon.