The real work of compliance is not writing — it is re-stitching the same web of connections by hand every cycle, because the tools teams use do not keep the links intact.
The Web Most Teams Maintain by Hand
A single control — say, access review — sits at the centre of a web. The policy defines who needs access. The risk register says what happens if access is not reviewed. The evidence folder holds the quarterly attestation logs. The vendor record ties it to a specific supplier. Three different frameworks (SOC 2, ISO 27001, PCI DSS) each ask about it in slightly different language.
To produce a quarterly report, a compliance manager traces each thread by hand: open the policy document, cross-reference the risk ID, find the evidence folder, check which frameworks care. The next quarter, another team member does the same work from scratch, because nothing held the links.
Teams track 60+ standards and field 300+ vendor assessments a year (practitioner-cited, illustrative). Every interaction requires re-tracing the same connections. The web is real. The links are invisible. The tools most teams use keep it that way.
Why Spreadsheets Sever the Links
Spreadsheets are excellent for computation and tabular layout. They are terrible at representing relationships between distinct things.
A row in a risk register has no native way to say: this risk is mitigated by this control, which is defined in this policy, evidenced by these quarterly attestations, and asked about in SOC 2 CC6.1 and ISO 27001 A.9. You can type that information into a cell — a text note, a reference ID, a hyperlink — but nothing in the spreadsheet enforces or preserves the connection. If the control changes, the risk row stays the same until someone remembers to update it. If the framework matrix moves to a new version, every cross-reference must be re-entered manually.
The structural gap is fundamental: spreadsheets store values in cells, not relationships between cells. A formula can sum a column, but it cannot keep a policy linked to the risk register row that references it, to the evidence folder that supports it, to every questionnaire answer that draws on it. Those links exist only in the team's institutional memory. When the person who holds that memory leaves, the links leave with them.
| What teams maintain | How spreadsheets handle it | What breaks |
|---|---|---|
| Policy ↔ Control | Manual cell reference, text note | No enforced link; updates in one do not propagate |
| Risk ↔ Control | Risk ID in a column | ID becomes stale; cross-reference breaks |
| Control ↔ Evidence | Folder path in a cell | Path changes are not tracked |
| Control ↔ Framework | Separate matrix sheet | Framework updates require full re-entry |
| Vendor ↔ Control | Multiple sheets or files | Vendor changes orphan control assignments |
Every gap adds a manual reconciliation step before any output — a report, a questionnaire, an audit request — can be trusted.
What "One Connected Record" Changes
The alternative is straightforward in concept: a workspace where every artifact — policy, risk, control, evidence item, vendor record, framework obligation — is connected to every other one it relates to. Change one and the connected items reflect the change. Add a control and the frameworks that ask about it show the new entry. Archive a vendor and the controls assigned to it surface for reassignment.
This is not a new idea. Structured data systems have worked this way for decades. But compliance tooling has largely avoided it, partly because the domain is messy (controls overlap, frameworks diverge, evidence varies by auditor) and partly because most tools were built to collect or report, not to hold the fabric together.
A connected record changes the daily experience:
- Drafting a policy update: the agent reads the current policy, checks which controls reference it, reviews the risk register for related entries, and produces a cited proposal — all from the same workspace.
- Filling a questionnaire: each answer draws on the evidence base directly. If the evidence exists, the answer cites it. If it does not, the gap is surfaced instead of papered over.
- Scoping a new framework: the existing evidence base maps across automatically. Every control already linked to SOC 2 is available for ISO 27001 or NIST CSF without re-entering the evidence.
The difference is not faster typing. It is no longer needing to re-trace the web by hand.
The Re-Stitching Tax Per Cycle
The cost of severed links is hard to see because it is distributed across every task. A report takes 45 minutes — not because the content is complex, but because finding and verifying each cross-reference takes most of that time. A vendor decision proposal stretches to three days (practitioner-cited, illustrative) because the same context must be gathered, verified, and linked for each new review. A questionnaire response re-explains a control that the team has already documented, because the link between the answer and the source evidence was severed when the last report was filed.
The re-stitching tax is the sum of these small, repeated searches for connections that should have stayed intact. It compounds every cycle because each new turn starts from the last output, not from a workspace that remembers what was linked before.
A connected record breaks this pattern: every PDCA phase — Plan, Do, Check, Act — reads from the same evidence base. Nothing gets re-entered or re-explained. The work accumulates rather than resets.
Compass Close
Compass by Truvara is built around this connected-record idea. The workspace holds policies, risks, controls, evidence, vendors, and framework mappings as linked artifacts — change one and the rest surface the change. Every PDCA phase draws on the same fabric. The agent reads from it, cites from it, and proposes updates within it. It does not auto-accept a change's downstream impact — review and approval remain the human's job, because the links are surfaced, not severed, and someone still needs to decide. Watch Compass propose a connected record in practice at Compass by Truvara.
FAQ
Why do teams not just use a database instead of spreadsheets for GRC?
Many do — but a database alone does not solve the problem if it is just a structured version of the same risk register, with the same manual cross-references entered as foreign keys. The issue is not storage format; it is whether the tool surfaces and preserves the relationships between artifacts across every workflow phase, or expects the user to re-enter them each time.
Does a connected record mean every framework maps perfectly to every control?
No. Frameworks legitimately diverge — SOC 2 CC6.1 is not identical to ISO 27001 A.9, even when they address similar concepts. A connected record shows where the overlap is and where it is not — much like the cross-framework crosswalk described above — so the team can decide how to handle each difference rather than rediscovering it every cycle.
What happens when a framework updates?
The existing evidence still links to the old framework requirements. A connected record surfaces which controls need re-mapping, which evidence still applies, and where the new version introduces gaps — without requiring a full rebuild of the evidence base.
Does a connected record require a single tool across every team?
Not necessarily. A connected workspace works at the team level — the compliance or GRC function that owns the evidence, controls, and framework mappings. Wider organisational connections (engineering logs, HR records, legal contracts) can be imported as evidence artifacts rather than live-linked.