How Blauwtrust Groep centralized its control framework in CERRIX GRC Platform
“CERRIX has given us overview, insights and structure. It allows us to demonstrate control in a way that is consistent and efficient, and it supports the way our governance framework continues to evolve.”
Blauwtrust Groep is a financial service provider in the Dutch residential mortgage market, acting as the bridge between investors and consumers and connecting supply and demand for mortgage funding. Through its entities Quion, DMPM and ROMEO, the group manages more than €117 billion in mortgages and has built a solid position in the industry over the past two decades.
Because Blauwtrust Groep serves a wide range of financial institutions, including banks, insurers and pension funds, the organisation operates within a complex regulatory environment. Each client brings its own regulatory expectations, audit and assurance requirements, making a reliable and transparent internal control framework essential.
An evolving assurance landscape and the need for centralisation
As Blauwtrust Groep expanded its institutional client base, assurance requirements became increasingly complex. Clients such as banks, insurers and pension funds require greater transparency, consistency and traceability across multiple internal control and assurance frameworks. Supporting standards such as ISAE 3402, SOC 2 and the ISO frameworks highlighted the need to bring risks, controls and test results together in one central environment.
“We had the right controls in place,” the team explains. “What we needed was a central environment that brought everything together and provided one unified view as a single source of truth.” Karin Nadels, Senior Risk Manager, Blauwtrust Groep.
Implementing risk and control frameworks in a GRC platform
Blauwtrust Groep decided to implement a central GRC platform and chose CERRIX to support this approach. A key factor was that the tool allowed the organisation to configure and manage its framework itself, rather than relying on a predefined model or extensive external support.
The internal team:
- uploaded and cleaned the existing control framework
- structured risks, controls and testing internally
- gradually onboarded departments and users
- expanded scope as new frameworks were added
“We did most of the implementation ourselves,” says Risk Manager at Blauwtrust Groep.
“We were already on top of our control framework, so we could build it up step by step in CERRIX.”
CERRIX supported this by providing a central environment where risks, controls, tests, findings and evidence could be linked and maintained consistently.
Test once, comply with many frameworks
By consolidating risks, controls and testing in one environment, Blauwtrust Groep aligns a single internal control framework with multiple external standards such as ISAE 3402, SOC 2 and ISO.
This allows controls to be tested once and reused across different assurance requirements, without losing traceability.
“Instead of running similar tests several times for different frameworks, we now perform them once and use them across multiple obligations,” Karin Nadels, Senior Risk Manager, Blauwtrust Groep notes. “It saves time and improves quality.”
This approach does not necessarily reduce the total number of hours spent on control testing. In fact, Blauwtrust Groep now tests more controls than before. What has changed is how that effort is spent: testing is more structured, results are clearer, and reporting and follow-up are more consistent.
“If you look at it with a stopwatch, we probably spend more time,” the team reflects.
“But we’re doing more testing, with better reporting and better follow-up. Overall, it’s more effective and more efficient.”
Driving adoption: consistent engagement at every level
A decisive factor in the success of the roll-out was the combination of top-down endorsement and bottom-up engagement.
Executive endorsement
From the outset, the board viewed CERRIX as a strategic investment in the operational integrity Blauwtrust already upholds. This endorsement is further strengthened by having board members accountable for findings that are registered in the application, reinforcing board members' involvement and the management of governance responsibilities.
Engagement with managers and the first line
Blauwtrust Groep organised information sessions for managers to explain why the tool was being introduced and what it would mean for their teams. Numerous hands-on training sessions followed for first-line users, supported by a dedicated Teams channel for questions and best practices. The risk team prioritised timely, personal guidance to ensure users remained confident and engaged.
Alignment with auditors
Both the internal and external auditors aligned with Blauwtrust Groep’s approach of centralising risks, controls and testing in CERRIX. Sampling and testing are supported based on the information registered in the platform, reinforcing the principle that control-related activities are captured centrally and can be traced consistently.
A cultural shift after one year
Within a year, CERRIX has become the central reference point for risk and control at Blauwtrust Groep. More than 130 first-line users now work with the platform, and control activities are handled in a consistent and structured way.
What is most notable today is the cultural shift: CERRIX is no longer viewed as an “implementation project” but as a standard part of the organisation’s governance infrastructure. “People refer to it in meetings, ask questions about it and use it as part of their day-to-day responsibilities.” Karin Nadels, Senior Risk Manager, Blauwtrust Groep.
The outcomes: clarity, consistency and ownership
Blauwtrust Groep has strengthened its control environment and now benefits from:
- one auditable source of truth for risks, controls, tests and findings
- a more coordinated approach to overlapping external frameworks
- increased control testing with clearer reporting in similar timeframes
- more consistent evidence collection and follow-up
- stronger ownership and in-house expertise
“Because we configured it ourselves, we know exactly how our environment works. That gives us speed, autonomy and clarity.” Risk Manager, Blauwtrust Groep
Looking ahead
With a stable central framework in place, Blauwtrust Groep continues to expand its use of CERRIX: plans are in place to introduce data management, KRIs and audit management over time.
The foundation remains the same: in-house ownership, supported by a tool that enables structure, insights and scalability.
“CERRIX has given us overview, insights and structure. It allows us to demonstrate control in a way that is consistent and efficient, and it supports the way our governance framework continues to evolve.” Risk Manager, Blauwtrust Groep.