Stats
Actions
Tags
From grc-reporter
Patterns for synthesizing findings across multiple frameworks into one readable portfolio view. Use when a /report:* command is pulling from more than one framework plugin and needs to avoid drowning the reader in control IDs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grc-reporter:program-portfolio-compositionThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Most GRC programs run 3 to 8 frameworks. Presenting each one in full is how leadership reports get ignored. The job is to show the portfolio, not every control.
Most GRC programs run 3 to 8 frameworks. Presenting each one in full is how leadership reports get ignored. The job is to show the portfolio, not every control.
Most "different" controls across frameworks map back to the same SCF control. SCF IAC-01 shows up as SOC 2 CC6.1, NIST AC-2, ISO A.9.2, CMMC AC.L2-3.1.1, and more. When you report the portfolio, collapse down to SCF first, then expand back to frameworks for the appendix.
A 15-framework program is usually a 400 SCF control program. That's the denominator that matters.
1. Coverage table (one row per framework)
| Framework | Coverage | 30-day delta | Top gap | Owner |
|---|---|---|---|---|
| SOC 2 | 82% | +3 pp | Access reviews | IAM |
Five columns. Never more. If you need more, split into a second table with a clear break (e.g., "priority frameworks" vs "monitored frameworks").
2. Leverage list (cross-framework patterns)
Controls that fail in 3+ frameworks. Fix one, close many. This is the board-friendly version of "we are investing in the right things."
Example: "SCF IAC-15 (account-recertification) fails in SOC 2, FedRAMP, and ISO 27001. One automation project closes all three. Scoped for Q2."
3. Watch list (at-risk items)
Controls or frameworks trending down. Specifically name what could slip, why, and what prevents it.
If the portfolio view is more than 2 pages, it has become the detailed report.
If the leverage list is empty, either you haven't mapped through SCF yet, or the program has no compounding work in flight. The first is a tooling fix. The second is a program problem worth naming.
If every framework shows identical coverage week over week, the pipeline isn't producing fresh findings. Flag this in the report rather than reporting stale numbers as if they were current.
npx claudepluginhub rifh2000/claude-grc-engineering. --plugin grc-reporterCreates, edits, and optimizes skills for Claude Code, including drafting, evaluating with test prompts, iterating on performance, and improving skill descriptions for better triggering accuracy.