BDO LLP

BDO Rhiza risk and assurance platform

Rhiza is your dynamic online solution for Enterprise Risk Management, transforming risk tracking into strategic advantage with its comprehensive risk registers, control libraries, action plans, incident logs, and Key Risk Indicators. Rhiza is the tool that transforms risk management from a chore into a strategic asset.

Features

• Capture and evaluate risks with ease
• Create control libraries and link them to risks
• Monitor the effectiveness of risk controls and assurance activities
• Real time status and progress/dashboards
• Clear and concise reports
• Record /monitor actions needed to reduce risks and improve controls
• Proactive notifications to users
• Dive into the details with options for KRIs/Incident Logging
• Identify and rank “Top risks” for the organisation

Benefits

• Real time information on risk to support agile decision making
• Build and administer an effective risk management process
• Straightforward and simple to use - but not simplistic
• Weave risk management into the fabric of your day-to-day operations
• Boost stakeholder confidence with proactive risk management
• Ease the administrative overheads of coordinating and managing risk registers
• Proven blend of technology and subject matter expertise
• Enhances accountability and keep everyone focused on risk and control
• Robust audit trail to evidence changes made and actions taken
• With Rhiza, you're not just managing risks you're mastering them.

£10,000 to £25,000 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsectorsales@bdo.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

366253217608329

Contact

Diego Fajardo
+44 (0) 207 8933 356
publicsectorsales@bdo.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None. Limited to browsers stated below.
• System requirements: Web browser (Chrome, Firefox, Edge)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Emails are responded to within 4 working hours of receipt during standard UK working days ( (9 - 5.30pm)
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We offer one level of support which uses different staff within the Rhiza team depending on the enquiry you are raising. All operational support enquiries are included within the annual licence fee.; ; All clients are also assigned to a named account manager.; ; Normal Support Hours are Monday to Friday 9.30am-5.30pm GMT, excluding bank holidays.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Our fee includes initial consultancy advise to ensure the system is configured correctly for your first use, along with "train the trainer" session(s) for your administrators and key users. We can offer training for all your users at additional cost if required.; User documentation is provided in the form of user guides and in-application context relevant help screens.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All data is returned securely by our helpdesk in CSV format.
• End-of-contract process: We will return client data within 28 days of the end of the contract. No additional costs apply.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: By our helpdesk:; * configuration data (eg risk and and control assessment levels); * key terminology (eg "mitigation" instead of "control"); * functional areas (eg activating additional areas of risk data to be recorded); By the client administrator:; * data structures and categories; * reports; * users and groups; By end users:; * data & report grid columns

Scaling

• Independence of resources: We use a scalable, hosted solution from Microsoft Azure.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported by via custom reports (created by client administrators). These reports can be based on a wide variety of queries and can include almost all data fields within the application.
• Data export formats: Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Internal firewalls and data is encrypted at rest

Availability and resilience

• Guaranteed availability: BDO does not guarantee that the Service will be available at all times but does agree that the Services will be available to the Customer for 99% on a 24/7/365 basis. This service level allows for unplanned outages totalling not more than 3 days and 15 hours each year from the Renewal Anniversary or contract start date whichever occurs first.; If an unplanned outage has occurred, BDO will aim to restore the availability of the Services within one (1) Working Day. If BDO is unable to restore the Service within this time frame BDO will extend, free of charge, the Renewal Anniversary by two (2) weeks.
• Approach to resilience: Available on request
• Outage reporting: Email alerts to clients

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to client data and live hosting infrastructure is limited to a minimal set of trusted staff of manager grade or above.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 29/03/2017
• What the ISO/IEC 27001 doesn’t cover: All parts of the service are covered
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: BDO is committed to the delivery of exceptional client service. This includes ensuring that client information is fully secure when in our care. Information Security is a part of the operation of any business; for us, it is essential to achieve our ambition of exceptional service. It is vital that we are aware of our responsibility to maintain the confidentiality, integrity and availability of the information that we hold on behalf of our clients. ; We have an established security organisation with our Information Security Manager, (who reports to our Partner for Risk Management) and a comprehensive suite of Risk Management and Information Security policies in use across the firm.; • We expect all our people to take personal responsibility for information security and comply with these policies as part of their annual declarations.; • We are ISO27001:2013 certified (certificate IS 573148) and use the risk based standard for designing and implementing our information security management systems so that we can consistently:; • Deploy appropriate security controls across all business units; • Define our requirements for security in all third party contracts and agreements; • Benchmark ourselves against other organisations; • Ensure that our security policies are implemented effectively.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Available on request
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Available on request
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Available on request
• Incident management type: Supplier-defined controls
• Incident management approach: Available on request

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

  Fighting climate change

  We are committed to achieving Net-Zero by 2050 and we have had our targets validated by the Science Based Targets Initiative (SBTi).; We know the road to Net-Zero will be complex and our transition to Net-Zero is overseen by our Decarbonisation Steering Committee. We are tackling three core areas to achieve Net-Zero:; 1. The ways in which we work; 2. The ways in which we travel; 3. The goods and services we buy; We monitor progress on our transition through our annual carbon emissions and our latest progress can be found in our Environmental Report.; Short term; We will have our absolute scope 1 and 2 GHG emissions by FY2030, against our baseline FY2020.; Engage with suppliers to ensure 80% of them by emissions have a science based target by FY2027.; Long term; Reduce our absolute scope 1 and 2 GHG emissions by 90% by 2050 or sooner.; Reduce our scope 3 GHG emissions by 97% per FTE by 2050 or sooner.; To demonstrate our commitment to supporting the local environment we have the following credentials and certifications:; Certified to the international standards for Environmental Management (ISO 14001) and Energy Management (ISO 5000`). These proving the foundations for embedding environmental and energy considerations into our operations and ensure future progress.; Submit a return to Ecovadis, a sustainability ratings service that evaluates companies on environmental, labour, human rights, ethics and procurement impacts.; Take part in the Carbon Disclosure Projects (CDP) annual return and currently have a ‘D’ rating.

  Tackling economic inequality

  BDO is committed to identifying & tackling inequality .; We believe that a diverse workforce will benefit the overall culture of the organisation and how we interact and deliver our services to our clients. We are serious about creating, maintaining and demonstrating equality and fairness within our organisation. We do not just ‘talk the talk’, but, we ‘walk the walk’. We have a defined Equality and Diversity Policy which further links into other key policies such as the Discrimination Policy helping to ensure equality is embedded within our business as usual and underpinned by core values.; We do not believe that individuals should be restricted in the opportunities available to them based on where they live or the society they come from, we believe in treating everyone as equal. To support this further, we also have a Social Mobility Strategy in place and several initiatives to bridge the gap between those from more affluent backgrounds to those from low / intermediate socio-economic backgrounds.; Key Metrics:; 30% female partners by end of 2030 (As signatory to the Women in Finance Charter, we had an ambition of 20% female partners by the end of 2022. This was achieved in November 2021); 10% BAME partners by end of 2026 (we are a signatory to the Race At Work Charter); Pay gap reporting - We support the annual publication of Gender PayGap and Ethnicity Pay Gap data – for partners, as well as for employees.; Increase in employee sentiment on Social Impact.

  Wellbeing

  Improving health and wellbeing internally, for our suppliers and for clients. Our staff: We have specific wellbeing support for our staff we have our “5 Ways of Wellbeing Framework”. This consists of “Take Notice” (our commitment to mental health), “Connect” (with one of our mental health first aiders), “Be Active” (supported by our healthcare provider Aviva), “Give” (using our 5+5 CSR days) and “Learn” (our online e-learning offerings). We look to recognise the needs of our own workforce to ensure they have the tools they need to succeed here at BDO. To ensure we nurture what is special about BDO’s culture, we have three strategic priorities as mentioned below. Wellbeing, Be Yourself and Citizenship. Few initiatives to note: We have a long-established commitment to wellbeing and have been awarded Gold in the Mind Workplace Wellbeing Index and have an established agile working programme to give people flexibility and choice in their working pattern in a post-COVID world. ; Supporting our clients’ well-being; We do not email clients out of hours unless there is a genuine need (i.e. sickness, absence). Agreed contract to support on clarity of expectations from the outset. Timeliness and planning to ensure that software implementation takes place in a transparent manner. We measure our impact to clients via our post service surveys, and regular catch ups with our key liaison at our clients.

Pricing

• Price: £10,000 to £25,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We will make a dedicated standard trial version available for two weeks. To do this we will need some basic information from you to configure the trial instance.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at publicsectorsales@bdo.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.