RISKONNECT ACTIVE RISK LIMITED

Active Risk Manager

Active Risk Manager (ARM) is a web-based Project, Programme and Enterprise risk management solution that delivers a configurable range of solutions (Including Risk, Incidents, Controls, Dashboard, Bowtie and Reporting) that supports effective business decision making whilst satisfying requirements across all market sectors.

ARM deployment is offered via cloud or on-premise.

Features

• Support for both Threat, Opportunity, Incident and Audit management
• Web based custom report builder and Rest API
• Qualitative and Quantitative analysis of risks
• Integrated Bowtie for Cause/Effect Analysis
• Full ISO 31000, Orange MoR and COSO compatibility
• Realtime message alerting
• Dynamic filtering of information for reporting and dashboarding purposes
• Financial and non-financial risk aggregation of any type of risk
• Support for multiple risk processes
• Schedule Risk Analysis Capability; integrations with Primavera P6, MS Project.

Benefits

• Promotes collaborative working
• Real-time data in a single location
• Simplistic, configurable and repeatable reporting of risk management data
• Increased confidence by executives that governance is being performed
• Increased ability to deliver organisational objectives with certainty
• Intuitive integrated interfaces – designed by risk professionals
• Configurable to fit your existing risk management processes
• Quick time to value due to short deployment time
• Ability to control security/access to the risk registers with ARM
• Full data history for all records in ARM

£19,258 an instance a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Suraj.Sugunan@riskonnect.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

498136049146238

Contact

Suraj Sugunan
01628 582500
Suraj.Sugunan@riskonnect.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Client machines must match the pre-requisites documented for the version of ARM they are using
• System requirements:
  • Microsoft Windows 10, 11
  • Internet Explorer 11, Edge, Chrome, or Firefox

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Critical issues - 2 hours; High - 4 hours; Medium - 8 hours; Low - 48 hours; 24/7 support available at extra cost.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Software support - bugs/issues/queries; Hosting support - Service Pack installation, OS patches
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Full project initiation and structured implementation walk through of installation, process mapping, configuration, data migration and training is including in the service proposals.
• Service documentation: No
• End-of-contract data extraction: A database back-up will be provided on request, or customers can export their data out using the tools provided in the software.
• End-of-contract process: Database backup will be provided if required, and the service will be disabled. After an agreed period of time, the service will be deleted

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile devices access Risk Express, which is a light touch version of the Desktop ARM.; ; We also have a mobile Incident Capture app and a separate app for Control Verification and Job Safety Analysis (JSA)
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: Replicate the read and write functionality of the ARM software via our oData Rest API Standard.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Admin users can configure which fields are available to read/write/are mandatory. ; Field labels are customisable. ; Custom field workflow available for certain functional areas. ; Customisable email alerts on events; Custom reporting available

Scaling

• Independence of resources: We use Amazon Web Services Elastic Cloud Computing (EC2). Customers each have their own dedicated application server, and a dedicated instance on a SQL database server. The number of instances is limited, to ensure no one server will be affected by user demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported into MS Excel, or custom reports can be generated using MS Reporting Services technologies.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: “Service Credit” means a sum as provided below expressed as a % of 1/12th of the annual Hosting Fees (under the hosting services agreement) or as a % of 1/12th of sums allocated to hosting within the Charges under the Software Term Licence, Support, Hosting and Services agreement: ; ; Greater than 99.5% Uptime NO CREDIT DUE ; Less than or equal to 99.5% and greater than 98.5% 1% ; Less than or equal to 98.5% and greater than 97.5% 2% ; Less than or equal to 97.5% and greater than 96.5% 4% ; Less than or equal to 96.5% and greater than 95.5% 6% ; Less than or equal to 95.5% and greater than 95.0% 10% ; Less than or equal to 95.0% 15%
• Approach to resilience: Available on request
• Outage reporting: Automatic email alerts to support desk, who will contact affected customers individually.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Only dedicated members of the support team have access to hosted servers, and the AWS management console requires multi-factor authentication for access. Development, QA, and support environments are hosted on completely separate AWS accounts, so user cannot access areas they do not have permissions for.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: LRQA
• ISO/IEC 27001 accreditation date: 19/12/2023
• What the ISO/IEC 27001 doesn’t cover: The marketing and finance aspects of our organisation
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We follow ISO 27001 standards and requirements. Allocated Information Security Manager is a VP of the company, and Information Security Officer reports directly to him. Where possible, physical or logical controls are in place to ensure policy compliance, and regular training and checks are made for ongoing compliance. Additionally there are regular internal audits, as well as six monthly Surveillance Visits from independent auditors.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes to hosted infrastructure or configuration must go though our change management process, which is a required control in our ISO 27001 implementation. A change request must be submitted and approved before a change can be made. The change control system requires details of the change, a risk assessment of the impact of the change, rollback and testing details, and communication requirements. The person raising the change cannot approve their own change.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Weekly vulnerability scans are performed using Tenable.io. Any critical patches are applied immediately (out of hours), and all servers are patched monthly to resolve any other issues.; We receive regular industry feeds from suppliers and independent providers.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Amazon Web Services monitor the environment for attack. We will be also be implementing additional, more focused monitoring this calendar year.
• Incident management type: Supplier-defined controls
• Incident management approach: The support desk handles all incidents initially, and users report incidents directly to them. Any security incident will be escalated to VP Customer Services and Support, who will liaise with the customer on resolution, and also inform them of any breach and corrective actions, and investigation results. Incident reports will be generated on an "as required" basis

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  Providing a platform for users to collaborate across risk management activities to help the organization make informed, risk based decisions.

Pricing

• Price: £19,258 an instance a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Suraj.Sugunan@riskonnect.com. Tell them what format you need. It will help if you say what assistive technology you use.