Corporate Governance Risk Ltd

CGR Foundation

CGR Foundation (CGRF) allows users to clearly and visually integrate risk, compliance and other business processes (including incidents and issues). This activity is connected through real-time action management and communicated through concise reporting - including cost/benefit analysis. The resulting live and collaborative picture enhances decision-making whilst also delivering efficiency benefit.

Features

  • Active management of objectives, linking to performance indicators/other records.
  • Real-time action management (with notifications) across all modules.
  • Intuitive bowtie visualisation (aligned with ISO/IEC31010) supporting focus on controls.
  • User-configurable audit capability with management summary and risk integration.
  • HSE modules including safety assessments, hazards, observations and incidents.
  • Reporting suite including dashboards, client logos/templates, and personally customisable filters.
  • Fully auditable history of changes in all modules.
  • Use 'in the field' through CGRF Mobile (iOS and Android).
  • Strong integration between modules/records - easily entered and assimilated.
  • AI features: bow-tie builder available now, more to follow FY24-25.

Benefits

  • Decision-support with clear picture integrating risk, business intelligence and objectives.
  • Efficiencies through reduction in overheads associated with standard office tools.
  • Transparency of action management supports accountability and drives positive behaviours.
  • Live status of records (including actions) reduces time on communications/prompts.
  • Integration of actions/evidence to risk and compliance increases review/audit efficiency.
  • Notifications to user email addresses integrate with Business as Usual.
  • Automatic report delivery against user-defined filters and schedules supports governance.
  • Inherent ease-of-use supports acceptance and data-input whilst minimising training requirements.
  • Integrated Cost Benefit Analysis (through risks/controls) supports resource prioritisation.
  • Ease of configuration enables self-service - reducing vendor-dependency.

Pricing

£5.25 to £19.50 a user a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pat.parker@corpgovrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

692826412055548

Contact

Corporate Governance Risk Ltd, Patrick Parker
Telephone: 07780986929
Email: pat.parker@corpgovrisk.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
CGRF supports all standards-compliant browsers, including IE, Chrome, and Firefox.

CGRF Mobile is used by many clients, and is available for iOS and Android.
System requirements
Standards-compliant web browser.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Commitments for response times to technical support questions are contained in our Terms and Conditions document. They are based on business hours and range from 1 hour to 2 days depending on severity level.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support Levels are outlined in our Terms and Conditions document (Part E). Levels 1 and 2 are generally associated with user account management and permissions which we expect client helpdesk/system champions to manage. Level 3 would be other queries escalated in the first instance to the CGR account manager through our ticketing system - these may often be resolved by the account manager but technical issues may be further escalated within CGR for resolution. Response times vary according to severity level as described elsewhere in this service (and in our Terms and Conditions document). Technical support is included within the license cost provided in our Pricing document.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
CGR provides full project roll-out and structured implementation of installation, process mapping, configuration, data migration and training.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
CGRF allows export of data at all times, using the "Export CSV" functionality.

Additionally, the CGR Terms and Conditions document includes: "Within 30 days after the date of termination or expiry of this Agreement, the Licensor must, at its cost, return all Licensee Data to the Licensee in a form that means the Licensee Data is readily usable without the Software or other non-generic application. For clarity, the Licensor must provide the Licensee with a single flat file in CSV format, containing all Licensee Data."
End-of-contract process
Within the contractual timelines associated with client termination of service, CGR will initiate termination of the client server which permanently destroys all data contained within it. Please note that the CGR backup procedure retains database copies for 35 days on a first-in first-out basis, meaning that the last backup will expire 35 days after the termination of the server. CGR will provide a certificate of destruction after this 35-day period.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
CGRF Mobile provides a subset of CGR Foundation functionality but does not fully replicate it. It is designed to work "on site": modules such as incidents, actions, and observations can be accessed to create new records or to revise/update existing records, and the audits module can be accessed so that pre-assigned audits can be executed. Data entered on CGRF Mobile is immediately accessible to users operating on the core system. CGRF Mobile can be used offline, with data synchronising once the mobile connection is re-established.
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
The CGR Foundation API enables complex push and/or pull interfacing to a range of key systems. These have included SharePoint, 1SAP, and other enterprise systems.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
CGRF is highly configurable in forms, fields, workflows and notifications. We expect to provide initial configuration for clients, aligned to their requirements, during deployment of CGRF - the user interface for this configuration activity is so straightforward that we do much of that activity live in-session with the clients. Thereafter, although we can continue to provide configuration support, the highly intuitive nature of the system interface allows designated admin users to add and adjust as required without having to come back to CGR. This reduces client dependency and increases agility - helping client use to remain in-step with changing business requirements.

CGR also provides customisation for clients within the contract terms - for instance, in generating bespoke reports (output in pdf, word or excel file types) that may be required above and beyond the existing report library.

Scaling

Independence of resources
Clients are hosted in their own environment (resources are not shared).

Additionally, hosting through AWS allows rapid elasticity of resources.

Analytics

Service usage metrics
Yes
Metrics types
CGRF provides "last login", "all active users" and other service usage metrics in the Reporting module.
Reporting types
  • API access
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export individual records or entire registers in PDF/XLSX/DOCX formats through a simple 'Export' menu. Additionally, users can manage the search and export of multiple records across any registers through the Reports module; here the data can be presented in customised graphical dashboards tailored to client requirements (including formats and logo) or subjected to data-mining requests against filters based on any of the record input fields. Reports can be automatically scheduled for delivery to a user's email address at a user-nominated frequency/date/time. Finally, users can review the interactive data dashboards and export a dashboard image in PDF.
Data export formats
  • CSV
  • Other
Other data export formats
JPEG/PNG/GIF etc (for attachments)
Data import formats
  • CSV
  • Other
Other data import formats
CGRF data import template (CSV) only

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Supported by the Amazon Web Services SLA, CGR provides a 99.95% uptime target which is routinely exceeded due to redundant servers for all clients (i.e. multiple instances, staged upgrade deployments to one instance at a time). Over the last 5 years, CGR has operated above 99.99% availability.

There are no rebates for downtime.
Approach to resilience
Information on AWS datacentre resilience is provided at this link: https://aws.amazon.com/compliance/data-center/data-centers/
Outage reporting
Email alerts in line with CGR's ‘Information Security Incident Response Plan’.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
CGR uses 2FA internally for all management interfaces.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Compass Assurance Services
ISO/IEC 27001 accreditation date
23/01/2023
What the ISO/IEC 27001 doesn’t cover
Outsourced development - identified in Statement of Applicability as out of scope because CGR does not outsource any development.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
CSA CAIQ

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Alongside our ISO27001 certification, CGR is certified to Cyber Essentials. Our cloud services provider, Amazon Web Services, is certified to a range of international standards as identified at this link: https://aws.amazon.com/compliance/programs/
Information security policies and processes
CGR has achieved ISO 27001 certification, demonstrating our commitment to maintaining best practice information security. Our security policies and processes are in strict alignment with ISO 27001 requirements. We ensure compliance through regular internal audits, continuous staff training, and an enforced reporting structure that escalates security issues directly to our security team and ultimately our CTO. This structured approach ensures that our information security practices are maintained and continuously improved. We align with further security frameworks such as SOC2, and are planning for SOC2 certification.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
CGR uses internal tools including enterprise-grade version control systems to manage all configuration and change management.

CM processes are aligned with client requirements.

All CM is passed through internal CGR quality assurance team, before being made available via a staging environment for client review and sign-off.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
CGR has continuous monitoring of vulnerabilities through CVE. https://cve.mitre.org/

All servers have vulnerability management tools.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
CGR maintains logs on all servers. These are managed via SIEM.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
CGR uses its own SaaS platform (CGRF) to log incidents in line with best practice.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

CGR has undergone a carbon audit across Scope 1-3 emissions and is willing to disclose the results on request. Our headline performance figure is a carbon footprint of 69 tCO2e across our global business June 22-June 23. Our disclosure includes a full report that includes our action plan for reductions by 2030 as part of our route to Net Zero. We understand the importance to buyers of understanding the footprint in their supply chain for their own carbon performance and disclosure, and CGR's forward-leaning approach assists our clients in this area.

Covid-19 recovery

We recognise that many organisations have not (yet) reverted to pre-Covid norms for working patterns. Our product supports flexible working from work or home locations, from business devices, including mobile devices where managed by MS Intune.

Tackling economic inequality

CGR itself is an SME, and we recognise the importance of innovation and new methods to modernise productivity and delivery. Our application supports this through high levels of configurability and self-help, reducing vendor dependency which can be time-consuming and expensive with other products. Our application also supports this through increasing leverage of AI which, for example, allows organisations to accelerate their risk identification and analysis process. This supports smaller organisations which may not have dedicated risk teams, and also provides an efficiency and value-add benefit to larger organisations.

Equal opportunity

CGR can demonstrate significant diversity, especially for its size. Our employees range from early 20s to late 70s. One third of our employees are female (well above the UK national average of 25% for software companies according to TechUK research) and spread across different roles and seniority. Our staff come from a range of cultural backgrounds, between us bringing fluency in 6 global languages.

Wellbeing

CGR Foundation is a powerful process tool. It takes on the heavy lifting that would otherwise require users to fight with data across MS tools. From our own former experience, we know this legacy way of working can be inefficient and demoralising because the picture is out of date and incomplete. CGR Foundation releases staff time to think about the ‘so what’ rather than just the ‘what’, which allows them to add more value based on a better picture delivered with less struggle. This is positive for mental health.

Pricing

Price
£5.25 to £19.50 a user a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Following an in-person presentation and signed confidentiality agreement, CGR may choose to provide a demonstration environment to a potential client. This will be for a defined time period, and supported by a system introduction and training session.