RiskFlag Digital Risk Management Software with Safety Case and Bowtie
RiskFlag's modular risk management solution manages safety cases and risk information. The user-friendly interface serves as a single source of truth and offers full safety case management, with bowtie module integration and repeatable reporting functions. The safety case follows the Claim, Argument, Evidence framework, creating an auditable and repeatable report.
Features
- Active safety case management with simple structured report preparation
- Bowtie risk management for problem identification and modular connections
- Safety case report function with automated safety case report generation
- Custom safety case key building information and report templates
- Embedded word processor for collaborative safety case report creation
- Reporting dashboard with integrated, configurable management reporting
- Mandatory occurrence reporting, incident reporting and investigation
- Evidence database connectivity and cloud evidence storage
- Integrated activity logging and auditing tool
- Collaborative working with built-in commenting, task management and workflow management
Benefits
- Version control, automated updates, real time collaboration, live working
- Audit activity with change recording, interaction auditing and action tracking
- Manage risk exposure, with risk tracking and complex risk visualisation
- Safety management, safety case records, safety information and overview reports
- Consistent compliance and safety reporting
- Collaborative document management with co-authoring and real-time working
- Safety case improvement and operation information with visual representation
- Safety case replication through template and document cloning
- Structured arguments and evidence, risk minimisation, compliance forecasting and forecast reporting
- Real time data, live reporting, report export and barrier effectiveness
Pricing
£660 a licence a year
- Free trial available
Framework
G-Cloud 14
Service ID
714545602623477
Contact
RISKFLAG LTD
Mark Keeble
Telephone: 07979604749
Email: mkeeble@riskflag.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
-
Users require an internet-enabled browser and device.
Licensing is on a per-building basis. Access to the system is via a web application and is available 24/7, subject to planned maintenance and upgrades.
- System requirements
-
- Users need a computer with a web browser
- Users need a reliable internet connection
- If enabled, users need a suitable 2-factor authentication app.
- Users need a .pdf viewer to review system reports
- MS Office or similar is needed to review some output
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Mon – Fri, 0900-1700
Critical
• Complete loss of service or a critical functionality, impacting all users.
• Acknowledgment - 2 hours.
• Resolution or workaround - 1 working day.
High
• Major functionality is impacted, affecting a significant number of users.
• Acknowledgment - 4 hours.
• Resolution or workaround - 2 working days.
Medium
• Noncritical functionality is impacted, affecting a limited number of users.
• Acknowledgment - 3 days.
• Resolution or workaround - 1 working week.
Low
• Minor issues that do not significantly impact functionality.
• Acknowledgment - 4 working days.
• Resolution or workaround - proportionate timeframe.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
1. Technical Support (included in the subscription fee)
- Email support during business hours (9 AM to 5 PM, Monday to Friday).
- Access to a knowledge base.
2. Remote expert support - £95 per hour.
Answers questions around methodology, theory and best practice.
3. Additional client on-boarding is available at £180.
4. Workshops are also available from £2,500 plus travel and subsistence.
Refer to the pricing document for more detail.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Users receive an initial 90 minute virtual on-boarding session from a member of the support team. This is backed up with a series of videos and documents describing how to use the system.
Onsite training is available on a case by case basis, at an extra cost as detailed in the pricing document.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Documentation and support videos are also available within the system
- End-of-contract data extraction
-
Upon termination, provided that the Customer has, at that time, paid all fees and charges outstanding, RiskFlag will deliver the back-up of customer data to the Customer within 30 days of the contract ending.
Data can be extracted by the customer in the form of a Word or PDF export at any time during the contract.
- End-of-contract process
- Following data handover all user data is deleted from the live system and access is removed for any departing registered users.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Interaction with the system is via web browsers in all cases. Whilst the system is responsive to viewing window dimensions, some functionality, such as report writing, is easier to operate using a laptop or desktop screen with a keyboard.
- Service interface
- Yes
- User support accessibility
- None or don’t know
- Description of service interface
- Interaction with the system is via a web application with an intuitive graphical user interface.
- Accessibility standards
- None or don’t know
- Description of accessibility
-
The application has been assessed using an automated tool against WCAG 2.1 AA standards and achieved a score of 76%. The areas for improvement are largely based around colour schemes and contrast. We have a plan in place for making the suggested improvements, which will mean improved accessibility for users with vision impairments.
We consider alt-text an essential inclusion because it assists people with visual impairments in understanding the documents. In our Service Definition, all images/diagrams should have clear sentence captions/alt-text.
- Accessibility testing
- None
- API
- Yes
- What users can and can't do using the API
-
The API allows organisations to remotely and automatically monitor and audit system activity and create system user logs.
Users set up the API via their organisation's administrative interface within RiskFlag to retrieve a client ID and secret token.
- API documentation
- Yes
- API documentation formats
- Other
- API sandbox or test environment
- No
- Customisation available
- Yes
- Description of customisation
-
Terminology - this can be changed via a simple menu, by administrators only.
Safety case scoring - the RAG scoring and word pictures are configurable, with any number of scoring levels and associated colour codes easily defined.
User roles - this can be changed via a simple menu, by administrators only.
Templates - report export templates can be changed via an options menu, by administrators only.
Safety case structures, Bowtie arrangements and metadata, and a range of other features across the system are highly configurable and adaptable to different use cases.
Scaling
- Independence of resources
- The software uses load balancing and auto-scaling to ensure that times of high demand do not change responsiveness.
Analytics
- Service usage metrics
- No
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
-
- Physical access control, complying with another standard
- Other
- Other data at rest protection approach
-
RiskFlag uses an IONOS VPS hosted at the VIRTUS data centre to host the SaaS platform. IONOS and VIRTUS are both ISO 27001 accredited organisations and provide:
• 24/7 on-site security team,
• 3 metre high perimeter fence,
• Car parks fitted with vehicle traps,
• Internal and external IP CCTV with complete site coverage,
• Full authentication and access policy control,
• Security bollards at building perimeter,
• Biometric entry system.
- Data sanitisation process
- No
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- The software supports a series of customisable and exportable reports in both PDF and DOCX format. CSV or XLSX files are also available on request.
- Data export formats
- Other
- Other data export formats
-
- Docx
- Data import formats
-
- CSV
- ODF
- Other
- Other data import formats
-
- DOCX
- XLS
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- Other
- Other protection between networks
-
Traffic in transit is encrypted using SSL/TLS (PKCS #1 SHA-256 With RSA Encryption).
Industry standard salting & hashing algorithms are used to protect authentication information.
Vulnerability scanning is automated and takes place within our system. Scanning takes place during the build pipeline of the app, and on a weekly basis.
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
-
RiskFlag hardens all network services and firewalls.
Continuous compliance monitoring is run to detect changes to secure configurations.
Segregation principles are used at multiple levels for security, redundancy and performance.
RiskFlag provides guidance on safe methods of information transfer and trains users on the risks.
Availability and resilience
- Guaranteed availability
-
RiskFlag uses commercially reasonable endeavours to make the Services available 24 hours a day, seven days a week, except for:
(a) planned maintenance carried out during the maintenance window of 10.00 pm to 2.00 am UK time; and
(b) unscheduled maintenance performed outside Normal Business Hours, provided that the Supplier has used reasonable endeavours to give the Customer at least 6 Normal Business Hours' notice in advance.
- Approach to resilience
-
RiskFlag has a documented Business Continuity Plan and defined recovery procedures.
The Business Continuity Plan and recovery procedures are tested twice annually, at a minimum, and all learnings are incorporated into the Plan.
Redundancy is embedded as an engineering principle, including self-healing features built into the platform to automatically adjust to outages wherever possible.
A cyber risk assessment has been conducted and is reviewed annually.
- Outage reporting
- Our service monitors for outages but does not publish the detail publicly
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Users can be assigned as either organisation administrators or, for RiskFlag staff, RiskFlag system administrators. These statuses give users access to various admin-only features, with more powerful configuration settings, user administration controls and other management-level functions. RiskFlag system administrators also require higher security protection, including mandatory 2FA.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
-
RiskFlag has implemented a risk-based approach to information security aligned with ISO 27001, and security is considered in all projects the company undertakes.
The CTO sponsors information security at the RiskFlag Board and is also responsible for directing information security and data protection activities.
The company has trained and experienced staff developing and operating information systems.
RiskFlag has implemented segregation of duties where applicable to protect critical functions.
- Information security policies and processes
- RiskFlag maintains a formal cybersecurity programme structured around the ISO 27001 framework. This document provides an overview of the firm’s approach to information security and cybersecurity, and its practices to secure data, systems and services. While information security and cybersecurity measures will naturally change over time and may differ across the range of RiskFlag’s services, this document provides an overview of our security practices.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
Changes to systems within the development life-cycle shall be controlled by the use of formal change control procedures.
Significant code changes must be reviewed and approved by at least one other RiskFlag employee before being merged into any production branch.
All RiskFlag software is version controlled and synced between contributors (developers). All code is written, tested, and saved in a temporary git branch before being synced to the main branch.
Modifications to third-party business application packages shall be discouraged and limited to necessary changes, and all changes shall be strictly controlled.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
A dedicated DevOps team monitors and manages the production platform. RiskFlag deploys malware controls to reduce the chance and impact of infections.
Audit and event logs are captured, protected and regularly reviewed.
RiskFlag regularly takes and tests backups and builds multiple layers of redundancy into the company’s platform.
The deployment process makes it impossible to install software on live production systems.
RiskFlag runs a vulnerability management program based on CVSS.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Suspicious events (login to servers, unusual outbound activity) are detected and alerts are sent to senior staff. The incident response procedure is laid out in a separate document.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Suspicious events (login to servers, unusual outbound activity) are detected and alerts are sent to senior staff. The incident response procedure is laid out in a separate document.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
- Fighting climate change
- Tackling economic inequality
- Wellbeing
Fighting climate change
RiskFlag respects our relationship with the natural environment and its ecosystems. We acknowledge the adverse impacts that human activity can impose and take actions to prevent degradation of those natural systems. RiskFlag Ltd commits to the following principles and practices:
• Monitoring and managing our environmental performance and working towards targets set to reduce adverse impacts.
• Complying with relevant UK National and Local environmental policy, practices, regulations and legislation, and industry-specific legislation.
• Reducing the consumption of natural resources in daily operations, including water, paper and energy.
• Maximising the recycling of resources.
• Disposing of waste appropriately, including e-waste at designated e-waste centres.
• Committing to the principles of preventing pollution to the environment and continual improvement.
• Minimising pollution by taking steps to limit carbon emissions resulting from vehicle and air travel.
• Where possible, encouraging suppliers to meet high standards of environmental performance.
• Communicating this policy to all employees, contractors and other stakeholders, as well as making this policy available to the general public.
Specifically, we have chosen to work with a start-up that is making renewable powered aviation a reality, for a reduced fee. We are part of the Everyday Plastic project, which aims to limit plastic use and especially single use plastics, and which we promote with our staff.
We sponsor the Yellowstone to Yukon conservation initiative.
Tackling economic inequality
As a micro organisation we are not yet in a position to provide apprenticeships or training schemes; however, we are sponsoring a software developer with her university thesis, the subject of which is the role of AI in risk management.
Wellbeing
We are a micro organisation with aspirations to grow, and as part of that growth we aim to be involved in social value projects. Currently, our employees are based in some less well-off areas of the country including Cornwall and Sheffield, and we aim to have an impact in these regions in the future. For example, we already sponsor a local youth rugby team and have plans to open an IT hub in Sheffield.
We maintain that the mental and physical health of our staff is a priority. We aim to get together with all staff members at least once a quarter. We check in with staff via various channels (virtual meetings, telephone calls, messaging, face to face) every day. We therefore understand their workload and can solve problems before they escalate.
With expansion, we have plans to implement additional support for our staff including the personal health and well-being package provided by “Looking After Me”.
One of our founders is a woman, and three are veterans.
Pricing
- Price
- £660 a licence a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
-
Access to the tool for 5 consecutive working days.
Ability to create one building safety case with associated bowties and risk registers for up to 10 users.