RISKFLAG LTD

RiskFlag Digital Risk Management Software with Safety Case and Bowtie

RiskFlag's modular risk management solution manages safety cases and risk information. The user-friendly interface serves as a single source of truth and offers full safety case management, with bowtie module integration and repeatable reporting functions. The safety case follows the Claim, Argument, Evidence framework creating an auditable and repeatable report.

Features

  • Active safety case management with simple structured report preparation
  • Bowtie risk management for problem identification and modular connections
  • Safety case report function with automated safety case report generation
  • Custom safety case key building information and report templates
  • Embedded word processor for collaborative safety case report creation
  • Reporting dashboard with integrated, configurable management dashboard reporting
  • Mandatory occurrence reporting, incident reporting, occurrence reporting and investigation
  • Evidence database connection, evidence database connectivity, cloud evidence storage
  • Integrated activity logging tool, audit integration, integrated auditing tool
  • Collaborative working, built-in commenting, task management, workflow management

Benefits

  • Version control, automated updates, real time collaboration, live working
  • Audit activity with change recording, interaction auditing and action tracking
  • Manage risk exposure, with risk tracking and complex risk visualisation
  • Safety management, safety case records, safety information and overview reports
  • Consistent reporting with compliance management, safety reporting, and compliance reporting
  • Collaborative document management, co-authoring, real-time working and document collaboration
  • Safety case improvement information, visual representation, safety case operation information.
  • Safety case replication, template cloning, document cloning, templates
  • Structured arguments, structured evidence, minimise risk, compliance forecasting, forecast reporting
  • Real time data, live reporting, report export, barrier effectiveness

Pricing

£660 a licence a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mkeeble@riskflag.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

714545602623477

Contact

RISKFLAG LTD Mark Keeble
Telephone: 07979604749
Email: mkeeble@riskflag.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Users require an internet enabled browser and internet enabled device.
Licensing is on a per-building basis. Access to the system is via a web application and is available 24/7, subject to planned maintenance and upgrades.
System requirements
  • Users need a computer with a web browser
  • Users need a reliable internet connection
  • If enabled, users need a suitable 2-factor authentication app.
  • Users need a .pdf viewer to review system reports
  • MS Office or similar is needed to review some output

User support

Email or online ticketing support
Email or online ticketing
Support response times
Mon – Fri, 0900-1700
Critical
  • Complete loss of service or a critical functionality, impacting all users.
  • Acknowledgment - 2 hours.
  • Resolution or workaround - 1 working day.

High
  • Major functionality is impacted, affecting a significant number of users.
  • Acknowledgment - 4 hours.
  • Resolution or workaround - 2 working days.

Medium
  • Non-critical functionality is impacted, affecting a limited number of users.
  • Acknowledgment - 3 days.
  • Resolution or workaround - 1 working week.

Low
  • Minor issues that do not significantly impact functionality.
  • Acknowledgment - 4 working days.
  • Resolution or workaround - proportionate timeframe.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
1. Technical Support (included in the subscription fee)
   - Email support during business hours (9 AM to 5 PM, Monday to Friday).
   - Access to a knowledge base.
2. Remote expert support - £95 per hour. Answers questions around methodology, theory and best practice.
3. Additional client on-boarding is available at £180.
4. Workshops are also available from £2,500 plus travel and subsistence.
Refer to the pricing document for more detail.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Users receive an initial 90 minute virtual on-boarding session from a member of the support team. This is backed up with a series of videos and documents describing how to use the system.
Onsite training is available on a case-by-case basis, at an extra cost as detailed in the pricing document.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
Documentation and support videos are also available within the system
End-of-contract data extraction
Upon termination, provided that the Customer has at that time paid all outstanding fees and charges, RiskFlag will deliver the back-up of customer data to the Customer within 30 days of the contract ending.
Data can be extracted by the customer in the form of a Word or PDF export at any time during the contract.
End-of-contract process
Following data handover all user data is deleted from the live system and access is removed for any departing registered users.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Interaction with the system is via web browsers in all cases. Whilst the system is responsive to viewing window dimensions, some functionality, such as report writing, is easier to operate using a laptop or desktop screen with a keyboard.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
Interaction with the system is via a web application with an intuitive graphical user interface.
Accessibility standards
None or don’t know
Description of accessibility
The application has been assessed using an automated tool against WCAG 2.1 AA standards and achieved a score of 76%. The areas for improvement are largely based around colour schemes and contrast. We have a plan in place for making the suggested improvements which will mean improved accessibility for users with vision impairments.
We consider alt-text an essential inclusion because it assists people with visual impairments in understanding the documents. In our Service Definition, all images/diagrams should have clear sentence captions/alt-text.
Accessibility testing
None
API
Yes
What users can and can't do using the API
The API allows organisations to remotely and automatically monitor and audit system activity and create system user logs.

Users set up the API via their organisation's administrative interface within RiskFlag to retrieve client ID and secret token.
API documentation
Yes
API documentation formats
Other
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
Terminology - this can be changed via a simple menu, by administrators only.
Safety case scoring - the RAG scoring and word pictures are configurable, with any number of scoring levels and associated colour codes easily defined.
User roles - this can be changed via a simple menu, by administrators only.
Templates - report export templates can be changed via an options menu, by administrators only.

Safety case structures, Bowtie arrangements and metadata, and a range of other features across the system are highly configurable and adaptable to different use cases.

Scaling

Independence of resources
The software uses load balancing and auto-scaling to ensure that times of high demand do not degrade responsiveness.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
RiskFlag uses an IONOS VPS hosted at the VIRTUS data centre to host the SaaS platform. IONOS and VIRTUS are both ISO 27001 accredited organisations and provide:
  • 24/7 on-site security team
  • 3 metre high perimeter fence
  • Car parks fitted with vehicle traps
  • Internal and external IP CCTV with complete site coverage
  • Full authentication and access policy control
  • Security bollards at building perimeter
  • Biometric entry system
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
The software supports a series of customisable and exportable reports in both PDF and DOCX format. CSV or XLSX files are also available on request.
Data export formats
Other
Other data export formats
  • PDF
  • DOCX
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • DOCX
  • XLS
  • PDF

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Traffic in transit is encrypted using SSL/TLS (PKCS #1 SHA-256 with RSA encryption).
Industry standard salting & hashing algorithms are used to protect authentication information.
Vulnerability scanning is automated and takes place within our system. Scanning takes place during the build pipeline of the app, and on a weekly basis.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
RiskFlag hardens all network services and firewalls.
Continuous compliance monitoring is run to detect changes to secure configurations.
Segregation principles are used at multiple levels for security, redundancy and performance.
RiskFlag provides guidance on the safe methods of information transfer and trains users on the risks.

Availability and resilience

Guaranteed availability
RiskFlag uses commercially reasonable endeavours to make the Services available 24 hours a day, seven days a week, except for:
(a) planned maintenance carried out during the maintenance window of 10.00 pm to 2.00 am UK time; and
(b) unscheduled maintenance performed outside Normal Business Hours, provided that the Supplier has used reasonable endeavours to give the Customer at least 6 Normal Business Hours' notice in advance.
Approach to resilience
RiskFlag has a documented Business Continuity Plan and defined recovery procedures.
The Business Continuity Plan and recovery procedures are tested twice annually, at a minimum, and all learnings are incorporated into the Plan.
Redundancy is embedded as an engineering principle, including self-healing features built into the platform to automatically adjust to outages wherever possible.
A cyber risk assessment has been conducted and is reviewed annually.
Outage reporting
Our service monitors for outages but does not publish the details publicly.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Users can be assigned as either organisation administrators or, for RiskFlag staff, RiskFlag system administrators. These statuses give users access to various admin-only features, with more powerful configuration settings, user administration controls and other management-level functions. RiskFlag system administrators also require higher security protection, including mandatory 2FA.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
RiskFlag has implemented a risk-based approach to information security aligned with ISO 27001 and security is considered in all projects the company undertakes.
The CTO sponsors information security at the RiskFlag Board and is also responsible for directing information security and data protection activities.
The company has trained and experienced staff developing and operating information systems.
RiskFlag has implemented segregation of duties where applicable to protect critical functions.
Information security policies and processes
RiskFlag maintains a formal cybersecurity programme structured around the ISO 27001 framework. This document provides an overview of the firm’s approach to information security and cybersecurity, and its practices to secure data, systems and services. While information security and cybersecurity measures will naturally change over time and may differ across the range of RiskFlag’s services, this document provides an overview of our security practices.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to systems within the development life-cycle shall be controlled by the use of formal change control procedures.
Significant code changes must be reviewed and approved by at least one other RiskFlag employee before being merged into any production branch.
All RiskFlag software is version controlled and synced between contributors (developers). All code is written, tested, and saved in a temporary git branch before being synced to the main branch.
Modifications to third-party business application packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
A dedicated DevOps team monitors and manages the production platform. RiskFlag deploys malware controls to reduce the chance and impact of infections.
Audit and event logs are captured, protected and regularly reviewed.
RiskFlag regularly takes and tests backups and builds multiple layers of redundancy into the company’s platform.
The deployment process makes it impossible to install software on live production systems.
RiskFlag runs a vulnerability management programme based on the CVSS.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Suspicious events (logins to servers, unusual outbound activity) are detected and alerts are sent to senior staff. The incident response procedure is laid out in a separate document.
Incident management type
Supplier-defined controls
Incident management approach
Suspicious events (logins to servers, unusual outbound activity) are detected and alerts are sent to senior staff. The incident response procedure is laid out in a separate document.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Wellbeing

Fighting climate change

RiskFlag respects our relationship with the natural environment and its ecosystems. We acknowledge the adverse impacts that human activity can impose and take actions to prevent degradation of those natural systems. RiskFlag Ltd commits to the following principles and practices:
  • Monitoring and managing our environmental performance and working towards targets set to reduce adverse impacts.
  • Complying with relevant UK National and Local environmental policy, practices, regulations and legislation, and industry-specific legislation.
  • Reducing the consumption of natural resources in daily operations, including water, paper and energy.
  • Maximising the recycling of resources.
  • Disposing of waste appropriately, including e-waste at designated e-waste centres.
  • Committing to the principles of preventing pollution to the environment and continual improvement.
  • Minimising pollution by taking steps to limit carbon emissions resulting from vehicle and air travel.
  • Where possible, encouraging suppliers to meet high standards of environmental performance.
  • Communicating this policy to all employees, contractors and other stakeholders, as well as making this policy available to the general public.
Specifically, we have chosen to work with a start-up that is making renewable powered aviation a reality, for a reduced fee. We are part of the Everyday Plastic project that aims to limit plastic use and especially single use plastics, which we promote with our staff.
We sponsor the Yellowstone to Yukon conservation initiative.

Tackling economic inequality

As a micro organisation we are not yet in a position to provide apprenticeships or training schemes, however we are sponsoring a software developer with her university thesis, the subject of which is the role of AI in risk management.

Wellbeing

We are a micro organisation with aspirations to grow, and as part of that growth we aim to be involved in social value projects. Currently, our employees are based in some less well-off areas of the country, including Cornwall and Sheffield, and we aim to have an impact in these regions in the future. For example, we already sponsor a local youth rugby team and have plans to open an IT hub in Sheffield.

We maintain that the mental and physical health of our staff is a priority. We aim to get together with all staff members at least once a quarter. We check in with staff via various channels (virtual meetings, telephone calls, messaging, face to face) every day. We therefore understand their workload and can solve problems before they escalate.
With expansion, we have plans to implement additional support for our staff including the personal health and well-being package provided by “Looking After Me”.
One of our founders is a woman, and three are veterans.

Pricing

Price
£660 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Access to the tool for 5 consecutive working days.
Ability to create one building safety case with associated bowties and risk registers for up to 10 users.
