riskHive Software Solutions Ltd

Enterprise Risk Management and Portfolio Analysis application (ERM)

riskHive Enterprise Risk Manager® is a secure private-cloud risk database that supports all your risk management needs and is fully configurable to meet the changing requirements of your risk management journey.
riskHive ERM supports the management of risk, opportunity, actions, controls, issues, dependencies, BIA, assumptions, benefits and modelling.

Features

• Simple but incredibly capable and powerful - novices to experts
• Highly configurable interface that you define rather than 'defines you'
• Provides aggregation presents your whole 'risk universe' in one place
• Interactive graphical interfaces like Bow-Ties and Heatmaps
• Monte Carlo Simulation and Analysis for Cost, Schedule and Combined
• Alignment with ISO 31000 and other industry standards
• Policy Groups based security with highly configurable access controls
• Highly scalable licencing model
• Integration with riskHive Agile GRC products (Governance & Compliance)
• Fast and simple drag-n-drop import of existing data

Benefits

• Implements collaborative risk management working environment
• Accessible on any device that supports browser internet access
• Saves hundreds or thousands of hours vs using traditional spreadsheets
• Generate consistent reports and outputs at a mouse-click
• Consolidation of projects into programmes and portfolios
• Instant search, filter and locate across entire portfolio
• Simplify identification of duplicates and commonality
• Consolidates data from multiple sources into Single Version of Truth
• Assists identification and recovery of unspent risk allocations
• Implementation can significantly reduce insurance premiums

£2,859.98 to £14,634.19 an instance a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sandu.hellings@riskhive.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

788130614709307

Contact

Sandu Hellings
01275545874
sandu.hellings@riskhive.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: There will be planned maintenance arrangements but these will be pre-agreed with customer and are generally outside of normal working hours.
• System requirements: Internet access to the cloud solution via a browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Usually within 15 minutes but 1 hour is our max target time to respond.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: None - reply on using third-party applications that have WCAG compliance.
• Onsite support: Yes, at extra cost
• Support levels: 1) Standard Support: This is included in the basic fee. It provides application technical support by ticket-system, email, chat or telephone during UK business hours (0900-1730) 5 days a week guaranteed and on weekends. This support is covered by the SLAs in our contract and is valid whilst in-contract. ; COST £ included.; ; 2) Enhanced Customer Aftercare and Database Administration Support: This is available where the client does not have the confidence or the resources to administer and operate the system themselves.; COST: £5,750 pcm.; ; We provide both technical account manager and cloud/system support engineer. Both are directly available to the assigned client within normal UK business hours by ticket, email, chat or telephone.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide online or on-site training, quick-start videos on-demand, PowerPoint slides and bespoke courses.; System Administrator training is included within the initial system setup and configuration fee.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Word
  • Video
• End-of-contract data extraction: Data may be extracted to various formats (including XML and Excel) or archived at any time by an authorised system administrator. This is a system command and is very quick and simple to do. It is encouraged.
• End-of-contract process: At the end of the contract the system is retained for three months such that it may be accessed by authorised users to extract data or information and to generate system archive files. After this time the system image is destroyed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Dependent on screen size the view may be reduced slightly.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: There is an automatable configurable JSON service interface to facilitate the controlled sharing of system information.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: The API is outbound only to JSON files which may be used to provide data to third-party systems such as PowerBI. All configuration and scheduling of outputs are done from within the application by the end user.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Pretty much anything can be customised (configured by the customer) including data fields, views, reports, lists, colours, schema and structures to match the required client framework. The riskHive ERM solution is currently the most configurable solution of its type on the market.

Scaling

• Independence of resources: 1) Each customer is on a single-tenant platform so unaffected by other clients. ; 2) We monitor performance and increase system resources as necessary dependent on user or system activity.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide live access to user metrics to authorised system users. This includes things like access (attempts and successful logins), activity type and duration.
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported by a user with appropriate privileges to various formats including XML, JSON, Excel, Office formats and PDF. This is quick and simple to do and is a primary system capability. Users can only export the data to which they have been granted access.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Excel (Office formats)
  • JSON
  • XML
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Uptime of 99.5% (excluding planned maintenance and upgrades).; Actual measured uptime across systems averaged 99.89% in 2021.; Users are refunded pro-rata based on the percentage of on-availability over the period e.g. 10% additional downtime over SLA (88.5%) would trigger a 10% refund for that period.
• Approach to resilience: This and other security and architecture information is available upon request. The system is designed from the ground-up to be inherently secure, resilient and scalable.
• Outage reporting: 1) a public dashboard - 1 minute monitor with automated alert function (requires a login to be assigned to the customer in order to access service); 2) email alerts; 3) telephone alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: The system has a user (admin) configurable data access model to control which groups or individual users have access to which information. Access may be restricted in both breadth and depth within the data cube. It is possible to restrict and segregate data in supply chain and client third-party collaborators. Support resource must be UK security cleared to gain access to full systems. Lower-level (IT support) does not have access to client data.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyd's Register Quality Assurance Limited
• ISO/IEC 27001 accreditation date: 8/5/2021
• What the ISO/IEC 27001 doesn’t cover: All delivery and data hosting is covered. Development is not covered as there is no client data involved in development activities and non of the client hosting platforms are used in development.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 10/28/2016
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: Development - there are no third-parties involved.
• PCI certification: Yes
• Who accredited the PCI DSS certification: Safer Payments
• PCI DSS accreditation date: 28/6/2021
• What the PCI DSS doesn’t cover: N/a
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • CAIQ accreditation
  • DART
  • CYDR
  • JOSCAR
  • Picasso

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
• Information security policies and processes: 1) Data Protection Policy; 2) Information Security Policy; 3) Business Continuity Management Policy; 4) CAIQ; ; The Managing Director is responsible for: ; • Reviewing, endorsing, and achieving the policy’s aims. ; • Ensuring ongoing compliance to this policy and is the responsible person for Data Protection. ; ; riskHive employees are responsible for: ; • Carrying out their work in line with policies and associated procedures. ; • Identifying any breaches of policies and reporting them to the appointed Data Protection Officer.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: CAIQ: All features and major changes are subject to technical review before implementation, including assessment of security impact. All changes are tested prior to release and tracked in source control. As part of ongoing architectural stability and security evaluation, which takes place at both ad-hoc and at milestone releases, libraries and features are evaluated for new and changed capabilities, including threats, and activities are added to the development plan to manage these. New and updated features are assessed for impact on existing deployments and either offer progressive enhancement (supporting both old and new functionality) or automated migration.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: CAIQ: Potential vulnerabilities are identified by regular pentesting, ad-hoc external security evaluation, and ongoing awareness of threat reports for technologies in use. Potential vulnerabilities are logged to our vulnerability record and then formally assessed for impact. Depending on the assessed impact, mitigation actions are taken and included either in a security hotfix, released as soon as possible, or as part of the next version, released approximately quarterly. Mitigation actions and post-mitigation impact are added to the vulnerability record.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Security events, including new application sessions, authentication successes and failures, potential session abuses, and more along with pertinent security details (e.g. IP address, browser details, activity, route, etc) are automatically logged and visible to application administrators. Threats are highlighted in the log for easy identification. Security events are reviewed ad-hoc and recent events are reviewed as part of regular system maintenance. Reports of potential issues are evaluated against the application log and cross-referenced with the logs captured by the operating system (e.g. from IIS) to assess impact and then managed as part of our formal data & system protection process.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: CAIQ: We have a formal Incident Management Procedure which describes how events are identified, logged, validated, assigned, managed through to closure, and reported. This also covers lessons-learned. ; We use a formal ticket system to manage responses to incidents.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • Joint Academic Network (JANET)
  • Health and Social Care Network (HSCN)
  • Other
• Other public sector networks: RLI

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  riskHive ERM is the only risk tool to feature impact scoring and analysis for multiple ESG aspects such as Carbon types, power, emissions, effluent, etc. This facilitates the modelling, simulation and analysis of, for instance, cost vs carbon scenario analysis for the project, programme or the whole organisation in line with current Cabinet Office and MPA guidelines and direction of travel.

Pricing

• Price: £2,859.98 to £14,634.19 an instance a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Full working version time limited to 30 days on request .

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sandu.hellings@riskhive.com. Tell them what format you need. It will help if you say what assistive technology you use.