Corporate Governance Risk Ltd

CGR Foundation

CGR Foundation (CGRF) allows users to clearly and visually integrate risk, compliance and other business processes (including incidents and issues). This activity is connected through real-time action management and communicated through concise reporting - including cost/benefit analysis. The resulting live and collaborative picture enhances decision-making whilst also delivering efficiency benefit.

Features

• Real-time action management (with notifications) across all modules.
• Linkage of risks to objectives (aligned with ISO31000).
• Intuitive bowtie visualisation (aligned with ISO/IEC31010) supporting focus on controls.
• User-configurable audit capability with management summary and risk integration.
• HSE modules including hazards, observations and incidents.
• Reporting suite including dashboards, client logos/templates, and personally customisable filters.
• Fully auditable history of changes in all modules.
• Use 'in the field' through CGRF Mobile (iOS and Android).
• Strong integration between modules/records - easily entered and assimilated.
• Auto-word search prompts user identification and linkage of records.

Benefits

• Decision-support with clear picture integrating risk, business intelligence and objectives.
• Efficiencies through reduction in overheads associated with standard office tools.
• Transparency of action management supports accountability and drives positive behaviours.
• Live status of records (including actions) reduces time on communications/prompts.
• Integration of actions/evidence to risk and compliance increases review/audit efficiency.
• Notifications to user email addresses integrates with Business as Usual.
• Automatic report delivery against user-defined filters and schedules supports governance.
• Inherent ease-of-use supports acceptance and data-input whilst minimising training requirements.
• Integrated Cost Benefit Analysis (through risks/controls) supports resource prioritisation.
• Ease of configuration enables self-administered changes - allowing agile updates.

£10.00 to £27.00 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pat.parker@corpgovrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

922195218550027

Contact

Patrick Parker
07780986929
pat.parker@corpgovrisk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: CGRF supports all standards-compliant browsers, including IE, Chrome, and Firefox.; ; CGRF Mobile is used by many clients, and is available for iOS and Android.
• System requirements: Standards-compliant web browser.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Commitment for response times to technical support questions are contained in our Terms and Conditions document - they are based on business hours and range from 1 hour to 2 days based on severity level.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support Levels are outlined in our Terms and Conditions document (Part E). Levels 1 and 2 are generally associated with user account management and permissions which we expect client helpdesk/system champions to manage. Level 3 would be other queries escalated in the first instance to the CGR account manager through our ticketing system - these may often be resolved by the account manager but technical issues may be further escalated within CGR for resolution. Response times vary according to severity level as described elsewhere in this service (and in our Terms and Conditions document). Technical support is included within the license cost provided in our Pricing document.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: CGR provides full project roll-out and structured implementation of installation, process mapping, configuration, data migration and training.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: CGRF allows export of data at all times, using the "Export CSV" functionality; ; Additionally, the CGR Terms and Conditions document includes: "Within 30 days after the date of termination or expiry of this Agreement, the Licensor must, at its cost, return all Licensee Data to the Licensee in a form that means the Licensee Data is readily usable without the Software or other non-generic application. For clarity, the Licensor must provide the Licensee with a single flat file in CSV format, containing all Licensee Data."
• End-of-contract process: Database backup will be provided if required, and the service will be disabled. After an agreed period of time, the service will be deleted. Data deletion is aligned with client request and agreement.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: CGRF Mobile provides a subset of CGR Foundation functionality but does not fully replicate it. Designed to work "on site", modules such as Incidents, Actions, and Observations can be accessed for creation of new records or revision/update of existing records. The audits module can be accessed such that pre-assigned audits can be executed. Data entered on CGRF Mobile is immediately accessible by users operating on the core system. CGRF Mobile can be used offline, with data synchronising once mobile connection is re-established.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: The CGR Foundation API enables complex push and/or pull interfacing to a range of key systems. These have included SharePoint, 1SAP, and other enterprise systems.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: CGRF is highly configurable in forms, fields, workflows and notifications. We expect to provide initial configuration for clients, aligned to their requirements, during deployment of CGRF - the user interface for this configuration activity is so straightforward that we do much of that activity live in-session with the clients. Thereafter, although we can continue to provide configuration support, the highly intuitive nature of the system interface allows designated admin users to add and adjust as required without having to come back to CGR. This reduces client dependency and increases agility - helping client use to remain in-step with changing business requirements. ; ; CGR also provides customisation for clients within the contract terms - for instance, in generating bespoke dashboard reports that may be required above and beyond the existing report library.

Scaling

• Independence of resources: Clients are hosted in their own environment (resources are not shared).; ; Additionally, hosting through AWS allows rapid elasticity of resources.

Analytics

• Service usage metrics: Yes
• Metrics types: CGRF provides "last login", "all active users" and other service usage metrics in the Reporting module.
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export individual records or entire registers in PDF/XLSX/DOCX formats through a simple 'Export' menu. Additionally, users can manage the search and export of multiple records across any registers through a Reports module - here the data can be presented in customised graphical dashboards tailored to client requirements (including formats and logo) or subject to data-mining request against filters based on any of the record input fields. Reports can be automatically scheduled for delivery to user email address at user-nominated frequency/date/time. Finally, users can review the interactive data dashboards and export a dashboard image in PDF.
• Data export formats:
  • CSV
  • Other
• Other data export formats: JPEG/PNG/GIF etc (for attachments)
• Data import formats:
  • CSV
  • Other
• Other data import formats: CGRF data import template (CSV) only

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: In line with Amazon Web Services SLA of 99.9% uptime, CGR provides a 99% uptime target which is routinely exceeded due to redundant servers for all clients (i.e. multiple instances, staged upgrade deployments to one instance at a time). Over the last 5 years, CGR has operated above 99.99% availability. ; ; There are no rebates for downtime.
• Approach to resilience: https://aws.amazon.com/compliance/data-center/data-centers/
• Outage reporting: Email alerts in line with CGR's ‘Information Security Incident Response Plan’.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: CGR uses 2FA internally for all management interfaces.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: CSA CAIQ

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: CGR is certified to Cyber Essentials. Our cloud services provider, Amazon Web Services, is certified to a range of international standards as identified as this link: https://aws.amazon.com/compliance/programs/
• Information security policies and processes: CGR is aligned with ISO 27001, with certification scheduled for late 2022.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: CGR uses internal tools including enterprise-grade version control systems to manage all configuration and change management.; ; CM processes are aligned with client requirements.; ; All CM is passed through internal CGR quality assurance team, before being made available via a staging environment for client review and sign-off.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: CGR has continuous monitoring of vulnerabilities through CVE. https://cve.mitre.org/; ; All servers have vulnerability management tools.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: CGR maintains logs on all servers. These are managed via SIEM.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: CGR uses its own SaaS platform (CGRF) to log incidents in line with best practice.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  The application is ideal for collating and managing carbon performance (including with the supply chain) and is also ideal for managing performance against applicable standards such as the Task Force for Climate Related Financial Disclosures. Among a growing number of our client base using the application in this way, we have a FTSE 100 client using the application to manage ESG performance across its global operation.
• Covid-19 recovery:

  Covid-19 recovery

  By delivering a collaborative single point of truth, CGR Foundation supports new ways of working that are likely, post Covid, to involve a hybrid of office and home working. Our mobile app further enhances this flexibility. This will support employers and employees as they seek to find a new BaU balance of working life. This in turn may help reduce the travel demand – with positive financial impact that can mitigate rising costs of living, and positive environmental impact.
• Tackling economic inequality:

  Tackling economic inequality

  N/A
• Equal opportunity:

  Equal opportunity

  As an employer, CGR can demonstrate significant diversity - especially for its size. Our employees range from early 20s to late 70s, with a gender spread across different levels of seniority. Our staff come from a range of cultural backgrounds, between us bringing fluency in 6 global languages.
• Wellbeing:

  Wellbeing

  CGR Foundation is a powerful process tool. It takes on the heavy-lifting that would otherwise be required of users trying to fight with data across MS tools – from our own former experience, we know this legacy way of working to be inefficient and often demoralising because the picture is perennially out of data and incomplete. CGR Foundation releases staff time to think about the ‘so what’ rather than just the ‘what’, to add more value based on a better picture delivered with less struggle. This has a positive impact in terms of well-being and mental health.

Pricing

• Price: £10.00 to £27.00 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Following an in-person presentation and signed confidentiality agreement, CGR may choose to provide a demonstration environment to client.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pat.parker@corpgovrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.