Homes England - Automated Risk Management System (RM1557.12 G-Cloud call off)

Concepts

• risk manager controls
• newcastle upon tyne
• software package
• england
• information systems
• different risk score factors
• manager incident manager
• risk manager standard features
• homes england
• multi-level risk taxonomy

Location

Description

Homes England require the following: Automated risk management system consisting of the following modules: Risk Manager Controls (Compliance) Manager Incident Manager and related support services in accordance with the relevant service descriptions including 24 days for implementation and an optional 20 days on a call off basis for further development and or implementation requirements and as further set out below: Risk: Risk Manager standard features: • Risk Capture with Inherent, current and target risk scoring • Risk approval and closure workflow • Multi-level risk taxonomy (managed by Buyer administrative staff) • Multi-level Risk register hierarchy (managed by Buyer administrative staff) • Key Risk indicator management • Risks linked to controls in the controls framework • Risk Events capture • Mitigation action tracking (utilising your existing action tracking module) • Process mapping tool with ability to overlay risks and other content Buyer specific features: • Ability to score risks on multiple dimensions. E.gdifferent weightings to different risk score factors, and possibly utilising inputs from Control scoring (Requires clarification of HE's methodology - may not be a day 1 requirement) • Strategic objectives changed to 'demand drivers' with ability to copy this categorisation through to linked controls • Risk events added (possibly merged with data breach reporting in IAM depending on agreement with the HE DP team) Controls: Controls (Compliance ) Manager standard features: • Controls Framework to model Buyer control environment, including: • Controls, linked to Organisation, Process, Sub process, risk, entity. • Controls linked to control objectives management • Change control • Control confirmation tasks • Control design effectiveness testing by first line, with 2nd line assurance review • Control operating effectiveness testing by first line with 2nd line assurance review • Control testing deficiency management • Action management (integrated with the existing action module) • Self-serve reference data management (e.g. for process, sub process, entity and org structure, user permissions etc) • Ability to manage / test controls independently of Risk linkages Buyer specific features: • Ability to mark a control test status as a Partial Pass (where mitigations are in place that mean the control is not strictly a fail. Note this may also be able to be supported via a 'pass' with mitigating actions attached • Ability to scope tests by 'demand driver' (inherited from Risk) • Specific reporting dashboards (requirements to be Future Features (when Buyer requirements are known): • Ability to score controls through the testing process and use this to compare against risk scores - the aim is to surface controls that may not be proportionate to the risk they are controlling Incident Manager: Incident Manager centralises the recording, resolution and reporting of incidents / problems across your organisation

Award Detail

CPV Codes

• 48000000 - Software package and information systems

Indicators

• Contract is suitable for SMEs.
• Contract is suitable for VCOs.