The Vendor is required to provide a cloud-based enterprise risk management software-as-a-service (the “solution”) to the state office.
- Services include:
• Develop and deliver a project plan that includes roles, milestones, key dates, and regular status updates;
• Analyze and define office business requirements and business rules, and perform a gap analysis comparing office requirements with existing solution functionality;
• Customize or configure the solution to meet office business requirements and business rules, ensuring that the solution meets all mandatory requirements as detailed in section iii (solution requirements);
• Convert and migrate five years of historical data from the office's current system into the solution, and perform migration testing to verify the successful migration;
• Conduct and facilitate testing of the solution, and refine configuration or customization as needed based on the results of that testing;
• Provide training to office staff on the use of the solution; and
• Deploy the solution to production.
- User License Types
• Business User – can edit/update/certify risk data for their own organizational unit. A Business User's access must be restricted to only their organizational unit's risk data.
• Viewer – has read-only access to all data for their organizational unit, or for other levels as assigned by an Administrator.
• Administrator – can edit/view all organizational units, add/remove users, change access rights and roles, review audit trails/data changes, set up new organizational units, and perform other tasks necessary to administer the solution.
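The three license types above amount to a scoped role model: what a user may do depends on their role, and for non-Administrators also on whether the record belongs to their organizational unit. The following is an added illustration of that rule as an authorization check; it is example code, not part of the solicitation or of any vendor's product, and the role names, action names, record shape and audit-log format are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional

# Assumed role and action vocabularies; the solicitation names the roles
# but not the concrete permission identifiers.
class Role(Enum):
    BUSINESS_USER = "business_user"
    VIEWER = "viewer"
    ADMINISTRATOR = "administrator"

class Action(Enum):
    VIEW = "view"
    EDIT = "edit"          # covers edit/update
    CERTIFY = "certify"
    MANAGE_USERS = "manage_users"
    REVIEW_AUDIT = "review_audit"

@dataclass(frozen=True)
class User:
    name: str
    role: Role
    home_unit: str
    # Extra organizational units a Viewer may read, as assigned by an
    # Administrator. Ignored for other roles (assumed modelling choice).
    extra_view_units: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class RiskRecord:
    risk_id: str
    org_unit: str

# Role -> actions that role may perform at all (before scoping).
ROLE_ACTIONS = {
    Role.BUSINESS_USER: {Action.VIEW, Action.EDIT, Action.CERTIFY},
    Role.VIEWER: {Action.VIEW},
    Role.ADMINISTRATOR: set(Action),
}

# Constructed in-memory audit trail so an Administrator could review
# both granted and denied decisions (the solicitation requires audit trails).
AUDIT_LOG: List[str] = []

def is_authorized(user: User, action: Action,
                  record: Optional[RiskRecord] = None) -> bool:
    """Decide whether `user` may perform `action`, scoped to `record`.

    Administrators are unscoped. Business Users are confined to their own
    organizational unit. Viewers are read-only and confined to their own
    unit plus any units an Administrator assigned to them.
    """
    decision = _decide(user, action, record)
    target = record.risk_id if record else "-"
    AUDIT_LOG.append(
        f"{'ALLOW' if decision else 'DENY'} user={user.name} "
        f"role={user.role.value} action={action.value} record={target}"
    )
    return decision

def _decide(user: User, action: Action, record: Optional[RiskRecord]) -> bool:
    if action not in ROLE_ACTIONS[user.role]:
        return False
    if user.role is Role.ADMINISTRATOR:
        return True
    # Every non-Administrator action is scoped to a specific record;
    # an unscoped request from a scoped role is denied by default.
    if record is None:
        return False
    if user.role is Role.BUSINESS_USER:
        return record.org_unit == user.home_unit
    # Viewer: own unit, or units explicitly assigned by an Administrator.
    return (record.org_unit == user.home_unit
            or record.org_unit in user.extra_view_units)

def denied_entries() -> List[str]:
    """Return only the DENY lines, the part of the trail a reviewer
    would inspect for repeated cross-unit access attempts."""
    return [line for line in AUDIT_LOG if line.startswith("DENY")]

if __name__ == "__main__":
    # Constructed sample users and records.
    finance_risk = RiskRecord("R-1", "finance")
    hr_risk = RiskRecord("R-2", "hr")
    bu = User("alice", Role.BUSINESS_USER, "finance")
    viewer = User("bob", Role.VIEWER, "hr", frozenset({"finance"}))
    admin = User("carol", Role.ADMINISTRATOR, "it")
    print(is_authorized(bu, Action.EDIT, finance_risk))   # True
    print(is_authorized(bu, Action.VIEW, hr_risk))        # False
    print(is_authorized(viewer, Action.VIEW, finance_risk))  # True
    print(is_authorized(viewer, Action.EDIT, hr_risk))    # False
    print(is_authorized(admin, Action.MANAGE_USERS))      # True
    print("\n".join(denied_entries()))
```

The default-deny branches matter more than the allow branches: a scoped role with no record to scope against is refused rather than silently treated as unscoped, and a Viewer's cross-unit read only succeeds for units an Administrator explicitly assigned. Logging the denied decisions alongside the allowed ones is what lets an Administrator later review attempted access outside a unit's boundary.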
- Risk Register
1. The risk register must allow Administrators and Business Users to:
• Describe the risk;
• Identify risk ratings (scores or risk levels) such as high, medium, low;
• Relate the office functions affected by the risk;
• Identify risks as being unmitigated (deficient, significant, major, etc.);
• Assign controls to risks;
• Allow creation of an action plan for unmitigated risks including steps required to be completed;
• Allow status updates to the corrective actions, including date completed; and
• Identify when a risk is no longer unmitigated and/or applicable.
2. The risk register must allow Administrators to:
• Administer risks;
• Relate risks to office strategic priorities;
• Rate risks in multiple categories (e.g., IT, privacy, operational); and
• Edit/update any information, including creating, updating, and deleting risks.
- Allow Administrators to notify office organizational units of their required risk assessments;
- Allow Administrators to send automated reminders to business users to complete unfinished work;
- Allow Administrators to respond to risk assessments submitted by organizational units;
- Reporting
• Create reports on the risk categories assigned to the risks, by organizational unit and strategic priority;
• Produce reports identifying office top risks and risk exposure based on the information provided by Business Users (e.g., heat maps, aggregated reports, risk portfolios);
• Share reports (e.g., by PDF export or secure link) with stakeholders outside the solution (i.e., individuals without a user license), such as management or external auditors;
• Identify and report on functions not tested that are required to be tested by the organizational unit;
• Determine how long corrective actions have been outstanding; and
• Create reports that show the organizational unit’s risks, risk profiles, and outstanding corrective actions to the unit’s respective head.
- Contract Period/Term: 10 years