The Vendor is required to provide risk analysis software for the purpose of estimate development, for major projects ranging from $50M to multi-billion CAD, at any project development stage, but primarily focused on early project development stages.
- Requirement
• The solution performs risk analysis using a parametric method as per AACE International Recommended Practice No. 42R-08: Risk Analysis and Contingency Determination Using Parametric Estimating.
• The solution performs risk analysis using an expected value method as per AACE International Recommended Practice No. 44R-08: Risk Analysis and Contingency Determination Using Expected Value.
• The solution performs risk analysis using a hybrid method as per AACE International Recommended Practice 113R-20: Integrated Cost and Schedule Risk Analysis Using Combined Parametric and Expected Value.
• The solution can perform risk analysis using standalone parametric method or expected value method independently.
• The solution has the ability to consider systematic risks in the risk analysis model.
• The solution performs cost and schedule risk analysis.
• The solution has a ready-to-use built-in parametric model and data provided by the vendor.
• The solution performs risk analysis estimates for all classes of estimates, project types, sizes and project phases.
• The solution uses simulation to perform analysis.
• The solution has the ability to assign correlations.
• The solution allows for parametric model elements to be configured for various types of projects.
• The solution allows models to be updated with user entered data.
• The solution allows models to be calibrated as required.
• The solution has no practical limitation on the number of projects and risk analysis estimates.
• The solution generates reports on cost and schedule, with multiple chart and table formats, including a clear output at various probability values.
• The solution allows reports to be exported to various formats, e.g. CSV, PDF, XLS.
• The solution allows model outcomes to be reproduced within accepted statistical variability ranges.
• The solution provides traceability and version control of different model versions, e.g. parametric and expected value.
• The solution is supported by user training material.
• These materials are and how they are accessed.
• The solution deploys new functionality, capabilities and patches with minimal impact to existing system functions and operations.
• The solution supports approximately 3 users.
- Cybersecurity: solution general (mandatory)
• The solution’s capability to support single sign‑on (SSO) using Microsoft Active Directory or to support SSO to the client’s Entra ID tenant.
• Provide details on the solution’s capabilities, how least privilege and segregation of duties are enforced.
• Provide details on how user, admin, and system events are logged and how the solution enables export or integration with a SIEM or centralized log‑collection platform.
• The solution protects client data using encryption in transit and at rest, and describe the controls in place governing client data access, storage, retention, and deletion.
• The downstream sub processors that access or process client data— including their roles, processing locations, and the types of data handled— and describe the process used to notify the client in advance of any addition, removal, or change to those sub processors.
• Secure software development lifecycle (SDLC), including framework alignment, and describe how application testing and vulnerability discovery processes are integrated.
• Patching and upgrade strategy, including regular maintenance cycles, patch‑release cadence, and emergency procedures for responding to zero‑day vulnerabilities.
- Cybersecurity: only if cloud services (SaaS/PaaS/IaaS) are included in the solution (conditional)
• The service model (SaaS, PaaS, or IaaS), the tenancy architecture (single‑tenant or multi‑tenant), and the cloud and service providers used, and describe how the shared responsibility model applies to the solution.
• The data residency model for the solution (including location), including the primary and backup storage locations for client data, all cross‑border transfers, and whether the service offers a data‑residency or sovereign option.
• Administrative access and interfaces are hardened, including MFA, device/location/network restrictions, least‑privilege and PAM controls, admin‑interface segmentation, and monitoring of privileged activity.
• The penetration testing and cybersecurity controls assessments performed on the solution, including scope, frequency, and evidence of remediation.
• The solution supports automated user provisioning using the SCIM 2.0 standard, including how user accounts are created, updated, and provisioned automatically based on changes made in the client’s identity provider (IdP).
• The solution supports centralized credential management by delegating all authentication and password‑reset flows to the client’s identity provider (IdP).
• The solution protects inbound and outbound data exchange—including APIs, web hooks, and batch transfers—covering encryption, endpoint authorization, payload integrity, logging, and monitoring controls.
• Backup and recovery capabilities, including point‑in‑time restore options, support for immutable backups, the frequency and results of tested restores, and defined targets for each service tier.
- Cybersecurity: only if a mobile application is included as part of the solution (conditional)
• Mobile apps follow secure coding practices and address the OWASP Mobile Top 10 within a documented that includes threat modeling and code review.
• The mobile app implements modern authentication with Entra ID SSO, MFA, and device‑compliance checks, preferably through brokered authentication.
• The mobile application protects data at rest using the operating system’s secure storage mechanisms, encrypts data in transit using TLS 1.2 or higher, implements certificate pinning for critical APIs, and ensures that no secrets are stored in plaintext or insecure keychains.
- Cybersecurity: only if gen AI is used in the solution or used in the service delivery processes (conditional).
• The gen AI use cases within the solution or service delivery, including the models and providers used and the functional or operational boundaries applied.
• The solution ensures that client data is not used to train or tune gen AI models without explicit opt‑in, and describe data‑retention and segregation controls.
• The access controls applied to gen AI capabilities, the ability to disable gen AI features, and how logs are redacted or sanitized to protect sensitive data.
• The controls in place to protect against prompt injection, data leakage, and unsafe or unintended tool actions triggered through gen AI components.
• The safeguards applied to gen AI outputs to prevent malicious or unsafe content from being injected into downstream systems.
- Information management: data ownership and control
• Hydro retains sole ownership of all data throughout the life of the contract or service.
• The vendor must not use, disclose, sell, share, or otherwise make Hydro data available for any secondary or commercial purpose (including analytics, benchmarking, advertising, product or service improvement, or artificial intelligence and machine learning training), except where explicitly authorized in writing by Hydro.
• Provide Hydro with a complete export of all Hydro data in a usable format upon contract expiry or termination and must securely destroy any remaining copies in its custody or control.
• Describe how data can be exported from the solution at contract end, including available formats and any metadata provided to support context and traceability.
- Information management: data residency and jurisdiction
• Disclose where Hydro data is stored, processed, backed up, and replicated for disaster recovery or failover purposes, and must identify any cross‑border data flows involving Hydro data.
• Describe its corporate jurisdiction and any legal or regulatory obligations that may apply to government or law‑enforcement access to Hydro data.
- Information management: data access
• Disclose any subcontracting, outsourcing, or use of third‑party service providers that involve access to or processing of Hydro data.
- Information management: artificial intelligence (AI) and transparency
• Disclose whether the solution uses artificial intelligence (AI), automated decision‑making, or machine‑learning capabilities in relation to Hydro data or content, and, if so, describe the purpose, scope, and role of such capabilities within the solution.
- Information management: documents, attachments and metadata
• Describe how documents, attachments, and other file‑based content are stored and managed by the solution, what metadata is used to identify, find, and export that content, and how changes to such content are handled over time (e.g., versioning or replacement) to support traceability and integrity.
- Information management: retention, disposal and purge capabilities
• The solution supports the purging of Hydro data and content in accordance with records retention and disposal schedules, including available configuration options and constraints, and how purge activities are captured, logged, and reported through the solution’s audit trail to support accountability and traceability.
• The solution supports legal hold or preservation of data, including the ability to suspend deletion or disposition where required.