Governance Risk and Compliance tool

DELTA Access Code :4J4GPFS79V Description The Authority aims to procure a scalable, integrated Governance, Risk and Compliance (GRC) software solution, capable of supporting its organisational growth and any required regulatory obligations. The solution is intended to consolidate risk data from across the Authority into a single platform that strengthens oversight, enhances analysis & reporting, improves operational efficiency, and ensures accountability. A GRC tool may also provide the opportunity to identify data synergies and move away from several systems used across the Authority. Strategic Objectives Integrated View of the Risk and Control Environment A unified cloud-based platform will provide a single source of truth for risks, controls, incidents, actions and metrics. Full traceability will be maintained across taxonomies, business units, policies and key processes, improving framework integration, transparency and decision-making. Data Driven Culture and Analytics The system will enable trend analysis, early warning indicators and data driven insights to support proactive management of current and emerging risks. Operational Efficiency and Improved Ownership An intuitive user experience, default ‘outofthebox’ configurability, guided workflows and automation will reduce manual effort and embed firstline ownership of risks and controls, while supporting second line oversight and challenge. High Quality Data and Reporting Automated dashboards and configurable reporting to the Microsoft Office suite will streamline internal and external stakeholder reporting, including for senior management, committees and regulators. Assurance and Regulatory Compliance The platform will facilitate compliance with the UK Corporate Governance Code (including Provision 29) and relevant FCA expectations. Evidence trails, compliance monitoring and control testing will support a robust assurance framework. Core Capability Requirements Initial core capability requirements have been identified, with activities still ongoing to define the full scope of requirements and determine the business units which a GRC tool may be implemented into. A full prioritised list of requirements and business units identified as part of ongoing activities, will be incorporated into future specifications. The current core GRC solution must support, but not be limited to the following key modules: Risk & Control Management - Risk and control library - RCSA: inherent/residual assessments, control tiering and assessments, risk acceptances and outoftolerance management - Heat maps, bow ties and risk scoring matrices - Control improvement actions - Endtoend traceability of risk, control and incident data by risk taxonomy, business unit, policy suite, and key processes Control Testing - Structured workflows, evidence capture and reporting to support assurance activities. Data, Reporting & Analytics - Configurable automated reporting - UK Corporate Governance Code Provision 29aligned reporting - Data ingestion from internal and external sources - Use of AIassisted tooling where appropriate Risk Appetite & Key Risk Indicators - Capture, monitoring and reporting of KRIs and risk appetite metrics. Incident Management - Central reporting portal - End to end incident lifecycle management, including automations - Metrics and trend analysis Policy Management - Governance and maintenance of the policy suite - Evidence based assessment of policy effectiveness using risk, control, testing and incident data Regulatory Compliance - Compliance monitoring plan execution - Horizon scanning and analysis of regulatory changes - Impact assessment of external developments on the control environment Ethics & Integrity - Management and reporting of gifts and hospitality, conflicts of interest, personal account dealing and insider lists. Internal Audit - Audit planning and delivery workflows - Action tracking and reporting Non-Core Capabilities While not central to the initial procurement, the system should also be capable of supporting: - Business continuity and resilience - Programme/project risk management - Third party risk management