Awarded to Sword IT Solutions Ltd

Start date: Monday 21 February 2022
Value: £345,000
Company size: SME
Financial Conduct Authority

M365 Document Management Monitoring, Alerting & Reporting - design & implementation

2 Incomplete applications

2 SME, 0 large

5 Completed applications

2 SME, 3 large

Important dates

Thursday 2 December 2021
Deadline for asking questions
Thursday 9 December 2021 at 11:59pm GMT
Closing date for applications
Thursday 16 December 2021 at 11:59pm GMT


Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
The FCA has implemented SharePoint as its primary document management platform and moved documents onto the new platform.
Support is now required to improve collaboration and productivity, provide a controls framework to mitigate compliance risk, monitor and establish an operating model and BAU capability to alert, report and remediate.
Latest start date
Monday 31 January 2022
Expected contract length
6 months with an option to extend for up to a further 6 months
Organisation the work is for
Financial Conduct Authority
Budget range

About the work

Why the work is being done
During 2020-2021 the FCA implemented SharePoint as its primary document management platform, with c4000 users who between them have access to c28m documents.
Focus has been on configuring and deploying the platform, moving documents from the legacy EDRM.
A follow-on phase of work is now being mobilised with the objectives of improving collaboration and productivity, providing a controls framework to mitigate risk, identifying instances of poor compliance and establishing an operating model and BAU capability to alert, report and remediate.
Problem to be solved
The FCA has a suite of tools (M365 Compliance/Security Center E5) which it now needs to prioritise, configure and optimise to provide insights. A team to run this capability needs to be designed & stood up, embedded in the overall operating model and a roadmap for continuous improvement designed.
Who the users are and what they need to do
FCA as an organisation seeks to:
- set up a new Compliance Assurance function for the business, embedding processes within the wider business landscape and enabling technology to add value early on, set up for success and continuous improvement
- establish a maturity framework and roadmap to develop the initial Assurance model
- develop an overarching control framework including the ability to fix and find (reactively and proactively), detect and report levels of non-adherence to internal policy
- design KPIs and associated reporting to support business leaders in assessing and reviewing operational activities and compliance position
- select, design and carry out a proof of concept for appropriate monitoring, alerting and threat management tools (e.g. trainable data classifiers)
- optimise the implementation of sensitivity labelling, records management, retention and disposition management, automating policies within M365
Early market engagement
Any work that’s already been done
Existing team
There is a Compliance Assurance team lead in place who will run the function in BAU and who will work with the supplier as the supplier designs and implements the operating model, processes, technology and roadmap to build the capability.
Current phase
Not started

Work setup

Address where the work will take place
Stratford, London 2 days per week (rest remotely)
Working arrangements
Stratford, London 2 days per week (rest remotely). Standard business hours.
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Previous experience of designing, delivering and embedding Compliance Monitoring and Alerting technologies & capabilities for a variety of clients.
  • Proven experience in developing and embedding risk & controls frameworks for collaboration, compliance & assurance capabilities.
  • Expertise in business and technical architecture for Security & Compliance assurance across the Microsoft product estate.
  • Proven expertise in security & compliance of M365 suite of applications and supporting toolkits.
  • Previous experience of developing maturity roadmaps and continuous improvement capabilities for collaboration and compliance.
  • Proven expertise in designing and developing insights and dashboards with Microsoft Power BI for Microsoft 365.
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Domain experience;
  • Innovation of approach and methodology;
  • How the approach or solution meets FCA needs;
  • Estimated timeframes for the work;
  • Approach to identifying & managing risks and dependencies;
  • Team structure;
  • Value for money;
  • Service Quality Management;
  • Flexibility & agility of response;
  • Value add proposition;
  • Skills profiles of resources.
Cultural fit criteria
  • be transparent and collaborative when making decisions
  • share knowledge and experience with other team members
Payment approach
Capped time and materials
Additional assessment methods
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. What is your budget please? – We need to know if this opportunity is the right size for us to go after.
We expect the budget to be between £500k - £1m, inc VAT
2. Is there an incumbent?
No, this is a new piece of work to be mobilised
3. Who will make up the evaluation panel? – Both for this stage and the next?
The evaluation panel will review all responses, both pre and post shortlist. There are 4 evaluators who are all stakeholders or SMEs.
4. What is the rationale for the 6 months optional extension?
We are anticipating a 6-9 month initiative to design and deliver a first transition state for Compliance & Assurance model. The initial contract is for 6 months.
5. What is expected to be achieved within 6 months?
We are expecting the team that comes in to work with us to design a roadmap and the first 6-9 month transition state, and to use their previous experience to inform what is achievable. We will agree MVP as part of that.
6. Is vetting/security clearance required?
We do background checks on all consultants who work at FCA. Security Clearance may be required for those who will have access to the most sensitive document classification.
7. What regulations and frameworks does FCA need to comply with?
There are a number of frameworks and regulations that we must abide by. The key regulatory ones are MAR, FSMA, GDPR and UK DPA 2018.
For frameworks, we follow ISO27001/002, ISO 15489, NIST & CIS.
8. Is there an existing Data Classification scheme in place? If so, is it currently in use and/or enforced?
Yes, there is a new information classification scheme and policy that has not fully matured across the organisation as it was only launched in 2020.
9. Is the start date based on a compelling event or aspirational?
Start date is the desirable date in order to meet project timescales.
10. What is the current licensing profile for Microsoft 365? i.e. do all users have E3/E5 +- add-ons?
E3 and E5 licenses available for all staff. E5 licenses have been procured but not fully implemented. Limited E5 components currently used, i.e. BitLocker, Advanced eDiscovery and some components of advanced threat protection. There is a keen requirement to enable further E5 components including Data Loss Protection (DLP), Information Protection and Governance, and advanced threat protection.
11. What configuration, if any, has been applied with regards to the Microsoft 365 Security & Compliance features?
Minimal configuration has been applied to M365 security and compliance features; the majority of areas of development have been PowerShell/BI scripting to generate requested reporting and auditing.
12. Are there other systems, apart from Microsoft 365, that are used to store documents and subject to Records Management/Retention policies?
Yes, and we are looking at additional work to centralise disparate repositories within SharePoint. The scope of the work for the next 6-9 months is SharePoint centric.
13. Are any retention policies currently being enforced on the Microsoft 365 platform?
Yes, in part. Some of the data-based and event-based policies need to be optimised and robust supporting processes designed and implemented. This work is planned.