riskHive Software Solutions Ltd

riskHive ERM Enterprise Risk Manager software (RAID) application

riskHive ERM centralises and simplifies risk management processes, actions and data management and makes graphical whole-portfolio reporting a breeze. It is a robust professional database that manages risks, opportunities, assumptions, issues and trends centrally. It quickly and effectively imports, consolidates and maintains existing risk registers within a secure, holistic portfolio.


  • Provide aggregation, escalation and roll-up of risk information
  • Alignment with ISO31000, AU/NZ and COSO standards
  • Highly configurable user interface caters for all maturities and processes
  • Qualitative and quantitative assessment and reporting
  • In-built Monte Carlo simulation and analysis including confidence curves
  • Graphical interfaces like Bow Tie, Word Cloud and Risk Radar
  • Simple interface that can replicate existing data layouts and fields
  • Fast and easy import / export of data and information
  • Exceptional UI performance and low data bandwidth requirements


  • Consolidate data from multiple sources and registers - one truth
  • Instantly accessible from any browser on any device
  • Save time vs regular consolidation of Excel spreadsheets
  • Deliver consistency of data collection and reporting
  • Actively search and filter across entire portfolio instantly
  • Simplify risk clustering and automate risk escalation
  • Produce consistent, relevant and interesting reports instantly
  • Control who sees, changes, contributes and reports on what data
  • Consolidate multiple projects into programmes and portfolios
  • Easily import and export all data in Excel and XML


£1000 to £7500 per instance per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

366882985679010


riskHive Software Solutions Ltd

Sandu Hellings



Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
RiskHive Arrisca Analyser and riskHive Sentinel KRI monitor
Cloud deployment model
Private cloud
Service constraints
Monthly planned maintenance.
System requirements
  • Buyers must have an internet browser
  • Buyer must have an internet connection

User support

Email or online ticketing support
Email or online ticketing
Support response times
Target less than one hour
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
  • Mandatory online ticketing (UserVoice) prior to telephone or email
  • UK business hours (0900-1730) and weekends within 12 hours
  • Technical account manager and cloud support engineer provided
  • On-site call-out £650 per day plus T&S (24 hours' notice required)
Support available to third parties

Onboarding and offboarding

Getting started
Full online manual as PDF (Printable)
Interactive help and ticketing system with FAQs and Articles
How-to guides
Mini-video bytes
Skype and telephone
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Word
  • Video
End-of-contract data extraction
Export to CSV, Excel or XML.
Everything is exportable including configuration files and user information
End-of-contract process
System is securely retained for 90 days at end of contract and then destroyed unless otherwise instructed. System may be hibernated at additional cost to cover hosting.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Reduced view, same data.
Service interface
Customisation available
Description of customisation
Screens, menus, views, data fields, scoring and reports can be configured online. Customisation can be done using the 'Administration' functionality by the system administrator.


Independence of resources
Application is delivered on a dedicated server. Loading is monitored and resources increased where necessary.


Service usage metrics
Metrics types
User logons and activity whilst active
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
By manual selection of data or a pre-configured export, followed by manual or automated creation of an exportable file that is downloaded through the browser. Files can also be set up to be sent by FTP.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Excel
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Data at rest encryption

Availability and resilience

Guaranteed availability
99.5% (99.7% measured previous year)
Approach to resilience
On request
Outage reporting
Private dashboard and email alerts

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Role-based user access and control
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Internal process - available on request. Not published.
Information security policies and processes
Two-level hierarchy straight to the top. Quarterly reviews.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Ticket and review system is used with peer-review.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Use 3rd party software and internal SME
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Managed firewall service with automated reporting
Incident management type
Supplier-defined controls
Incident management approach
Available on request

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£1000 to £7500 per instance per month
Discount for educational organisations
Free trial available
Description of free trial
5-users for 30 days
