McKinsey & Company, Inc. United Kingdom

McKinsey Wave

Building on our extensive expertise in program management, Wave is McKinsey’s proprietary program-management platform that supports transformation and change programs by tracking initiatives, measuring their impact, driving accountability, and sustaining results.


  • Create and describe initiatives and actions
  • Track and report financial impact
  • Workflow management with approval and stage-gating process
  • Flexible and extensive real-time reporting
  • Notifications via weekly emails
  • Highly configurable user permissions
  • Custom dashboards are configurable
  • Data export to excel
  • Bulk update of data via services


  • Generate and capture ideas and initiatives
  • Prioritise initiatives to create a balanced portfolio
  • Plan timeline and financial impact of initiatives
  • Identify delays and quickly act on them
  • Compare actuals and forecasts of financial impact against planned values
  • Create a single source of truth for your program
  • Drive accountability throughout your organization
  • Drive adoption with our user-friendly and intuitive interface
  • Get started quickly


£60000 per licence per year

G-Cloud 10


McKinsey & Company, Inc. United Kingdom

Katrina Johnstone

+44 207 961 5548

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • 64-bit operating system; Windows and Mac OS X compatible
  • Internet Browser: IE, Google Chrome, Safari or Firefox compatible
  • Computer must have internet connection

User support

Email or online ticketing support Email or online ticketing
Support response times 1 business day
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels McKinsey Wave offer the following to all clients as part of the Wave service: Service desk, Email & Phone.

The service response operates 24 hours per day, from Sunday 6:30 PM (GMT) to Saturday 3:00 AM (GMT)

Each client is assigned a Service Delivery Manager who is responsible for the successful delivery and ongoing performance of the software.
Support available to third parties Yes

Onboarding and offboarding

Getting started Structured learning and knowledge transfer program designed to quickly orientate new users helping them to become productive from day 1.

Onsite in person training can be delivered with options for virtual web based training if required. Online resources for training materials, video tutorials and role specific learning journeys are available to all Wave users via the online Wave Success Center.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We offer a historical data extract to the client at the end of the contract if needed. All of the data is exported into an excel format and securely transferred to the client.
End-of-contract process At the end of the contract the Wave team will offer the opportunity to renew the contract. If the client does not want to renew, we require a formal notification via email. Once this is received the service delivery manager will set up a short 15 minute debrief session and will commence from that point the decommissioning process. A historical data extract is offered to the client in excel format and once confirmed the Wave environment is permanently deleted.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility Accessible via a web browser. Users can create, modify and remove initiative data with associated actions, tasks and impact data (access permissions allowing). Users have complete access to all of the data visualisation, reporting and export functions within the toolset. Users cannot self-configure the tool or make major adjustments to the tool. This will be carried out by the Wave team on request of the client.
Accessibility testing None
Customisation available Yes
Description of customisation Yes. Wave is a heavily customisable solution. The Wave team work directly with the client pre deployment to deep dive on the key requirements and deliverables of the program. The team then translate these into a customised software platform engineered exclusively for the client to deliver their specific requirements.

Key areas for consideration are customisation of initiative card structures and associated attributes. Approval and governance process. Organisational topology/hierarchy. Accountability and impact allocation. Configuration of financial and non financial metrics, dashboards and customised business reporting.

Major structural changes on request via the Wave team support.

Clients can now self manage user accounts should they have the required level of access to the system.


Independence of resources Each client instance resides on an independent, dedicated cloud. This removes any issues associated with overall demand for the service.


Service usage metrics Yes
Metrics types Registered and active user numbers, login frequency, average time spent in the tool, number of initiatives and associated actions. (Upon agreement and approval of the client)
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Database and S3 buckets are encrypted using AWS’ KMS (all volumes, incl. boot)
Back-ups (in S3 buckets in other regions) are encrypted using AWS’ KMS
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Data can be exported into an excel file if needed.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks All transports use HTTPS or WSS, encrypted using 256-bit AES
Data protection within supplier network Other
Other protection within supplier network Database and S3 buckets are encrypted using AWS’ KMS (all volumes, incl. boot)
Back-ups (in S3 buckets in other regions) are encrypted using AWS’ KMS

Availability and resilience

Guaranteed availability Undisclosed
Approach to resilience All transports use HTTPS or WSS, encrypted using 256-bit AES. Built-in AWS DDoS resiliency and Application Load Balancer (ALB). Services and databases are designed for high availability and run on multiple AWS Availability Zones (AZ). Application, services and databases are fully segregated on a per client basis (“shared-nothing” design). All data volumes encrypted at rest using AWS Key Management Service (KMS).

24/7 active monitoring of infrastructure, services and databases. 24/7 first line support (help desk) for infrastructure incidents. 24/5 first line support (help desk) for client service requests and access support. 12/5 second and third line support for escalated infrastructure and application incidents.

Wave takes a backup of the database every two hours or when an application or configuration update is performed.
The full data is copied to an AWS S3 encrypted bucket, dedicated to the Client tenant.

Geo replication: The S3 bucket is replicated immediately to another Wave datacenter in another region, providing full restore capability should a disaster render the origin datacenter inoperative.
Outage reporting Outage reporting via email alerts

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication Combination of:
  • (Username) client corporate email address
  • (Password) User defined - temporary unique set/reset link, with minimum strength conditions
  • (Adaptive - risk based) second factor authentication
  • (IP Address) Whitelisted / Blacklisted list of IP addresses and ranges
  • (Originating region) Whitelisted / Blacklisted regions
  • Device cookie/certificate: silent registration of known devices
  • (One time challenge) one-time-link delivered by email
  • (Single Sign On) - SAML2
Access restrictions in management interfaces and support channels Data security and permission authorization is governed by a configurable 7 layers authorization model. Restrictive controls based on: Card and attribute value, card type access, card attribute access, conditional and user based card attribute visibility/editability, override visibility/editability, revoke editability.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information You control when users can access audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Hosting partner AWS ISO 27001 certified. Documentation available on request
ISO/IEC 27001 accreditation date Part of AWS Certifications/Accreditations
What the ISO/IEC 27001 doesn’t cover Wave solution has an ISAE 3000 SOC2 Type 2 attestation. Deeply related to ISO 27001
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications ISAE 3000 SOC 2 Type I

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes On an annual basis the information security program is assessed by an independent 3rd party according to the ISO/IEC 27001:2013 standard.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All change requests are centrally managed by the nominated service delivery manager. A copy of the current configuration will be securely stored should the client wish to revert back to the previous configuration at any time. Any changes can be made in a draft environment and once approved by the client can be promoted to the live environment. This ensures no downtime. Ticketing system in place to track progress of change requests. The change requests are quality checked by 2 members of the configuration team to identify any risks before finalising the configuration change request.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Vulnerability management assured as part of Amazon Web Services (AWS)
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Covered as part of the AWS hosting service
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Adhere to industry best practices. Incident Management process is integrated with the Crisis Management, Business Continuity Management, Legal, Communications and Management process.

Application incidents are jointly categorized by Wave and the Client into three levels of severity to ensure our Clients receive the appropriate incident resolution support.

Severity - 1 Incident (Emergency - Tool unavailable)
Severity - 2 Incident (Detrimental situation - Tool has limited function)
Severity - 3 Incident (Inconvenient situation - Tool usable but not optimal)

Users report incidents via or via direct communication with the account manager or service delivery manager.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £60000 per licence per year
Discount for educational organisations No
Free trial available No
