Project Activity Manager (PAM)

PAM is a Workplan and Savings Tracking Service for managing and reporting on your Cost Improvement Programme (CIP). PAM supports project management against defined milestones with planned, forecast and actual savings based on real-time spend. Workflow seamlessly connects multiple teams to generate project pipelines and provide full visibility and accountability.


  • CIP Savings Tracker
  • Project Management
  • Real time Reporting
  • Management Reports
  • Data Analysis
  • Real-time data collection
  • Workflow
  • Document Storage
  • Governance
  • Multi user access


  • Increase CIP Delivery
  • Report cost savings at the cost centre code level
  • Single communication channel between multiple teams
  • Reduce time/cost of collating, validating and reporting data
  • Automatically track actual savings in real time
  • Identify slippage or areas of risk in order to mitigate
  • Provide governance and assurance
  • Real-time interactive management dashboards


£500 to £3500 per licence per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

7 2 4 3 0 8 5 0 7 3 6 2 9 7 6



Ashley Waterman


Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Real-time Actual Savings Tracking requires an interface with Purchasing (PO) or Finance (AP) data.
System requirements
  • Microsoft Windows environment
  • Network to allow access to Microsoft Azure (Cloud Service)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support dependent on Severity Level as set out in SLA. Urgent queries responded to within 24 hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Level 1: 8 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades. Level 2: 16 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades. Level 3: 24 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades.
Support available to third parties

Onboarding and offboarding

Getting started
We have a standard implementation plan which is used as the basis for all of our implementations. This can be amended according to customer requirements. Initial system training is provided onsite as part of the system implementation process. Additional training is available either remotely or onsite as required. The system also includes detailed user documentation which describes the steps required for setting up and managing projects.
Service documentation
Documentation formats
End-of-contract data extraction
All data is exported in an agreed CSV file format. The customer also has direct access to write SQL statements to export any data as required.
End-of-contract process
The customer has the option to continue with the contracted service or to terminate the contract. If the contract is terminated, the customers data will be made available in the agreed format. The customer will no longer have access to the Cloud service via the application.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Chrome
Application to install
Compatible operating systems
Designed for use on mobile devices
Differences between the mobile and desktop service
Differences to basic layout and interface design but not to functionality
Service interface
Customisation available
Description of customisation
The service can be customised to include bespoke data items in order to meet specific customer requirements. This can be completed with support from the providers development team as part of the SaaS agreement.


Independence of resources
Each organisation license includes a dedicated service which is isolated from other customers. Therefore increased demand from other organisations has no impact on service level. Database services are dynamically scalable to handle an increase in data or system usage.


Service usage metrics
Metrics types
User login statistics and data access requests to the SQL server database.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Users have direct access to the database and can write SQL statements to export their data. Data can also be exported into MS Excel directly from the User Interface.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
In order to enable the client to do business effectively, the supplier guarantees that the service will be available for a certain percentage of time: Guaranteed Uptime 98% Uptime is measured using automated systems, over each calendar month. It is calculated to the nearest minute, based on the number of minutes in the given month (for instance, a 31-day month contains 44,640 minutes). If uptime for any item drops below the relevant threshold, a penalty will be applied in the form of a credit for the client. This means the following month’s fee payable by the client will be reduced on a sliding scale. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA: Penalty per hour is 3% of total monthly fee
Approach to resilience
All data is replicated a minimum of three times across multiple hardware racks to ensure durability and high availability. Data can also be backed up to a second geographic location. So even in the case of a complete regional outage or a regional disaster in which the primary location is not recoverable, the data is still durable.
Outage reporting
Outages are reported via email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Access is controlled across applications using Microsoft built in security.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
CSA CCM version 3.0
Information security policies and processes
Security policies and processes are documented with a named security officer. We follow a clean desk policy with all documentation stored in locked units. Information is classified according to an appropriate level of confidentiality, integrity and availability. Staff are trained to handle documentation according to the information classification. Policy breaches are to be reported and dealt with accordingly. Information policies are reviewed and updated on a regular basis.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All change requests are managed through a single system with a standardised change control form. All changes are assessed on their merit and whether they introduce any risk to the integrity or security of the system. Any changes must be approved by a Change Control Board. Changes are then managed through a process tracking log with a named accountable person.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We use Microsoft Azure's integrated vulnerability assessment. Each of our virtual machines on Azure, have this assessment solution installed. Once deployed, the Qualys agent will start reporting vulnerability data to the Qualys management platform, which in turn provides vulnerability and health monitoring data back to Security Center. Users can quickly identify vulnerable VMs from the Security Center dashboard. We use MS Azure Update Management for patch alerts to ensure patches are deployed immediately.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
From Azure Monitor we can now get at-a-glance reporting on the health and performance of all our cloud resources, from virtual machines to applications to individual lines of codes in the applications. Policies and processes are in place to appropriately manage and respond to incidents detected by Azure Monitor.
Incident management type
Supplier-defined controls
Incident management approach
All incidents are logged on a central database and all actions and findings are stored against the incident number. These are then emailed to the person/persons responsible for managing the incident. We follow the Incident Model: This includes a sequence of steps and responsibilities; Timescales for resolution; Escalation procedures; Evidence preservation; Reporting is done on a regular basis from the central database and provided at Management Meetings for review/learning.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£500 to £3500 per licence per month
Discount for educational organisations
Free trial available
Description of free trial
Service can be accessed and used with basic functionality for a period of 2 months. This does not include any bespoke configuration or interfaces which are required for tracking actual savings in real-time.

Service documents

Return to top ↑