Risk Reasoning Limited


RiskAid is a powerful yet intuitive online collaborative tool to manage risk and uncertainty for projects, operationally or across an organisation. It incorporates advanced features such as "what if" scenarios, a full searchable audit trail, role based security, instant personalised reports and risk assessment hierarchies with knowledge aggregation and summaries.


  • Online collaborative risk management
  • Extensive online reporting, drill-down and graphical displays
  • Risk priority matrix ("heat map"), risk registers, risk improvement
  • Data import from spreadsheets and CSV files
  • Extensive user configurable displays and dashboards
  • "What if" scenarios for alternative models and instant comparison
  • Hierarchical risk management with consolidation of results
  • Assessments saved as "snapshots" for comparison reporting
  • Comprehensive audit trail records every single change
  • Integrates with other tools such as Primavera


  • Enables collaborative team based approach to risk management
  • Shows ROI of taking appropriate action at the appropriate time
  • Imports existing data to preserve your existing risk management investment
  • Alternative solutions can be explored without affecting live assessments
  • Enables better informed decision making
  • Audit trail provides regulatory information with ease
  • Instant customisable displays and reports, personalised for each user
  • Rapid synchronisation with project planning tools such as Primavera


£300 to £3000 per user per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

811482739807131


Risk Reasoning Limited

Mark Swabey

08456 803457


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Available using any browser and browser version released within the last five years on PC, Apple Mac, tablets and smart-phones.
System requirements
  • Browser based software, any browser version in last five years
  • Requires internet connection

User support

Email or online ticketing support Email or online ticketing
Support response times Normal response to email support is within 2 hours.
Mean time between first email notification and resolution of problem or issue has been three working hours over the last five years.
We pride ourselves on providing a quick and responsive support service that all users can be confident to rely upon when needed.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 A
Web chat accessibility testing We have tested these facilities with colour-blind and visually-impaired users
Onsite support Yes, at extra cost
Support levels RiskAid support is included within the licence fee.
This includes error detection and rectification, planned maintenance and software upgrades, and help-desk support.
We reserve the right to charge for more general risk management discussions and advice, but this will always be discussed and agreed beforehand with the designated client authority.
Support available to third parties Yes

Onboarding and offboarding

Getting started We typically provide either online training or on-site training dependent on customer requirements. This can take the format of an interactive workshop. We also assist customers to import their own data or they can use the import facilities within RiskAid. Full online documentation is included in RiskAid as well as context-sensitive help and a range of short illustrated Briefing Notes on various aspects of collaborative risk management.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users can extract data using the CSV export facility or we can export it for them if required.
End-of-contract process At the end of a contract, users can export their data from the system to use how they see fit. Their access to RiskAid would then be removed. We can extract and provide data in various formats as required but there may be an additional cost for this service depending on the complexity.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None, as the user interface is responsive to screen size and will arrange itself accordingly, making best use of the screen size and orientation.
Service interface No
Customisation available Yes
Description of customisation Any user can create any number of risk assessments.
Assessment Managers and administrators control: Role-Based Access Control for each user to each assessment, currencies used, risk probability ranges, risk impact criteria and range definitions, multiple risk categorisations, and approval of updates supplied by users.
Users can control display detail for informational displays & reports, and display filters to focus on relevant information. They can also create what-if scenarios to explore alternatives and/or supply updates, customise their Alert notifications and select the numeric & date representations that they prefer.
Users can import data from Excel spreadsheets.
Assessment managers and administrators can create interfaces to project planning tools including Primavera P9 and Microsoft Project, using simple guided sequences, that then support rapid synchronisation between project planning and project risk.


Independence of resources Clients' data is stored in secure, independent databases separate from each other. Hosting is provided on an "over engineered" platform, meaning that capacity for performance is high, secure and protected for users. RiskAid has been designed, from the start of its development, for collaborative use by large teams worldwide, and is implemented by experienced real-time software engineers for efficient execution using the minimum processing resources.


Service usage metrics Yes
Metrics types The full audit trail records all activity, which authorised users can then report on to see which users have been performing which actions and the changes they have made, including the date, time and reasons (which can be mandated).
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Using the built in data export facility to generate a CSV or Excel data file.
Data export formats
  • CSV
  • Other
Other data export formats Excel
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability RiskAid is available 24/7. The RiskAid server facilities have offered 99.988% availability for the last two years.
We guarantee 99% availability of the RiskAid server facilities, but cannot be held responsible for internet connectivity services outside our control. If the RiskAid server facilities are available for less than 99% over a calendar year, we will refund clients on a pro-rata daily rate proportional to their licence prices.
Approach to resilience Our datacentre service resilience policy is available on request.
Outage reporting Email alerts

Identity and authentication

User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels For obvious security reasons, this information is available on request
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We are currently applying for accreditation.
Our approach to security governance is set out in our security policies and applied in all our activities: to maintain client information and confidentiality, incorporate defensive security design in our product, RiskAid, host it securely and provide only secure encrypted access to it.
Information security policies and processes Our security policies and processes are available on request

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All commercial products used as components are integrated, tested and validated in-house before being deployed as part of live services.
All in-house developed components are integrated, tested and validated in-house, and incorporated in the live system in each RiskAid release, and as part of fault rectification.
All components are assessed for security impact as a whole system, for working domain separation, and against the individual user security model.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We assess the potential threats to our services based upon information supplied by component and associated product manufacturers, from our web host supplier, and from relevant trade and security associations. This information is matched against RiskAid's use of facilities and architecture, to identify relevant threats and then search for potential vulnerabilities. Any vulnerabilities identified are resolved as a priority.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Every access to RiskAid, successful or not, is logged. This log is regularly analysed to detect potential compromises. In addition, any error in RiskAid is emailed directly to key staff for immediate attention. Due to the security features in place, it is very likely that any potential compromise causes a fault, providing immediate warning. Any potential compromises are analysed and responded to as a matter of urgency, with detailed investigation, response definition and then response implementation. We respond to an incident within a day.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We have predefined processes for handling common events, which are regularly tested and proven. RiskAid automatically informs key Risk Reasoning staff of any errors detected. Users can also report incidents by email or phone. All incident reports are logged, allocated and actioned. Within the last three years, all incidents have been resolved within 3 working hours.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £300 to £3000 per user per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Usually this will be a 1 - 3 month trial of the software which includes telephone support and hosting but not on-site services.
