Risk Reasoning Limited


RiskAid is a powerful yet intuitive online collaborative tool to manage risk and uncertainty for projects, operationally or across an organisation. It incorporates advanced features such as "what if" scenarios, a full searchable audit trail, role based security, instant personalised reports and risk assessment hierarchies with knowledge aggregation and summaries.


  • Online collaborative risk management
  • Extensive online reporting, drill-down and graphical displays
  • Risk priority matrix ("heat map"), risk registers, risk improvement
  • Data import from spreadsheets and CSV files
  • Extensive user configurable displays and dashboards
  • "What if" scenarios for alternative models and instant compariosn
  • Hierarchical risk management with consolidation of results
  • Assessments saved as "snapshots" for comparison reporting
  • Comprehensive audit trail records every single change
  • Integrates with other tools such as Primavera


  • Enables collaborative team based approach to risk management
  • Shows ROI of taking appropriate action at the appropriate time
  • Imports existing data to preserve your existing risk management investment
  • Alternative solutions can be explored without affecting live assessments
  • Enables better informed decision making
  • Audit trail provides regulatory information with ease
  • Instant customisable displays and reports, personalised for each user
  • Rapid synchronisation with project planning tools such as Primavera


£300 to £3000 per user per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

8 1 1 4 8 2 7 3 9 8 0 7 1 3 1


Risk Reasoning Limited

Mark Swabey

08456 803457


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Available using any browser and browser version released within the last five years on PC, Apple Mac, tablets and smart-phones.
System requirements
  • Browser based software, any browser version in last five years
  • Requires internet connection

User support

Email or online ticketing support
Email or online ticketing
Support response times
Normal response to email support is within 2 hours.
Mean time between first email notification and resolution of problem or issue has been three working hours over the last five years.
We pride ourselves on providing a quick and responsive support service that all users can be confident to rely upon when needed.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
We have tested these facilities with colour-blind and visually-impaired users
Onsite support
Yes, at extra cost
Support levels
RiskAid support is included within the licence fee.
This includes error detection and rectification, planned maintenance and software upgrades, and help-desk support.
We reserve the right to charge for more general risk management discussions and advice, but this will always be discussed and agreed beforehand with the designated client authority.
Support available to third parties

Onboarding and offboarding

Getting started
We typically provide either online training or on-site training dependent on customer requirements. This can take the format of an interactive workshop. We also assist customers to import their own data or they can use the import facilities within RiskAid. Full online documentation is included in RiskAid as well as context-sensitive help and a range of short illustrated Briefing Notes on various aspects of collaborative risk management.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can extract data using the CSV export facility or we can export it for them if required.
End-of-contract process
At the end of a contract, users can export their data from the system to use how they see fit. Their access to RiskAid would then be removed. We can extract and provide data in various formats as required but there may be an additional cost for this service depending on the complexity.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
None, as the user interface is responsive to screen size and will arrange itself accordingly, making best use of the screen size and orientation.
Service interface
Customisation available
Description of customisation
Any user can create any number of risk assessments.
Assessment Managers and administrators control: Role-Based Access Control for each user to each assessment, Currencies used, Risk Probability Ranges,
Risk Impact Criteria and range definitions,
Multiple risk categorisations, approval of updates supplied by users.
Users can control display detail for informational displays & reports, and display filters to focus on relevant information. They can also create what-if scenarios to explore alternatives and/or supply updates, customise their Alert notifications and select the numeric & date representations that they prefer.
Users can import data from Excel spreadsheets.
Assessment managers and administrators can create interfaces to project planning tools including Primavera P9 and Microsoft Project, using simple guided sequences, that then support rapid synchronisation between project planning and project risk.


Independence of resources
Client's data is stored in secure, independent databases separate from each other. Hosting is provided on an "over engineered" platform meaning that capacity for performance is high, secure and protected for users. RiskAid has been designed, from the start of its development, for collaborative use by large teams worldwide, and is implemented by experienced real-time software engineers for efficient execution using the minimum processing resources.


Service usage metrics
Metrics types
The full audit trail records all activity which authorised users can then report on to see which users have been performing which actions and the changes they have made including the date, time and reasons (which can be mandated)
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Using the built in data export facility to generate a CSV or Excel data file.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
RiskAid is available 24/7. The RiskAid server facilities have offered 99.988% availability for the last two years.
We guarantee 99% availability of the RiskAid server facilities, but cannot be held responsible for internet connectivity services outside our control. If the RiskAid server facilities are available for less than 99% over a calendar year, we will refund clients on a pro-rata daily rate proportional to their licence prices.
Approach to resilience
Our datacentre service resilience policy is available on request.
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
For obvious security reasons, this information is available on request
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We are currently applying for accreditation.
Our approach to security governance is set out in our security policies, and conducted in all our activities, to maintain client information and confidentiality, incorporate defensive security design in our product - RiskAid, host it securely and provide only secure encrypted access to it.
Information security policies and processes
Our security policies and processes are available on request

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All commercial products used as components are integrated, tested and validated in-house before being deployed as part of live services.
All in-house developed components are integrated, tested and validated in-house, and incorporated in the live system in each RiskAid release, and as part of fault rectification.
All components are assessed for security impact as a whole system, for working domain separation, and against the individual user security model.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We assess the potential threats to our services based upon information supplied by component and associated product manufacturers, from our web host supplier, and from relevant trade and security associations. This information is matched against RiskAid's use of facilities and architecture, to identify relevant threats and then search for potential vulnerabilities. Any vulnerabilities identified are resolved as a priority.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Every access to RiskAid, successful or not, is logged. This log is regularly analysed to detect potential compromises. In addition, any error in RiskAid is emailed directly to key staff for immediate attention. Due to the security features in place, it is very likely that any potential compromise causes a fault, providing immediate warning. Any potential compromises are analysed and responded to as a matter of urgency, with detailed investigation, response definition and then response implementation. We respond to an incident within a day.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have predefined processes for handling common events, which are regularly tested and proven. RiskAid automatically informs key Risk Reasoning staff of any errors detected. Users can also report incidents by email or phone. All incident reports are logged, allocated and actioned. Within the last three years, all incidents have been resolved within 3 working hours.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£300 to £3000 per user per year
Discount for educational organisations
Free trial available
Description of free trial
Usually this will be a 1 - 3 month trial of the software which includes telephone support and hosting but not on-site services.

Service documents

Return to top ↑