The Organization for Security and Co-operation in Europe (OSCE) is an international non-profit organization with its Secretariat in Vienna, Austria; detailed information about the work of the OSCE is available at www.osce.org
Risk Management at the OSCE
The Department of Management and Finance (DMF) provides services in the area of finance, budget, information and communication technology, procurement and assets management, as well as in maintaining the system of internal control and a supporting risk-based approach to management decision-making that facilitates achieving OSCE´s objectives. This is achieved through proactive identification, evaluation and control of strategic, security and operational risks across the OSCE.
In 2008, the OSCE implemented a web-based Enterprise Risk Management software that supports the collection of risks across the OSCE and reporting on them. The Contract for existing software expires at the end of December 2019.
In general, the OSCE is satisfied with the current software solution but interested to learn about alternative products, their technical capabilities, and related pricing information to decide to stay with the current solution or migrate to an alternative platform.
Given the above, the OSCE is interested in receiving feedback from the market operators on the following information:
1. Product name;
2. Service options - cloud-based vs. on premises and related costs;
3. Functional capabilities including:
a) Support for Internet Explorer and Chrome browser;
b) Enable the OSCE to manage risk in a structured way and assist with embedding the ownership, management, review and reporting of risks to stakeholders, in accordance with the ISO 31000 standard;
c) Provide a full mapping of risks, controls, ownership, risk status, control status;
d) Access real-time interactive dashboards and reporting tools allowing to get to the data that is needed promptly for further analysis and/or decision-making;
e) Customize reports and their format, including how the reports can be customized and what special knowledge is required;
f) Customize naming of the fields to be consistent with the OSCE naming convention;
g) Operate two sets of naming for the fields to allow for differing terminology for security and operational risks;
h) Create drop-down lists with standardized sets of risks and controls;
i) Register cross-cutting risks and
j) Possibility to include audit recommendations, tracking, compliance and other business functions. Possibility to cross-link the data (e.g., audit recommendations to the new controls proposed).
4. Technical requirements in case of on-premises hosting (e.g., hardware, operating system, database, software, etc.);
5. Data migration from existing platform to a new solution;
6. Availability and scope of technical support function and related cost. If initial support is provided for free, please specify the timeframe;
7. A possibility of data exchange (integration) with Oracle ERP;
8. API functionalities;
9. Export and import of data from external sources (e.g., Excel, MS-SQL);
10. Demo access;
11. References (e.g., implementation and usage in the international organizations and agencies, e.g., UN, World Bank, etc.), preferably with a point of contact from the reference;
12. Pricing and licensing information, including all incurred costs for three years:
a) One-time implementation costs;
b) Ongoing operational costs (yearly);
c) Licensing structure and prices and
d) Other costs if applicable.
The feedback on the above requirements is required by the OSCE to evaluate the quality of the current system and support the decision making process toward a new system.
There is no specific format for providing your response to this RFI; however, the inclusion of an answer on the above twelve points, including the detailed pricing information is mandatory.
Request for Information procedure
Interested Vendors wishing to participate in the Request for Information process are requested to submit their responses by email to Yury Golovkov at firstname.lastname@example.org by 30 April 2019.
All responses will be rated against the requirements stipulated in this document. At the end of the evaluation process, Vendors will be notified regarding the outcome of this process.