Skip to main content

Request for Information (RFI): Enterprise Risk Management Software

Reference Number
Enterprise Risk Management Software
Procurement procedures
Request for Information (RFI)
Launch date
01 July 2016
, Europe/Vienna
Expected contract duration
5 years
On behalf of

Summary of Requirements



The Organization for Security and Co-operation in Europe (OSCE) is an international non-profit organization with its Secretariat in Vienna, Austria; detailed information about the work of the OSCE and its presence is available at

Risk Management at the OSCE

The Department of Management and Finance (DMF) provides services in the area of finance, budget, information and communication technology, procurement and assets management, as well as in maintaining the system of internal control and a supporting risk-based approach to management decision-making that facilitates achieving OSCE´s objectives. This is achieved through proactive identification, evaluation and control of major, security and operational risks across the OSCE.

In 2008, the OSCE implemented a web-based Enterprise Risk Management software that supports the collection of risks across the OSCE and reporting on them.

At present, the OSCE is satisfied with the current software solution but interested to learn about alternative products, their technical capabilities, and related pricing information.


In view of the above, the OSCE is interested to receive feedback from the market on the following requirements:
1. Product name;
2. Service options - cloud based vs. on premises;
3. Functional capabilities including:
• Multiple browser;
• Enable the OSCE to manage risk in a structured way and assist with embedding the ownership, management, review and reporting of risks to stakeholders;
• Provide full mapping of risks, controls, ownership, risk status, control status;
• Access real-time interactive dashboards and reporting tools allowing to get to the data that is needed promptly for further analysis and/or decision-making;
• Customize reports and their format;
• Customize naming of the fields to be consistent with the OSCE naming convention;
• Operate two sets of naming for the fields to allow for differing terminology for security and operational risks;
• Create drop-down lists with standardized sets of risks and controls;
• Register cross-cutting risks;
• Possibility to include audit recommendations, tracking, compliance and other business functions.  Possibility to cross-link the data (e.g. audit recommendations to the new controls proposed).
4. Technical requirements;
5. Data migration from existing platform to a new solution;
4. Availability of technical support function and related cost. If initial support is provided for free, please specify the timeframe;
5. Possibility of data exchange (integration) with Oracle ERP;
6. Demo access;
7. Success stories (e.g., implementation and usage in the international organizations and agencies e.g., UN, World Bank, etc.;
8. Pricing and licensing information.

The feedback on the above requirements is required by the OSCE to evaluate the quality of current system and support the decision making process toward new system.

Request for Information procedure

Interested Vendors wishing to participate in the pre-qualification process are requested to submit relevant pre-qualification documentation by email to Yury Golovkov at by 28 August 2016 22:00HRS CET.

All responses will be rated against the mandatory requirements and pre-qualification criteria. At the end of the evaluation process, Vendor will be notified where its response rated as acceptable or not.

OSCE Disclaimer

The OSCE reserves the right to accept or reject any pre-qualification documentation, and to annul or to suspend the pre-qualification and subsequent tender process and reject all solicitations at any time and without reason prior to the date of Contract Award, without thereby incurring any liability or responsibility to affected participants of this pre-qualification or tender process.