The New York State Office of the State Comptroller (“OSC”) intends to procure cloud-based Enterprise Risk Management Software-as-a-Service (“Solution”) pursuant to its discretionary purchasing authority under State Finance Law §163(6). This procurement opportunity is limited to New York State businesses certified pursuant to Article 15-A of the New York State Executive Law, and businesses certified pursuant to Article 3 of the New York State Veterans’ Services Law.
Background
OSC currently uses Microsoft Excel or Word to perform risk assessments and record testing results. A standard spreadsheet template is used by business units to report risks, corrective actions, and respond to a questionnaire. Additionally, a Word document is used by the business units to certify the results of the risk assessment. OSC uses a separate Excel spreadsheet to document and rate the business functions. These documents are all maintained and stored by the OSC Internal Control Office (“ICO”). ICO uses data from these documents to update risks and corrective actions in an Access database. Also included in this database is the date of each business unit’s certification and its associated risk categories. The information is transferred manually from the Excel spreadsheets and Word documents to the Access database. Reports are generated using Tableau with data pulled from Excel spreadsheets and the Access database. Generating reports involves significant manual work to ensure graphs are correctly portrayed and formatted.
OSC is seeking a qualified proposer (“Contractor”) who will provide and implement the Solution. The Solution will (1) automate the collection of risk assessment data and streamline the reporting of risks to executive management and (2) demonstrate compliance with the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) Framework.
STATEMENT OF WORK
The Contractor shall perform the Services as detailed in Attachment A (Statement of Work) posted to OSC’s website at: https://www.osc.state.ny.us/procurement.
MINIMUM QUALIFICATIONS
A proposer must meet the following minimum qualifications to be considered:
1. The proposed Solution must specialize in enterprise risk management and have the ability to perform risk assessments and record testing results.
2. The proposed Solution must be cloud-based.
3. The Proposer must have successfully implemented the proposed Solution in at least two organizations with 2,000 or more employees, at least one of which must be a public sector entity, within the six years preceding the proposal due date.
4. The Project Manager must have a minimum of two years of experience implementing the proposed Solution.
5. The proposed Solution must have the ability to integrate the most recent COSO Framework within the risk assessment.
ADDITIONAL INFORMATION
Interviews and Product Demonstrations
During the evaluation process, proposers may be required to conduct a product demonstration and participate in an interview, either in person or virtually, that is arranged by OSC. The product demonstration and interview will be an opportunity for the proposer to demonstrate the proposed Solution, and for OSC to interview the proposer, obtain clarification, if needed, and to substantiate the characteristics and attributes claimed within the written response. The interview should confirm the proposer’s ability to provide the required services. The proposer, including Project Manager and any key personnel, should be present and participate in the interview. Proposers will be provided with guidelines for the product demonstration at least two weeks prior to their product demonstration. Proposers who cannot be contacted via telephone or email to arrange the interview after three attempts by OSC may be disqualified.
Solution Security Requirements
Upon notice of conditional award, the Contractor shall submit a third-party assessment and certification that the Solution complies with an industry- or government-accepted security framework (e.g., FedRAMP, ISO 27000 series) and meets the security requirements listed in this Section. If the Contractor cannot provide such third-party assessment and certification, the Contractor shall submit a completed Consensus Assessment Initiative Questionnaire (“CAIQ”), available at: https://cloudsecurityalliance.org.
OSC may require the Contractor to 1) address security concerns identified by OSC to ensure data confidentiality, integrity, and availability in both normal and contingency situations; 2) provide additional information regarding the Contractor’s existing security controls; and 3) implement additional controls. OSC may require the Contractor to provide the results of assessments of the selected Proposer’s compliance with an industry- or government-accepted security framework that becomes available after conditional award and throughout the term of this Agreement.
OSC may decline to make a final award to any conditionally awarded Contractor that OSC concludes is unable to demonstrate that its security measures, processes, standards, and/or policies sufficiently align with the security requirements stated in this Section and as required by applicable law or regulation. Upon such determination, OSC may elect to grant the award to the next-highest scoring Proposer. OSC may simultaneously engage in discussions with multiple Proposers regarding their security practices.
SUBMISSION REQUIREMENTS
Proposers responding to this solicitation should submit the following:
· Attachment B – Response Form
· Attachment C – Cost Response Form
· Resume for proposed Project Manager
· Proposer’s Standard Service Level Agreement (SLA)
Interested proposers should submit a response to RFP@osc.ny.gov (preferred) or via hard copy mail to:
Director of Finance
Office of the State Comptroller
110 State Street, Stop 13-2
Albany, NY 12236-0001
All documents related to this procurement are available on the OSC website at: https://www.osc.state.ny.us/procurement.
The proposer must be willing to enter into an agreement substantially in accord with the terms of the Draft Contract posted to the OSC website should the proposer be selected for contract award.
NOTE: Procurement documents may, from time to time, be amended or addenda issued. It is the proposer’s responsibility to become aware of any such amendments and/or addenda prior to submission of a response. All amendments and/or addenda to procurements will be posted to the OSC website at https://www.osc.state.ny.us/procurement.
Proposers should review the OSC website prior to submission of a response to ensure that they have all information required to submit a complete response.
This procurement is subject to, and shall be conducted in accordance with, the OSC Executive Order on Procurement Integrity and OSC’s Procurement Integrity Procedures, both of which are available in full on the OSC website noted above, or upon email request. All inquiries concerning this procurement must be addressed to the Contracting Officer or designee(s) at OSC, via email (preferred) to RFP@osc.ny.gov or via hard copy mail to:
Director of Finance
Questions for Contract #C001193
Office of the State Comptroller
110 State Street, Stop 13-2
Albany, NY 12236-0001
Questions regarding this procurement opportunity must be received by OSC by 4:00 p.m. EST on 09/22/2025. The comprehensive list of questions and responses will be posted to the OSC website on or about 10/6/2025. This listing will not include the identities of the vendors submitting the questions; those vendors will remain anonymous to the extent allowed by law.