May 21, 2026 London

Tender: Governance Risk & Compliance Tool | British Business Bank

Description

The Authority aims to procure a scalable, integrated Governance, Risk and Compliance (GRC) software solution, capable of supporting its organisational growth and any required regulatory obligations. The solution is intended to consolidate risk data from across the Authority into a single platform that strengthens oversight, enhances analysis & reporting, improves operational efficiency, and ensures accountability. A GRC tool may also provide the opportunity to identify data synergies and move away from several systems used across the Authority.

Strategic Objectives

Integrated View of the Risk and Control Environment

A unified cloud-based platform will provide a single source of truth for risks, controls, incidents, actions and metrics. Full traceability will be maintained across taxonomies, business units, policies and key processes, improving framework integration, transparency and decision-making.

Data Driven Culture and Analytics

The system will enable trend analysis, early warning indicators and data-driven insights to support proactive management of current and emerging risks.

Operational Efficiency and Improved Ownership

An intuitive user experience, default ‘out-of-the-box’ configurability, guided workflows and automation will reduce manual effort and embed first-line ownership of risks and controls, while supporting second-line oversight and challenge.

High Quality Data and Reporting

Automated dashboards and configurable reporting to the Microsoft Office suite will streamline internal and external stakeholder reporting, including for senior management, committees and regulators.

Assurance and Regulatory Compliance

The platform will facilitate compliance with the UK Corporate Governance Code (including Provision 29) and relevant FCA expectations. Evidence trails, compliance monitoring and control testing will support a robust assurance framework.

Core Capability Requirements

Initial core capability requirements have been identified, with activities still ongoing to define the full scope of requirements and determine the business units into which a GRC tool may be implemented. A full prioritised list of requirements and business units identified as part of ongoing activities will be incorporated into future specifications.

The current core GRC solution must support, but not be limited to, the following key modules:

Risk & Control Management

– Risk and control library

– RCSA: inherent/residual assessments, control tiering and assessments, risk acceptances and out-of-tolerance management

– Heat maps, bow ties and risk scoring matrices

– Control improvement actions

– End-to-end traceability of risk, control and incident data by risk taxonomy, business unit, policy suite, and key processes

Control Testing

– Structured workflows, evidence capture and reporting to support assurance activities.

Data, Reporting & Analytics

– Configurable automated reporting

– UK Corporate Governance Code Provision 29-aligned reporting

– Data ingestion from internal and external sources

– Use of AI-assisted tooling where appropriate

Risk Appetite & Key Risk Indicators

– Capture, monitoring and reporting of KRIs and risk appetite metrics.

Incident Management

– Central reporting portal

– End-to-end incident lifecycle management, including automations

– Metrics and trend analysis

Policy Management

– Governance and maintenance of the policy suite

– Evidence-based assessment of policy effectiveness using risk, control, testing and incident data

Regulatory Compliance

– Compliance monitoring plan execution

– Horizon scanning and analysis of regulatory changes

– Impact assessment of external developments on the control environment

Ethics & Integrity

– Management and reporting of gifts and hospitality, conflicts of interest, personal account dealing and insider lists.

Internal Audit

– Audit planning and delivery workflows

– Action tracking and reporting

Non-Core Capabilities

While not central to the initial procurement, the system should also be capable of supporting:

– Business continuity and resilience

– Programme/project risk management

– Third party risk management

Total value (estimated)

  • £1,100,000 excluding VAT
  • £1,320,000 including VAT

Above the relevant threshold

Contract dates (estimated)

  • 6 October 2026 to 5 October 2032
  • Possible extension to 5 October 2034
  • 8 years

 

Description of possible extension:

Optional 2 year extension is applicable to this contract

Main procurement category

Services

CPV classifications

  • 72212170 – Compliance software development services
  • 72212442 – Financial systems software development services
  • 79212110 – Corporate governance rating services
  • 90711100 – Risk or hazard assessment other than for construction

Contract locations

  • UK – United Kingdom

Participation

Particular suitability

  • Small and medium-sized enterprises (SME)
  • Voluntary, community and social enterprises (VCSE)

Submission

Enquiry deadline

29 May 2026, 12:00pm

Submission type

Tenders

Deadline for requests to participate

5 June 2026, 12:00pm

Submission address and any special instructions

Tenders may be submitted electronically

Yes

Languages that may be used for submission

English

Award decision date (estimated)

22 September 2026


Award criteria

This table contains award criteria for this lot
Name | Type | Weighting
Quality Criteria | Quality | 65%
Commercial Offer | Price | 35%

Other information

Applicable trade agreements

  • Government Procurement Agreement (GPA)

Conflicts assessment prepared/revised

Yes


Procedure

Procedure type

Competitive flexible procedure

Competitive flexible procedure description

Procurement Specific Questionnaire

Invitation to Participate

Proof of Concepts

Reduced tendering period

Yes

Qualifying planned procurement notice – minimum 10 days


Contracting authority

British Business Bank Plc

  • Public Procurement Organisation Number: PGTM-8337-GYXM

2, West Street

Sheffield

S1 2GQ

United Kingdom

Contact name: Procurement

Telephone: 01142502892

Email: procurement@british-business-bank.co.uk

Region: UKE32 – Sheffield

Organisation type: Public authority – central government
