Governance Risk and Compliance Solution

Seeking a vendor to implement and customize a GRC solution, enhancing risk management, governance, and compliance across the organization.

Provide a Governance, Risk & Compliance (GRC) solution and associated services.
Align with Scarborough Health Network's Information Security GRC program and Integrated Risk Management (IRM) Framework.
Support Board governance functions.
Include full implementation, integration, customization, development, configuration, testing, and training services for the GRC solution.
Support policy management for information security policies and processes.
Ensure regulatory alignment with Ontario's Personal Health Information Protection Act (PHIPA) and PIPEDA.
Provide security framework controls alignment and tracking to industry standards (e.g., NIST CSF).
Support Threat Risk Assessment (TRA) aligned with Communications Security Establishment Canada (CSEC) methodology.
Offer Vendor Risk Management with a centralized repository for risk assessment.
Include a Risk Register for identifying, assessing, and tracking information security risks.
Provide automated quantitative and qualitative risk scoring.
Integrate with incident response workflows.
Support regulatory mapping of controls to PHIPA, PIPEDA, and other relevant standards.
Provide control frameworks for implementing and monitoring security controls.
Enable automated evidence collection and storage for compliance.
Offer audit readiness tools for internal and external audits.
Integrate with Security Information and Event Management (SIEM) systems.
Support Vulnerability Management and Endpoint Detection and Response (EDR) integration.
Provide real-time dashboards and custom reports for information security risk posture, compliance status, and incidents.
Feature a user-friendly interface, multi-tenant support, and secure mobile access.
Provide a centralized, customizable risk register for various risk types (clinical, operational, strategic, privacy, emergency).
Support risk categorization, documentation of risk events, and tracking of mitigation strategies and KPIs.
Enable regular monitoring, review, and archiving of risks.
Support assignment and tracking of risk ownership, accountability, and responsibility.
Enable reporting and escalation workflows for critical risks to the Board, CEO, and relevant committees.
Facilitate cross-functional coordination and sharing of risk information.
Include features for risk categories, risk scoring, risk history, residual vs. inherent risks, risk assessment intake, mitigation strategies, progress tracking, data visualization, and risk heatmaps.
Ensure risk register updates automatically trigger based on risk appetite/tolerance.
Generate and assign treatment tasks with owners and configure escalation rules.
Support privacy incident intake, management, notification, and reporting.
Provide features for data subject requests, privacy assessment submission, and record of processing activities.
Include Emergency Management (EM) features for exercises, activity training, notification, ownership, and accountability.
Support Internal Audit functions including artefacts, audit trail, documentation, ownership, accountability, and task assignment.
Provide documentation repository for Board materials, scheduling capabilities, and role-based access controls.
Capture Board/CEO resolutions, directives, and risk tolerance statements.
Support confidential voting workflows for Board/committee decisions with auditability.
Include Data Governance features such as ownership, stewardship, data inventory, data dictionary, data quality rules, and retention schedule.
Comply with PHIPA requirements for health information network providers (HINP).
Provide a Privacy Impact Assessment and Threat Risk Assessment if acting as a HINP.
Ensure Personal Health Information (PHI) is hosted in a System and Organization Controls 2 (SOC 2) compliant data center within Canada.
Encrypt PHI at rest and in transit with a minimum 256-bit encryption.
Ensure Purchaser's data is stored on servers exclusively within Canada and accessed only by Supplier's personnel located within Canada.
Maintain an information security program aligned with ISO 27001:2013 and NIST Special Publication standards.
Update software regularly for security vulnerabilities and notify Purchaser of breaches/vulnerabilities within 24 hours.
Maintain disaster recovery and business continuity plans.
Obtain and maintain an annual SOC 2 Type 2 report and complete a recent Threat and Risk Assessment (TRA).
Remediate critical, high, and moderate risks/vulnerabilities within specified timeframes.
Comply with the Accessibility for Ontarians with Disabilities Act (AODA) and its regulations.
Hold pricing firm for 6 months upon RFP completion.
Provide all prices in Canadian funds, exclusive of taxes.
Submit proposals online via Euna in English, adhering to specified formatting and file size limits.
Proponent must not have a conflict of interest or unfair advantage.
Proponent must have all necessary work permits and authorizations.
Proponent must ensure personnel are registered health care providers (if applicable) and in good standing.
Proponent must conduct criminal background and security checks on personnel.
Proponent must maintain comprehensive commercial general liability insurance (minimum $10,000,000 per occurrence).
Proponent must maintain cyber liability insurance (minimum $5,000,000 per occurrence).
Proponent must comply with the Workplace Safety and Insurance Act (Ontario) and Occupational Health and Safety Act (Ontario).
Services must not be the result of forced or child labor.
Environmental claims must be based on adequate testing.
Materials used must be first-class quality, new, and free from defects for 12 months.

$500,000 – $4,000,000

Question Deadline: March 30th, 2026, 14:00:00 ET

Addenda Posting Deadline: April 6th, 2026

Proposal Submission Deadline: April 13th, 2026, 14:00:00 ET

Proposal Irrevocability Period: 1 year from April 13th, 2026

Pricing Hold Period: 6 months upon RFP completion

Contract Term: 3 years with two 1-year options

Mohawk Medbuy Corporation

Organization overview and procurement intelligence available on paid plans.

The selected vendor will provide a comprehensive governance, risk, and compliance (GRC) solution. This project involves implementing a robust GRC platform to enhance information security governance, risk management, and compliance activities.

The GRC platform will support proactive and integrated enterprise-wide risk management and governance oversight. It is required to ensure decisions are traceable, actionable, and monitored throughout their lifecycle, aligning with relevant policies. Vendors will be responsible for application implementation, including customization, development, and configuration, as well as delivering dashboards and reports that provide governance views and board-level KPI reporting.

Governance Risk and Compliance Solution

Overview

Fit Score

SUMMARY

KEY REQUIREMENTS

BUDGET

CONTRACT DURATION

TIMELINE

QUESTION DEADLINE

Issuing Agency

DESCRIPTION

Similar RFPs