199 RT101 Suite 1B

Amherst NH 03031


What are Professional and Advisory Services?

Professional services firms exist in many different industries. They include lawyers, technology experts, process experts, advertising professionals, architects, accountants, financial advisers, engineers, and consultants. In truth, they can be any organization or profession that offers highly customized, knowledge-based services to clients.

CastleHill Managed Risk Solutions has deep experience in Enterprise Risk Management (ERM), both from a business and technology perspective. We are experts in creating, improving and executing ERM systems (in multiple business areas) that generate real value for our clients.

How do Professional and Advisory Services benefit me?

Adopting Professional and Advisory Services is highly regarded as an efficient way to stay up to date on technology, have access to specialized skills and backgrounds, enjoy significant continuity of resources, and address a range of issues related to cost, quality of service and risk.

What industry verticals and risk management domains are you most aligned to?

We are primarily focused on financial services, insurance, healthcare, pharma, higher education and media delivery. Because “enterprise risk” implies all risk areas in an organization, it’s easier to break down the domain answer by saying internal & external / business & technology. However, because that’s not a helpful description, a few examples would be unified systems that include the following components:

Third-party (vendor) risk management (TPRM), regulation and standards management, document management, incident management, issue management, policy and procedure management, risk assessment and control structures, enterprise integration, risk reporting and business intelligence.

Do you respond to RFPs?

Yes, when we feel the project description is a good fit for our areas of expertise.

Do Professional and Advisory Services teams work onsite or remotely?

The answer is both, depending on the nature of the work being performed. The majority of our consultants work remotely with several onsite visits as the work demands. However, we also have engagements where a small team may be onsite more than 80% of the time.

How are your professional and advisory services teams structured? Is it a senior resource with junior resources learning and performing under the group manager?

No. All CastleHill consultants have an average of 13 years' professional experience and act as Subject Matter Experts in two or more specialized domains. We do not hire junior resources** (on Professional and Advisory Services teams) due to the need for fast, accurate delivery of targeted solutions. Many companies (the “Big 4” for example) necessarily need to hire junior resources in order to moderate blended hourly rates, thus diminishing the impact of costs associated with (very expensive) principal and senior level consultants. Although this is generally accepted in the industry, CastleHill rates are already cost effective across the board, so we do not have a need to dilute our invoices. So, no junior resources.

**CastleHill is a big believer in mentoring and professional development. We do have excellent interns and junior resources aligned to GRC as a Service as well as some managed services and implementation/integration functions. Some of our best people have developed through those service offerings!

What are managed services anyway?

Managed service is the practice of proactively outsourcing management responsibilities and functions and is also a strategic method for improving operations and cutting expenses. Managed services are an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer for work done on a time and materials basis.

Under the managed service subscription model, the client (that’s you) owns or has direct oversight of the system being managed. The managed services provider (MSP) delivers the managed services; CastleHill is the RSA Archer MSP. The client and the MSP are bound by a contractual service-level agreement that states the performance and quality metrics of their relationship.

How do managed IT services benefit me?

Adopting managed services is known to be an efficient way to stay up to date on technology, have access to necessary skills, enjoy continuity of resources, and address a range of issues related to cost, quality of service, and risk.

CastleHill will establish a single point of contact for all your RSA Archer managed service requirements, including configuration and maintenance. Post-implementation, remote monitoring of system logs and critical services allows us to proactively identify potential issues with your RSA Archer platform instances that may cause downtime.

A sampling of managed services we provide includes setup, installation, configuration, real-time service and event log monitoring, anti-virus/anti-malware software installation and updates, change control, controlled platform updates and patching, managed firewall protection, client VPN access, and personalized monthly status reports.

Will I have one point of contact to call when I have problems?

Yes! Our best-in-class RSA Archer Service Desk will be your single point of contact for all of your support needs. Our service desk team has cultivated a specific skill set and a clear understanding of the business model and their role in IT.

What if I have an emergency issue in the middle of the night?

Your service desk will be readily available during your standard operating hours, and a Level 2 Support expert will be assigned to your account and available 24/7.

What kind of response times can I expect?

We work with each client to establish specific expectations around service level agreements (SLAs).

What if I need more than standard managed IT services?

CastleHill is a leader in both technology and strategic RSA Archer consulting services. Our governance, risk and compliance experts can provide an in-depth assessment of your organization’s RSA Archer needs and then guide you through any deployment, project, upgrade, or other business need.

Please contact us for any additional inquiries! We’re happy to answer your questions.

How does implementation differ from enablement?

Implementation guides you through the entire process and involves the actual setup of your CastleHill system. It also makes sure your CastleHill system is ready to go live based on your customizations. Enablement means you’ll have a CastleHill resource available for on-site assistance. Their job is to make sure you have a successful deployment, and your team is well prepared to use your CastleHill system going forward.

When can I go live?

We’ll work with you to determine the best time to go live in your environment – normally your new CastleHill system will be live within 45-60 days. If you need a faster implementation, we also offer expedited deployments.

What comes included in the implementation fee?

We have a variety of different implementation packages to fit your needs.

  • A dedicated implementation consultant who will walk you through the requirement gathering, configuration, and testing processes to ensure your application is created with supportability and sustainability in mind.
  • Web-based coaching for training your agents, including a live Q&A to answer your team’s questions.
  • Configuration and customization of your initial set-up.
  • On-site education, if needed.
  • An on-site member of our enablement team to handle deployment details.

What if the scope changes during our implementation?

We just assume it will. In most cases, minor course corrections and the addition of platform features or integrated functions can be accommodated fluidly. In those cases where scope changes and integration paths fundamentally change the target state agreement or project tempo, change orders can be initiated to cover cost and resources tied to the new requirements.

What options do you have for end-user training of the solution?

We have many options available, ranging from web-based conferencing and seminars to in-person or shoulder-to-shoulder sessions at your facility. Remember that enablement is a huge part of the services we provide. We want you to be successful, and we ensure stakeholders and internal resources are kept up to speed during the entire project lifecycle, not just as we near completion.

Who is the main point of contact for questions during the different implementation and integration phases?

You’ll have a dedicated implementation team with a principal team lead who will be your main point of contact throughout the project. We also have customer care and customer success teams that can assist you throughout the engagement.

Who is my main point of contact after we go live?

Our customer care team is available 24/7/365. We also have options for using dedicated customer success managers. No matter which options you choose, you’ll be supported by a superior team of professionals.

How do I monitor the progress of our implementation or integration engagement?

We’ll set up key milestones, so you can keep tabs on progress as we go. Weekly status meetings with your project team will be used to review the project plan, identify what’s good, what needs to improve and progress towards the milestones. Our project teams are both professional and transparent. Stakeholders will always know where they stand in the project lifecycle.

What is CastleHill GRC as a Service (GRCaaS) all about?

It’s about increased effectiveness, reduced costs and the establishment of new risk management capabilities for our clients. We believe that improved efficiency, effectiveness and productivity drive profitability for our customers. CastleHill GRC as a service leverages the business process outsourcing (BPO) model to execute a wide range of enterprise risk management and support functions. CastleHill GRCaaS frees up our client’s key strategic resources to focus on their core business, find cost savings, operate more effectively and be more efficient as an organization.

Who are your customers and what is the engagement model?

We serve businesses and institutions operating in high-risk and highly regulated environments. Our employees work externally as dedicated risk management teams on behalf of our customers, ensuring the highest level of service, professionalism and proficiency possible. We assign subject matter expertise and teams of domain professionals to each customer, providing:

  • Experienced, responsive domain experts and GRC professionals
  • Familiarity and resource continuity
  • Single points of contact
  • Elimination of call trees and support tiers
  • Elimination of single points of failure


What are the CastleHill GRC as a service core deliverables?

CastleHill GRC as a Service delivers an end-to-end outsourced management capability that handles the day-to-day tactical functions of establishing, running and monitoring governance, risk and compliance programs. Engaging with CastleHill ensures support for critical decision-making processes, continuous improvement of governance, risk and compliance management programs, and rapid, controlled responses to increased regulatory scrutiny of a temporary or sustained nature.

Working with CastleHill Managed Risk Solutions means:

  • Establishing an outsourced risk and compliance management function that creates a clear division between the process of monitoring risk and the management of risk.
  • Providing a fully managed, fully hosted technology solution that eliminates risks and limitations associated with using common office products as the primary tools supporting critical, risk-aligned business functions.
  • Aggregating and provisioning actionable data that drives client organizations toward meaningful improvements in enterprise governance, risk and compliance management functions.
  • Reducing client costs by decreasing latency and improving communications workflow, while still improving the effectiveness and efficiency of critical business process activities.
  • Establishing or improving oversight of regulatory, policy and procedure, process, vendor and control management programs.
  • Introducing well-managed and scalable solutions for accommodating rapid change to business, technology and compliance risk environments.


What are some of the services included with CastleHill GRC as a Service (GRCaaS), and what are some of the outputs?

Our services and deliverables are tied to business objectives aligned to strengthening not only the business value of strong GRC management, but the improvement of your organization’s supporting business processes as well. Our GRC business and technology professionals accomplish these objectives through delivery of:

  • Internal systems development
  • Risk management process engineering and continuous improvement
  • Execution of key governance, risk and compliance functions
  • Risk data aggregation, reporting and business intelligence
  • Risk platform configuration and deployment
  • Best practice advisory and support services
  • Real-time feedback, issue management and actionable data


What, in addition to successful delivery of an outsourced capability, are the CastleHill criteria for success?

Critical success factors include, but are not limited to, the following:

  • Improved operational workflows and measurable decreases in GRC program lifecycle times
  • GRC program transition to fixed cost and observed cost savings as a dimension of resource overhead, time and effort
  • Improved GRC program communications and establishment of effective feedback loops
  • An observed improvement in reporting accuracy and sustained client access to actionable data
  • An observed improvement to compliance environment efficiency, effectiveness, scalability, and sustainability

In some cases, evidence of success is plainly observable while, in others, metrics may need to be applied as baselines early and monitored on an ongoing basis. Specific criteria and baseline measurements may be different for each client. However, typical success indicators are inclusive of timeliness and accuracy of control testing, compliance assessments, assessment lifecycle times including certification, overall remediation lifecycle times, time to remediation (issue management) for individually underperforming areas, and the availability, accuracy and effectiveness of organizational reporting.

What and how many GRC programs can I outsource?

You can let CastleHill handle as many or as few programs as you’re comfortable with. We generally apply a proof of concept in one or two areas at first, then move on to integrate additional areas of focus as the client becomes more comfortable with the process. For example, we might begin with third-party risk and issue management, moving on to controls and document management soon after. As you add additional program scope, the process and supporting systems become increasingly effective even though the costs associated with GRC as a service remain largely level!

Some of the GRC programs that can be fully developed and managed by CastleHill:

  • Vendor Management and Third-Party Risk Management
  • Regulatory Compliance
  • Issue Management
  • Incident Management
  • Library Management (Risks, Policies & Procedures, Processes, Regulations and Standards)
  • Business Impact, Business Continuity and Disaster Recovery Program Management
  • Document Management
  • Custom GRC Program Development and Execution


What does service delivery look like in the beginning, and how does it change as we progress through the program?

Your program will be executed and managed by a dedicated team of GRC professionals, all with specific domain expertise.

Trial Period: We start with a trial period designed to quickly onboard an effective baseline capability, such as vendor management or issue management. The trial period is intended to ensure low overhead entry into your organization over a period of a few months, allowing you to observe, engage in the process handoffs and evaluate the outputs. After completion of the trial period, we can evaluate your overall program performance and decide what direction is required in moving forward with additional solutions for GRC management.

Project Normalization (ongoing): In this phase, we begin to mature your GRC programs through a process of continuous improvement. We work to build in structured methodologies and best practice, integrating your outsourced programs with your complete enterprise risk function. We also work to centralize and onboard additional GRC areas, as the capabilities continue to increase and more value is driven out of the program.

Do program costs increase as additional GRC areas are added to the overall scope?

Of course. However, the spend increase is so minimal that we’ve never actually received pushback on the pricing. For example, if CastleHill is already handling vendor management, third-party risk management and issue management for a client, and they decide the entire RCSA and contract management should be onboarded as well, total cost increase for the added capability would probably be about 6%. The economy of scale with CastleHill GRC as a Service (GRCaaS) is a major contributor to our incredible ROI.

Are your services cost-effective?

Yes. CastleHill GRC as a Service (GRCaaS) can cut your GRC program operating costs by 75% or more, and you probably don’t have to lay off resources post implementation to get there. No kidding. Even better, GRCaaS has never failed to improve the effectiveness and continuity of a previously existing, internally managed, GRC function. Our reputation for cost savings, program improvement and high-quality output is unblemished.

What qualifications do your employees hold?

At CastleHill, client teams are staffed with only the most qualified and experienced professionals, ensuring we provide our customers with quality solutions and high-value interactions. Most CastleHill employees hold certifications in their specialty domain (CISSP, GSEC GIAC, CISA, HCISPP, CTPRP, CVPM), while others are simply among the best at what they do. We hire quality people to provide quality results.

Note: Although we do train high potential candidates in specific domains, we do not dedicate these junior professionals to client teams without them first achieving a high level of proficiency as “floating” resources.

Do you have the adequate infrastructure and technology to support my business processes?

Yes. Our systems are actively managed, completely modern and entirely scalable.

Do you sign non-disclosure agreements and SLAs?

Yes. We sign non-disclosure agreements and service level agreements for every customer who outsources to CastleHill.

I want to discuss CastleHill GRC as a Service details and opportunities. What should I do?

Call or email us!

  • Phone: +1 603 259 4007
  • Email: support@castlehillrisk.com
  • Mailing Address: P.O. Box 1402 Amherst NH 03031
  • Physical Address: 199 RT101 Suite 1B Amherst NH 03031