Third-Party Risk Management
Capability Model Facilitates Rapid Identification of Weaknesses
By i-confidential Staff
Weaknesses in third-party risk management (TPRM) represent an ever-growing challenge for organisations.
The Executive Management Team at a global financial services company lacked a holistic view of the cyber risks across its third-party estate. The client asked i-confidential to conduct a review focusing on the cyber risk domain. We were to identify any weaknesses in the end-to-end TPRM process, whether they were the responsibility of Cyber Security or any other area.
Our TPRM Capability Assessment Framework was used to assess the client’s cyber security approach. The framework covers 23 capability areas, including foundational prerequisites such as roles and responsibilities, governance, policies, and the operating model. It is built on many years of experience working with large financial services organisations.
In this case, the assessment encompassed the entire organisation, including all types of third parties, overlaps with other operational risk domains, and the identification of critical fourth and fifth parties. The client’s risk appetite and impact tolerance were also considered.
An interview process covering all relevant role holders was completed, and observations were syndicated back to both the interviewees and sponsors to verify accuracy. The findings were then risk-assessed, and capability improvements were recommended to enable prioritisation in line with the Board’s risk appetite statements.
A report was published with capabilities grouped into three risk-based categories. The highest-priority category signalled where immediate attention was required. The exercise was completed in five weeks.
The review identified weaknesses across 20 of the 23 capabilities. Five capabilities were identified as high priority, requiring immediate attention. Significantly, only one high-priority capability was a responsibility of the Cyber Team.
The other four, inadequate third-party inventory management, a broken inherent risk assessment process, poor exit management, and weak oversight of remediation activity, all lay with other departments.
The client’s Head of Cyber Security was able to explain to the Executive and Board the need for a holistic approach to TPRM and an upgrade of supply-chain management processes. He stressed that if the organisation failed to fix processes outside the Cyber function’s control, he could not provide the required level of comfort regarding cyber security in third parties.
The Executive recognised these foundational weaknesses in the TPRM approach and that they would exist within other operational risk domains. A remediation exercise was launched and the client moved rapidly to address the issues identified.