Third-Party Risk Management II
Comprehensive Capability Model Enables Rapid TPRM Upgrade
By i-confidential Staff
Weaknesses in third-party risk management (TPRM) are being exploited by bad actors with increasing frequency.
External auditors expressed some concern about an investment management company’s approach to third-party cyber risk. The board requested that the executive make improvements based on the audit feedback.
Several of the recommendations required a revamp of the company's third-party cyber risk policy.
The company approached i-confidential and asked for our help.
Our TPRM Capability Assessment Framework was used to identify the changes required. The framework covers 23 capability areas, including foundational prerequisites such as roles and responsibilities, governance, policies, and operating model. It is built on our experience of working with financial services organisations over many years.
In this case, we needed to map the capability framework to the client’s TPRM policy.
We then identified gaps in the current documentation and drafted a set of prioritised improvement recommendations based on industry good practice.
A specific observation by the auditors was the lack of an inherent-risk scoring matrix. This is an important tool in identifying and prioritising risks. We created a four-tier scoring matrix aligned to the client’s risk appetite and impact tolerance guidelines, which was embedded in the new policy.
Following a review with key stakeholders, the new policy was adopted by the client. The whole exercise was completed in four weeks.
The new policy highlighted three significant weaknesses which needed to be addressed:
1. Inadequate third-party inventory management.
2. An immature inherent-risk assessment process.
3. The lack of a risk-weighted treatment strategy.
These weaknesses undermined the effectiveness and efficiency of the client’s risk management efforts.
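The following is an added illustration, not the client's matrix or any i-confidential material, of how an inherent-risk scoring matrix of the kind mentioned above can be expressed so that it addresses all three weaknesses at once: it validates the third-party inventory before scoring, maps each supplier onto four tiers, and attaches a risk-weighted treatment (assurance depth and review cadence) to each tier. The criteria, weights, thresholds, treatment rules and supplier records are hypothetical and constructed for the example; a real matrix would be calibrated to the organisation's own risk appetite and impact tolerances.

```python
"""Inherent-risk scoring matrix feeding a risk-weighted treatment plan.

Added example. Criteria, weights, tier thresholds, treatment rules and the
sample inventory are all hypothetical; none of them come from the article.
"""
from dataclasses import dataclass

# Assumed scoring criteria: each attribute of an engagement maps to 0..3.
CRITERIA = {
    "data": {"public": 0, "internal": 1, "confidential": 2, "restricted": 3},
    "access": {"none": 0, "read": 1, "read_write": 2, "privileged": 3},
    "criticality": {"low": 0, "medium": 1, "high": 2, "critical": 3},
    "connectivity": {"none": 0, "file_transfer": 1, "api": 2, "network": 3},
}
# Assumed weights expressing risk appetite (data handling weighs most).
# Weights sum to 20, so the maximum raw score is 60.
WEIGHTS = {"data": 7, "access": 5, "criticality": 5, "connectivity": 3}

# Four-tier matrix: lowest raw score that qualifies for each tier (1 = highest).
TIERS = [(45, 1), (30, 2), (15, 3), (0, 4)]

# Assumed risk-weighted treatment: deeper assurance and shorter review cycles
# for higher tiers, so effort follows inherent risk instead of being uniform.
TREATMENT = {
    1: {"review_months": 6, "assurance": "independent assessment and evidence review"},
    2: {"review_months": 12, "assurance": "evidence review (certifications, pen-test summary)"},
    3: {"review_months": 24, "assurance": "questionnaire with sampled evidence"},
    4: {"review_months": 36, "assurance": "self-attestation"},
}

REQUIRED_FIELDS = ("name",) + tuple(CRITERIA)


@dataclass(frozen=True)
class ThirdParty:
    name: str
    data: str
    access: str
    criticality: str
    connectivity: str


def validate_inventory(records):
    """Inventory hygiene: return (clean third parties, data-quality issues).

    Incomplete, unrecognised or duplicate records are reported rather than
    silently scored, because an unscorable supplier is an unmanaged one.
    """
    clean, issues, seen = [], [], set()
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            issues.append((rec.get("name", "<unnamed>"),
                           "missing fields: " + ", ".join(missing)))
            continue
        bad = [f for f in CRITERIA if rec[f] not in CRITERIA[f]]
        if bad:
            issues.append((rec["name"], "unrecognised values for: " + ", ".join(bad)))
            continue
        key = rec["name"].strip().lower()   # crude normalisation for duplicates
        if key in seen:
            issues.append((rec["name"], "duplicate entry"))
            continue
        seen.add(key)
        clean.append(ThirdParty(**{f: rec[f] for f in REQUIRED_FIELDS}))
    return clean, issues


def inherent_score(tp):
    """Weighted sum of criterion scores, 0..60 under the assumed weights."""
    return sum(WEIGHTS[c] * CRITERIA[c][getattr(tp, c)] for c in CRITERIA)


def inherent_tier(score):
    """Map a raw score onto the four-tier matrix."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    raise ValueError("score below zero")


def treatment_plan(records):
    """Validate, score and tier an inventory; rows come back highest risk first."""
    clean, issues = validate_inventory(records)
    rows = []
    for tp in clean:
        score = inherent_score(tp)
        tier = inherent_tier(score)
        rows.append({"name": tp.name, "score": score, "tier": tier, **TREATMENT[tier]})
    rows.sort(key=lambda r: (r["tier"], -r["score"]))
    return rows, issues


# Constructed sample inventory with fictional suppliers, including one
# incomplete record and one duplicate to exercise the inventory checks.
SAMPLE_INVENTORY = [
    {"name": "CloudCustody Ltd", "data": "restricted", "access": "privileged",
     "criticality": "critical", "connectivity": "api"},
    {"name": "PayrollSaaS", "data": "confidential", "access": "read_write",
     "criticality": "high", "connectivity": "network"},
    {"name": "MarketDataFeed", "data": "internal", "access": "read",
     "criticality": "medium", "connectivity": "api"},
    {"name": "OfficeCatering Co", "data": "public", "access": "none",
     "criticality": "low", "connectivity": "none"},
    {"name": "LegacyPrintCo", "data": "internal", "access": "read"},
    {"name": "payrollsaas", "data": "confidential", "access": "read_write",
     "criticality": "high", "connectivity": "network"},
]

if __name__ == "__main__":
    rows, issues = treatment_plan(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['name']:<18} score={r['score']:>2} tier={r['tier']} "
              f"review every {r['review_months']} months: {r['assurance']}")
    for name, problem in issues:
        print(f"INVENTORY ISSUE: {name}: {problem}")
```

The point of keeping the thresholds and treatment table as plain data is that the matrix can be re-calibrated against the organisation's risk appetite (for instance, raising the tier 1 threshold or shortening its review cycle) without touching the scoring logic, and every supplier's tier can be reproduced and challenged from its inventory record alone.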
The client’s head of operational risk was able to explain to the executive and board the priorities for remediation and gain sponsorship to drive the required improvements.
The executive acknowledged the recommendations and approved a remediation programme. The programme was launched only seven weeks after i-confidential was first engaged and, together with the client, we moved rapidly to address the identified issues.