Third-Party Risk Management Policy
Upgraded TPRM Processes Deliver Clarity and Improve Decision-Making
By i-confidential Staff
A financial services company asked i-confidential to assess the design adequacy and operational effectiveness of its key technology cyber security controls. One of the significant gaps identified was the immaturity of its third-party risk management.
The client was impressed by the i-confidential approach, engagement style, and skills transfer ethos. As a result, the client contracted us to update its technology third-party risk management (TPRM) policy and processes in line with financial services industry good practice. The board requested rapid remediation of a few related issues, which in turn depended on these updates being in place.
The client’s TPRM approach was not prioritised according to the inherent risk of each third party, and the associated assurance and remediation processes were immature.
It was recognised that the risk of a third-party incident was above risk appetite and that its impact could exceed the board’s stated tolerances. i-confidential has a strong track record in helping other organisations remedy such issues.
With a good understanding of the client’s overall approach to risk management, we were able to draw on i-confidential’s TPRM Capability Framework and rapidly deliver a new draft policy and implementation guidelines.
Following a review with key executive stakeholders and policy sign-off, i-confidential produced an action plan prioritised to maximise critical-risk reduction.
The key features and benefits of the i-confidential approach were:
· A policy aligned with good practice across financial services.
· Delivery of a risk-based policy and strategy rather than a spend-driven one.
· Rapid turnaround, with six weeks from contract signature to policy sign-off.
Rigorous, executive-backed management is the ‘glue’ that binds all third-party risk activities together, enabling positive engagement with the C-suite and other executives.
The new policy was readily understandable and pragmatic. The executive realised that it was implementable and would deliver clarity about third-party risk, enabling objective management decision-making.
Roles and responsibilities were clear, with no room for debate around risk-management accountabilities. IT management gained credibility with the executive and other business leaders, and buy-in (with supporting budget) for the new approach.