Third-Party Supplier Profiling
Inherent Risk Profiling Solution Puts the Client Back in Control
By i-confidential Staff
One of i-confidential’s banking clients needed to act on an internal audit report that indicated it was failing to meet its regulatory requirements for third-party supplier security. Regulators and auditors hold licenced organisations fully accountable for controls operated on their behalf by suppliers.
In this case, the auditors identified weaknesses showing that the bank was highly exposed because it had failed to properly risk-assess third-party supplier access to its data.
The bank had incomplete supplier information, including inherent risk classifications. This meant it was unable to effectively target the highest risks via its supplier assurance process. In response, i-confidential’s inherent risk profiling solution was chosen to determine the bank’s supplier classifications. Following this activity, assurance could be directed appropriately.
We started by working with the Sourcing Team to re-focus their existing work on third-party risk profiling. Stakeholder sessions were held with policy owners covering resilience, cyber, privacy, and conduct. This resulted in an agreed set of questions for suppliers along with associated thresholds, such as volumes and existing risk ratings. The responses allowed the bank to derive an overall inherent risk rating for each supplier that could be fed into the existing assurance framework.
We acquired a list of suppliers to be profiled, which included contact details for supplier relationship managers. This information was collated in i-confidential’s profiling tool, which is a centrally stored repository of key information relating to suppliers. The questionnaire determined supplier risk in a number of areas regarding access to bank data.
Thousands of questionnaires were sent to hundreds of supplier relationship managers relating to their suppliers. They were asked about the service provided by the supplier, the type of data being shared, and how it was shared, held, or accessed.
i-confidential collected and validated the questionnaire responses within the profiling tool. It scored these responses and classified the suppliers into Critical, Very High, High, Medium, and Low categories. This output was used to inform the scope and controls to be included in any subsequent assurance activity.
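The profiling process described above (agreed questions with thresholds such as data volumes and existing risk ratings, validation of the returned questionnaires, a derived inherent risk rating, and classification into the five tiers) can be illustrated with a small scoring model. The code below is an added example and is not i-confidential's profiling tool or the bank's questionnaire; the question set, answer-to-score tables, record-volume bands, escalation rule and sample responses are all assumptions constructed for illustration.

```python
"""Illustrative inherent-risk profiling for third-party suppliers.

Added example; not i-confidential's profiling tool. The questionnaire
dimensions, answer tables, record-count bands and escalation rule below
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The page's five classifications, lowest to highest.
TIERS = ["Low", "Medium", "High", "Very High", "Critical"]

# Assumed answer-to-score tables (0 = negligible, 4 = worst case).
SERVICE_SCORE = {"ancillary": 0, "supporting": 1, "important": 2,
                 "core": 3, "critical_function": 4}
DATA_CLASS_SCORE = {"public": 0, "internal": 1, "confidential": 2,
                    "customer_pii": 3, "payment_card": 4}
ACCESS_SCORE = {"none": 0, "view_only": 1, "api_query": 2,
                "bulk_export": 3, "hosted_by_supplier": 4}
EXISTING_RATING_SCORE = {"low": 0, "medium": 2, "high": 3}
# Assumed record-volume bands: a band's score applies once the count reaches its threshold.
VOLUME_BANDS = [(1, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]

REQUIRED = ("service", "data_class", "access", "records", "existing_rating")
TABLES = {"service": SERVICE_SCORE, "data_class": DATA_CLASS_SCORE,
          "access": ACCESS_SCORE, "existing_rating": EXISTING_RATING_SCORE}


@dataclass
class Profile:
    supplier: str
    tier: Optional[str]          # None when the response failed validation
    score: int
    issues: List[str] = field(default_factory=list)


def volume_score(records: int) -> int:
    """Map a record count onto the 0-4 scale using the assumed bands."""
    score = 0
    for threshold, band_score in VOLUME_BANDS:
        if records >= threshold:
            score = band_score
    return score


def validate(answers: Dict) -> List[str]:
    """Return the problems found in one questionnaire response (empty if clean)."""
    issues = [f"missing answer: {q}" for q in REQUIRED if q not in answers]
    for key, table in TABLES.items():
        if key in answers and answers[key] not in table:
            issues.append(f"unrecognised value for {key}: {answers[key]!r}")
    records = answers.get("records")
    if records is not None and (isinstance(records, bool)
                                or not isinstance(records, int) or records < 0):
        issues.append("records must be a non-negative integer")
    return issues


def inherent_score(answers: Dict) -> int:
    """Worst-case inherent risk: the highest single dimension, escalated one
    step when sensitive data is shared in bulk or hosted by the supplier."""
    data = DATA_CLASS_SCORE[answers["data_class"]]
    access = ACCESS_SCORE[answers["access"]]
    dims = [SERVICE_SCORE[answers["service"]], data, access,
            volume_score(answers["records"]),
            EXISTING_RATING_SCORE[answers["existing_rating"]]]
    score = max(dims)
    if data >= 3 and access >= 3:
        score = min(4, score + 1)
    return score


def profile(supplier: str, answers: Dict) -> Profile:
    """Validate one response and, if clean, classify the supplier into a tier."""
    issues = validate(answers)
    if issues:
        return Profile(supplier, None, -1, issues)
    score = inherent_score(answers)
    return Profile(supplier, TIERS[score], score)


def assurance_scope(profiles: List[Profile], minimum: str = "High") -> List[str]:
    """Suppliers whose tier is at or above `minimum`; unclassified ones are
    included because a missing profile is itself a gap to chase."""
    floor = TIERS.index(minimum)
    return sorted(p.supplier for p in profiles if p.tier is None or p.score >= floor)


# Constructed sample responses, as supplier relationship managers might return them.
SAMPLE_RESPONSES = {
    "Core Banking Hosting Co": {"service": "critical_function", "data_class": "payment_card",
                                "access": "hosted_by_supplier", "records": 2_000_000,
                                "existing_rating": "high"},
    "Campaign Analytics Ltd": {"service": "supporting", "data_class": "customer_pii",
                               "access": "api_query", "records": 50_000,
                               "existing_rating": "medium"},
    "Office Catering Ltd": {"service": "ancillary", "data_class": "public",
                            "access": "none", "records": 0, "existing_rating": "low"},
    "Unknown Consultancy": {"service": "important", "data_class": "confidential"},
}

if __name__ == "__main__":
    results = [profile(name, answers) for name, answers in SAMPLE_RESPONSES.items()]
    for p in results:
        print(f"{p.supplier:26} {p.tier or 'UNCLASSIFIED':14} {'; '.join(p.issues)}")
    print("assurance scope:", assurance_scope(results))
```

Two design choices worth noting. The rating takes the worst single dimension rather than an average, because inherent risk is about what the supplier could expose before any controls are considered, and averaging lets one high-exposure answer hide behind several benign ones. Suppliers whose questionnaire fails validation are deliberately kept inside the assurance scope rather than silently dropped: an incomplete profile was exactly the gap the audit report flagged.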
i-confidential’s profiling tool significantly reduced the risk of the bank’s assets and information being compromised by a third-party supplier. It provided a centralised repository of supplier information, including a security classification of all suppliers in scope. This output was then used to focus more cost-effective assurance on any high-risk suppliers that were identified.
More importantly, the Head of Sourcing was able to demonstrate to internal auditors and external regulators that significant progress had been made in identifying supplier risk, and that overall governance was more effective. This resulted in a number of subsequent ‘green’ audit outcomes.