top of page
Case Study

Upgraded TPRM Processes Deliver Clarity and Improve Decision-Making

Third Party

"i-confidential produced an action plan prioritised to maximise critical-risk reduction."

The client’s TPRM approach was not prioritised according to inherent risk, and the associated assurance and remediation processes were immature.


It was recognised that the risk of a third-party incident was above appetite and the impact could be beyond the board’s stated tolerances. i-confidential has a strong track record in helping many other organisations remedy such issues.

With a good understanding of the client’s overall approach to risk management, we were able to exploit i-confidential’s Third-Party Capability Framework and rapidly deliver a new draft policy and implementation guidelines.


Following a review with key executive stakeholders and policy sign-off, i-confidential produced an action plan prioritised to maximise critical-risk reduction.


The key features and benefits of the i-confidential approach were:


· A policy aligned with good practice across financial services.

· Delivery of a risk-based policy and strategy instead of being spend driven.​

· Rapid turnaround, with six weeks from contract signature to policy signoff.

The Approach

The Problem

A financial services company asked i-confidential to assess the design adequacy and operational effectiveness of their key technology cyber security controls. One of the significant gaps identified was the immaturity of third-party risk management.


The client was impressed by the i-confidential approach, engagement style, and skills transfer ethos. As a result, the client contracted us to update its technology third-party risk management (TPRM) policy and processes in line with financial services industry good practice. The board requested rapid remediation of a few related issues, which in turn depended on these updates being in place.

The Outcome

Rigorous, strongly supported management is the ‘glue’ that binds all third-party risk activities together, enabling positive engagement with the C-suite and executives. ​

The new policy was readily understandable and pragmatic. The executive realised that it was implementable and would deliver clarity about third-party risk, enabling objective management decision-making.


Roles and responsibilities were clear, with no room for debate around risk-management accountabilities. IT management gained credibility with the executive and other business leaders, and buy-in (with supporting budget) for the new approach.

bottom of page