Upgraded TPRM Processes Deliver Clarity and Improve Decision-Making
"i-confidential produced an action plan prioritised to maximise critical-risk reduction."
The client’s TPRM approach was not prioritised according to inherent risk, and the associated assurance and remediation processes were immature.
It was recognised that the risk of a third-party incident was above appetite and the impact could be beyond the board’s stated tolerances. i-confidential has a strong track record in helping many other organisations remedy such issues.
With a good understanding of the client’s overall approach to risk management, we were able to exploit i-confidential’s Third-Party Capability Framework and rapidly deliver a new draft policy and implementation guidelines.
Following a review with key executive stakeholders and policy sign-off, i-confidential produced an action plan prioritised to maximise critical-risk reduction.
The key features and benefits of the i-confidential approach were:
· A policy aligned with good practice across financial services.
· Delivery of a risk-based policy and strategy instead of being spend driven.
· Rapid turnaround, with six weeks from contract signature to policy signoff.
The Approach
The Problem
A financial services company asked i-confidential to assess the design adequacy and operational effectiveness of their key technology cyber security controls. One of the significant gaps identified was the immaturity of third-party risk management.
The client was impressed by the i-confidential approach, engagement style, and skills transfer ethos. As a result, the client contracted us to update its technology third-party risk management (TPRM) policy and processes in line with financial services industry good practice. The board requested rapid remediation of a few related issues, which in turn depended on these updates being in place.
The Outcome
Rigorous, strongly supported management is the ‘glue’ that binds all third-party risk activities together, enabling positive engagement with the C-suite and executives.
The new policy was readily understandable and pragmatic. The executive realised that it was implementable and would deliver clarity about third-party risk, enabling objective management decision-making.
Roles and responsibilities were clear, with no room for debate around risk-management accountabilities. IT management gained credibility with the executive and other business leaders, and buy-in (with supporting budget) for the new approach.