Following an internal audit review, a UK banking client was required to fix several problems that prevented effective management of its third-party risk. Accountability was poorly defined, which created governance issues.

Executives were not provided with a clear, data-led view of the risks they were exposed to. In addition, the organisation was not able to effectively target valuable assurance resources because it did not understand the inherent risk of its individual third parties.

i-confidential worked with the Head of Sourcing and his team to develop operating model changes that redefined the ownership of third-party risk, placing more accountability on business areas. We then worked with stakeholders to explain and embed these changes. At the same time, we improved the bank’s overall presentation of third-party management data, which clarified the risks being faced.

Our approach to profiling was to start from scratch – the existing position was unreliable. We worked with teams across Sourcing and the business, agreeing a baseline of third parties to be recorded in a new inventory. We then built an inherent risk profiling solution that assessed these third parties across a number of risk domains, such as Cyber and Resilience. This allowed us to mobilise and resource a team that worked with business managers to run the entire third-party population (2000+) through the profiling solution.

Behind the scenes, we produced daily MI reports and executive summaries that presented the emerging inherent risk profile to the bank. This data drove follow-on assurance work and supported effective targeting of the scarce resources required.

The level of granularity and analysis that was possible through our new data set enabled a graduated approach to assurance, spanning light-touch remote data gathering from suppliers through to expensive onsite reviews.

The final phase of this work was to create a BAU model that ensured profiling became an embedded process. As a result, i-confidential was asked to run the service and provide weekly MI dashboards. We also provided specific SME guidance in areas such as third-party contract clauses, and offered ongoing advice on emerging trends and best practice.

The Approach

The Problem

The Outcome

The bank could demonstrate to internal auditors, second-line risk teams, and external regulators, that it had addressed the issues preventing proper management of third-party risk across several policy areas. It was also able to target assurance resources based on the precise inherent risk of individual third parties. This drove efficiency gains and financial savings.

Overall, there was clear management accountability, with more effective governance, and a data-led view for executives that concisely highlighted the risks they were exposed to.