Operational Resilience: Independent Critical Supplier Reviews for a Multinational Insurer

Client Challenge

As part of the organisation’s Operational Resilience (Ops Res) initiative, and in particular its Third-Party Risk Assessment component, our client, a leading insurer, wanted to carry out risk assessment reviews for a selection of critical suppliers using a combination of resources and a pooled automated audit service (Hellios Stage 3). The client wanted the capability to reduce its dependency on Hellios and rely more on expertise and the adoption of industry best practice.

TORI were engaged to perform a combination of on-site and off-site reviews of the client’s critical suppliers.

The operational areas included:

  • Physical Security
  • Operational Resilience
  • Service Management
  • Data Privacy
  • Risk & Control
  • Cyber / IT

The initial focus was on the following domains:

  • Telecommunications
  • Facilities management
  • Online payment portals
  • Cloud-based payment platform
  • Banking services
  • Technology infrastructure provider

What We Did

  • Produced a tailored questionnaire for each in-scope supplier relative to the service they provide; this included over 100 control points assessing areas including Physical Security, Service Management, Operational Resilience, Data Privacy, Cyber / IT, and Risk & Control
  • Conducted independent assessments of the existing contractual arrangements between the client and their suppliers
  • Conducted in-depth reviews of the in-scope suppliers to ensure compliance with regulatory requirements (PRA / EBA) and industry best practices, producing comprehensive valuations of the suppliers, including identifying gaps and opportunities for improvement and recommending action plans

Outcome & Results

  • Hosted specific deep dive assessments to identify any gaps or opportunities for improvement in the six domains (i.e., Physical Security, Service Management, Operational Resilience, Data Privacy, Cyber / IT, and Risk & Control) for each in-scope supplier (both on-site and off-site reviews)
  • Produced comprehensive risk assessment reports highlighting gaps in compliance, industry best practices and regulations, including suggested action plans for addressing gaps/issues
  • Presented actionable recommendations to Senior Management to address identified risks. These enabled the client to introduce a culture of continuous improvement, enhance supplier relationships and mitigate identified risks such as security breaches, service disruptions, privacy violations, and regulatory non-compliance
