
Enabling operationally resilient outsourcing of IT services and third-party risk management

Key fact

Robust IT Controls Frameworks are crucial for ensuring operational resilience, regulatory compliance, and effective third-party risk management in the investment industry.

Challenge

Our client, a global investment organisation based in the UK with over £500 billion in assets under management and more than 5,000 employees worldwide, faced significant challenges following the merger of two leading asset and investment management firms. Their primary focus was to enhance supplier management capabilities by improving risk management, supplier governance and operational resilience to effectively onboard a new strategic technology partner and transition IT service delivery operations efficiently.

Mason Advisory was engaged to assess key risks and issues within our client’s existing IT Governance, Risk and Compliance Management and Supplier Management capabilities. Our goal was to identify strengths and weaknesses and to ensure alignment with existing ways of working and the target operating model, so that the client could effectively onboard the new supplier and manage the outsourcing of all infrastructure, application and technology services.

Solution

Working closely with their business management team, we helped our client to develop and implement an IT Controls Framework to systematically identify, assess and manage technical and operational risks. The framework included designing and planning the controls necessary to mitigate those risks, defining impact tolerances and establishing key risk indicators. Our approach leveraged both our client’s and their strategic partner’s existing risk management, operational resilience and information security capabilities, ensuring effective alignment between the two organisations.

We followed a comprehensive approach to identify risks related to the client’s operational resilience requirements and the controls needed to mitigate those risks. These efforts were aligned with their overarching Enterprise Risk Management Framework, supporting the development of policies, processes and procedures to implement controls for risk monitoring effectively. We identified and agreed control ownership and key upskilling requirements to establish and drive the Controls Framework regime. This led to the development of key assurance design and implementation principles to ensure that systems and controls are effectively implemented by third parties, enabling continuous monitoring, assessment and reporting of risks concerning applications and data dependencies. Key Risk Indicators (KRIs) were developed for each control implemented internally and externally, and these were aggregated into an overall performance level for the control indicators, as described in Figure 1 below.

Figure 1 – Controls Monitoring and Measurement

The development of policies, processes and guidelines for the Controls Framework was based on COBIT, NIST and ISAE3402 standards.

Outcome

The development of a robust Controls Framework ensured the identification of critical business services, risks and vulnerabilities, and the setting of impact tolerances and key risk indicators, so that operational resilience requirements were effectively assessed, understood and implemented by our supplier and its strategic technology partner. The framework also facilitated the identification of remediation activities and the fine-tuning of existing controls, processes and procedures so that their effectiveness could be continuously monitored.

The implementation closely aligned and integrated our client’s and their supplier’s operating models and ways of working, enabling resilient IT service delivery. Additionally, it provided evidence to regulators and assurance to auditors that the client and its strategic suppliers operate professionally and adhere to industry standards.


“Our comprehensive approach to defining the IT Controls Framework ensured the supplier governance, risk and compliance management approach was consistent with our client’s organisational standards and best practices. The implementation of an effective IT Controls Framework enhanced our client’s operational resilience capability to protect their critical business services.”

Kaustubh Ambavanekar, Principal Consultant – Mason Advisory

