Starting in 2018, EY and its client embarked on a far-reaching project to develop a transformed approach to TPRM. This began with identifying three core risks in the bank’s TPRM landscape: cybersecurity risk, business continuity risk, and privacy regulation risk.
EY then worked to transform the bank’s existing operating model by implementing a comprehensive, end-to-end TPRM solution, which included an operational framework, an operating model, a checklist of controls, and a supporting IT platform.
The implementation of EY’s TPRM service has been organized around three main objectives:
1. Establish an operating model:
EY and the bank worked closely together to develop an operating model to securely govern third-party risk management. Based around EY standard methodologies, the work focused on:
- Designing pre-contract, monitoring and reporting processes
- Building a platform to support the process
- Defining control methodologies
- Providing external operational support
2. Activate the new process:
A new centralized process service was implemented by coordinating all internal functions – including security, IT and risk compliance – and launching a support platform.
3. Execute a managed service:
EY then developed a managed service to provide support for relevant in-scope domains, including cybersecurity, risk and compliance. Particular capabilities developed include:
- Specialist support in pre-contract phase and negotiation
- Due diligence activities
- Execution of assessments
- Continuous monitoring and remediation actions
Thanks to this transformed approach to TPRM, the bank, with EY’s assistance, is now able to comprehensively assess third-party risks, then monitor those risks throughout the partnership and take proactive remediation steps when new vulnerabilities are identified. For instance, EY’s TPRM solution has enabled the bank to effectively identify contracts, classify them by type (such as IT or supply contracts), and then monitor them for risk and compliance features based on those classifications.
In order to deliver the service, EY was able to draw on its extensive technical and operational capabilities – particularly around IT on the one hand, and compliance and functional areas on the other – and will be well placed to offer additional capabilities as the scope of the project extends.
While the project was largely based in Italy, where EY’s Bari office had a strong relationship with the bank, its success meant the solution was expanded to the bank’s European subsidiaries. EY teams from Romania, Croatia, Serbia, Bulgaria, Germany, Austria and Hungary worked hand in hand to help clear any roadblocks around language or specific local rules.