
Third-Party Risk Management

What we do.

Our approach combines strategic governance with operational pragmatism. We design, implement, and assess TPRM programmes across all stages of the supplier lifecycle. Examples of our services, offered individually or as an integrated solution, include:

Strategy & Governance

Our services support organisations in defining why and how external relationships are governed, depending on their specific risk profile and regulatory context.

We offer, among others, the following services and deliverables:

  • Development and review of TPRM policies and governance structures, aligned with the broader organisational policy framework
  • Clarification of ownership and accountability across the Three Lines Model, from operational contract management to board-level oversight
  • Definition of third-party risk categories (e.g. critical, high, standard) and corresponding due diligence and monitoring requirements
  • Alignment and gap analysis against DNB Good Practices, the EBA Guidelines on Outsourcing Arrangements, and the DORA requirements on ICT third-party risk management, including dependencies on critical ICT third-party service providers

These services can be engaged individually or together, providing consistent governance without unnecessary complexity or bureaucracy.

Risk Assessment

We support organisations in designing, reviewing, and improving supplier risk assessment processes that are proportionate, consistent, and workable in practice.

Our services include, where applicable:

  • Design and execution of pre-contract due diligence, covering financial stability, information security, and regulatory compliance
  • Development of standardised assessment frameworks and templates, aligned with ISO/IEC 27001 Annex A, NIST CSF, and DORA requirements
  • Definition of risk scoring and tiering methodologies to ensure depth where needed and efficiency where possible
  • Design of approval and escalation workflows integrating business, risk, and legal perspectives
  • Independent third-party assessments or support in validating supplier controls, including reviews of ISAE 3402, SOC 2, and ISO certifications

These services can be applied individually or together, depending on the organisation’s maturity, risk exposure, and regulatory context.

Continuous Monitoring

Oversight does not end once a contract is signed.

We help implement monitoring routines that provide continuous visibility into third-party performance and risk:

  • KPI/KRI dashboards linked to risk appetite
  • Periodic assurance reviews and onsite or remote audits
  • Centralised supplier inventory with criticality classification
  • Annual control attestations and trigger-based reassessments (e.g., major incidents, mergers)

Our templates are designed to keep monitoring lean: informative enough for governance, light enough for execution.

Fourth-party & Concentration Risk

We identify and visualise dependencies within your supplier network.

Using mapping techniques and risk taxonomy alignment, we highlight potential concentration points, such as reliance on a single data-centre region or on a sub-outsourced cloud vendor shared by several of your suppliers.

We then offer mitigation strategies, ranging from contractual provisions to diversification roadmaps. As a result, the board can discuss external dependencies with confidence.

Third-Party Risk as a Service

Through Third-Party Risk as a Service (TPRaaS), we provide interim or ongoing support to your vendor risk or sourcing team. 

Our network of over 80 professionals includes specialists in outsourcing governance, contract risk, and IT auditing, among other areas.

Whether you need temporary reinforcement for a remediation programme or structural support for third-party monitoring, we embed experts who understand both regulatory nuance and operational execution.

What you gain

Regulatory compliance with confidence. Demonstrable alignment with DORA, DNB, and EBA outsourcing requirements.

Transparency across your ecosystem. A single source of truth for supplier risks, contracts, and dependencies.

Operational efficiency. Scalable monitoring processes that prevent duplication and audit fatigue.

Reduced exposure. Early detection of weak links and concentration risks. 

Assurance and trust. Evidence-based oversight that satisfies internal and external stakeholders alike.