Client Overview:
One of the UK’s largest and longest-established investment houses, managing investments globally for both individuals and large institutional investors such as pension funds.

Business Challenge / Problem statement:

Following the organisation’s demerger from its parent company, there was a need to stand up various functions that were previously managed by the group/parent organisation.

One of the functions that fell within the Technology remit was Security and Technology Governance, Risk and Control (GRC). GRC capabilities were required to ensure that both Security and Technology capabilities operated within acceptable risk tolerances.

Business Requirements:

  • Identify stakeholders, e.g. CIO, COO, Enterprise Security/CISO, Operational Risk, Second Line of Defence (2LoD) Technology/Security Risk, Internal Audit
  • Define and agree the target operating model and interlock with the relevant stakeholders
  • Define and agree the terms of reference
  • Assess the current Security & Technology control landscape and propose maturity improvements, e.g. adopting industry-standard frameworks (ISF SoGP for Cyber controls and CoBIT for Technology controls)
  • Develop a suite of Security standards aligned to the ISF SoGP Cybersecurity framework and meeting the organisation’s Security Risk policy requirements
  • Develop a suite of Technology standards aligned to the CoBIT technology framework and meeting the organisation’s Technology Risk policy requirements
  • Develop Cybersecurity controls, including control owner identification, the control management process, and alignment to the Group (Operational Risk) Internal Control Framework and Internal Control Standards
  • Define and develop Business intelligence & insight measures to enable senior management to make informed, risk-based decisions

Business Benefits/Value:

  • Providing a stable Security control framework enables the ongoing (and future) multi-million pound Security improvement programmes to clearly demonstrate control improvements
  • Provides management with trusted information to make informed, risk-based decisions
  • Ensures all relevant capabilities are operating as designed, highlights any weaknesses and ensures they are either remediated or risk accepted
  • Ensures a standardised, consistent and sustainable controls environment
  • Ensures compliance with the various regulations
  • Provides consistent due diligence submissions for various corporate clients by being able to demonstrate compliance with an industry-standard framework and evidence control operation (if required)