
Client Case Study

Security Consultancy Risk & Controls

In today’s complex digital landscape, organisations face a multitude of security risks. Security controls are crucial for mitigating these risks and bringing them within an organisation’s overall risk appetite. Adopting a security risk management framework provides an additional advantage: it creates a structured, often industry-standard approach to maintaining security compliance.

However, while this sounds ideal in theory, implementing such frameworks in practice is a significant challenge. Without suitable controls and the backing of an existing risk management framework, organisations may face unknown vulnerabilities and increased exposure to risks.

The Problem

Our client, a large UK financial services organisation, faced just such a challenge. It took an external audit to uncover critical gaps in the management and operation of their IT and security controls.

The root cause of these audit findings pointed to weaknesses across several areas, particularly in cyber and technology. Most significantly, the organisation lacked a comprehensive and embedded risk and control framework, leaving key risks unmanaged.

Previous attempts to embed such frameworks had failed to gain traction. An off-the-shelf control framework had been introduced but wasn’t tailored to reflect the organisation’s specific environment, rendering it ineffective and unused.

At this crucial juncture, i-confidential was brought in to address the audit findings and provide sustainable solutions to prevent future issues.

Our Role

i-confidential’s consultancy team was tasked with:

  • Leading the delivery of a tailored technology risk and control framework.

  • Resolving all open audit findings.

  • Designing sustainable controls that would proactively mitigate future risks.

Our Approach

We began by forming a collaborative project team, integrating i-confidential consultants with client resources. Our initial focus was on redesigning the risk framework, with a thorough revision of risk definitions across critical categories: Technology, Cyber, Change, Supplier (third party), and Data.

Tailored Risk Definitions and Controls

Instead of relying on generic frameworks, i-confidential ensured each risk category was meticulously defined in alignment with the client’s unique business environment. We worked alongside key stakeholders to design customised controls that directly mapped to these risks. This tailoring ensured the controls were not only relevant but also practical to implement.

Collaborative Stakeholder Engagement

Through workshops and stakeholder engagement, we brought the client’s teams on board with the new framework. This collaborative approach was critical for embedding the framework into the organisation’s culture. We captured every key process, identifying control points and gaps, ensuring everyone was aligned on how the controls would be implemented and maintained.

Alignment with Industry Standards

To ensure best practice, the newly designed controls were mapped to industry frameworks such as COBIT and NIST. This added an extra layer of credibility and assurance that the controls were not only fit for purpose but also benchmarked against recognised global standards.

Implementation and Assurance

Once the controls were finalised and signed off, our next step was to document and test their design and operating effectiveness. This rigorous testing process ensured the controls were ready for real-world application. Where gaps were identified through audit remediations, we went a step further by documenting configuration changes as new controls. These additions were incorporated into the client’s ongoing control testing programme, ensuring continuous monitoring and improvement.

Holistic Audit Resolution

Our team didn’t just address the immediate audit issues; we redefined the organisation’s approach to managing future audits. By embedding these new controls into regular testing schedules, the client could ensure that previous problems would not resurface.

The Outcome

The project delivered a comprehensive, sustainable risk and control framework, specifically designed to reflect the client’s business and aligned with industry standards. The re-articulation of risks across Technology, Cyber, Change, Supplier, and Data was supported by newly implemented or updated controls that are now integrated into everyday operations.

Control testing indicated high levels of effectiveness, exceeding board-approved targets, and provided assurance that the new framework would stand up to future audits. Regular progress reports to the audit and risk committees, as well as regulators (PRA/FCA), ensured transparency throughout the project.

Lasting Change and Assurance

The client eliminated their previous audit headaches and gained confidence in their ability to manage risks effectively. With a robust, embedded framework, they are well-positioned to continue navigating the complex risk landscape with assurance.
