Third Party Risk Management

Establishing a robust information risk management framework allows you to prioritize resources to address the issues which present a significant risk to your organization.

Implementing an information risk management strategy and methodology must be addressed at the strategic, tactical and operational levels for the process to be effective and consistent across an organization.

Our risk management consultants apply tried and tested methodologies to implement formal risk management frameworks across many verticals.

Primarily based on the ISO/IEC 27001, ISO/IEC 27005 and ISO 31000 models, our consultants ensure that all stakeholders are invested and knowledgeable in the ongoing practice of risk management. This means that the process remains in place and is managed effectively after the initial assessment is complete.

Assessing risk appetite

The initial stage of our assessments is a workshop with the business and IT stakeholders to understand your risk appetite. This covers the following areas:

  • Understanding the critical business processes and information
  • Conducting information gathering exercises
  • Defining risk criteria and acceptance criteria

Once risk appetite and context are established, our consultants agree and document the following information, which feeds into a defined risk register:

Critical assets

  • Primary and supporting
  • Asset owners

Risk matrix

  • Likelihood criteria
  • Impact criteria
  • Acceptance criteria
  • Risk treatment criteria

Risk assessment

  • Threats
  • Vulnerabilities
  • Inherent risk
  • Residual risk
  • Risk mitigation
  • Risk owners
  • Time frame