Risk Management

Enterprise Risk Assessment Matrix — Financial Services GRC

As Lead Consultant to a major financial services enterprise, I designed and implemented a dynamic, board-ready Risk Assessment Matrix that replaced fragmented spreadsheet tracking with a structured GRC process — standardising third-party supplier assessments, enforcing treatment accountability, and giving the board a clear, quantified view of risk exposure for the first time.

Client: Financial Services Enterprise
Duration: 6 Months
Delivered: 2023-11-15
Role: Independent Consultant

The Challenge

As Lead Consultant engaged by a major financial services enterprise, I was brought in to address critical gaps in their Governance, Risk, and Compliance (GRC) programme. The organisation lacked any structured, quantifiable methodology for evaluating and reporting on cyber risk — risk had previously been tracked in disconnected spreadsheets with inconsistent scoring, no treatment accountability, no supply chain coverage, and no executive visibility. The board was, in effect, making risk decisions without a coherent picture of the organisation's actual exposure.

  • Risk assessments were performed ad hoc with no standardised likelihood or impact scoring methodology, making cross-risk comparison and prioritisation impossible
  • Supply chain risk was entirely unquantified and untreated, creating significant third-party exposure from vendors with no formal security assessment on record
  • No clear treatment accountability existed — identified risks were logged but not actively managed, escalated, or assigned to an owner
  • The board lacked a consolidated, interpretable view of current risk exposure, preventing informed risk acceptance decisions with documented justification

The Approach

I designed and implemented a comprehensive, dynamic Risk Assessment Matrix that standardises the calculation of risk likelihood against business impact, aligned directly to the organisation's formally defined risk appetite.

Dynamic cyber risk assessment matrix mapping likelihood against business impact across the supply chain, with colour-coded severity banding and treatment strategy assignment

I mapped the matrix directly to the GRC framework, categorising risks by severity and mandating specific treatment strategies — mitigate, accept, transfer, or avoid — based on the board-approved risk appetite I helped the organisation formalise as part of the engagement. I assigned a clear owner and treatment timeline to every identified risk, replacing the previous culture of risk logging without action. I also designed the third-party supplier assessment component, establishing a standardised questionnaire and scoring methodology applied consistently across the entire supply chain.
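What the scoring and treatment rules described above look like once they are encoded rather than kept in a spreadsheet, as an added illustration that is not the client's matrix or any code from the engagement. The 5-point likelihood and impact scales, the severity cut-offs over the 1-25 product, the appetite ceiling of 9, and the four-row sample register are all assumptions made for the example; the point it shows is that "accept" is only valid inside appetite and with a written justification, and that every other treatment needs a named owner and a completion date that has not already passed.

```python
"""Risk register scoring with treatment-accountability checks.

Illustrative code only: scales, bands, appetite threshold and the sample
register are assumptions, not the client's published methodology.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed 5-point scales; the client's own definitions are not reproduced here.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Severity bands over the likelihood x impact product (assumed cut-offs).
SEVERITY_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical"))

# Assumed board-approved appetite: scores above this cannot simply be accepted.
RISK_APPETITE_MAX = 9

TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: int
    impact: int
    treatment: str
    owner: Optional[str] = None
    due: Optional[date] = None
    justification: str = ""


def score(likelihood: int, impact: int) -> int:
    """Product of the two scale values; rejects anything off the 1-5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be on the 1-5 scale")
    return likelihood * impact


def band(risk_score: int) -> str:
    """Map a 1-25 score onto its colour band name."""
    for low, high, name in SEVERITY_BANDS:
        if low <= risk_score <= high:
            return name
    raise ValueError(f"score {risk_score} lies outside the matrix")


def assess(risk: Risk, today: date) -> dict:
    """Score one risk and list every accountability rule it breaks."""
    s = score(risk.likelihood, risk.impact)
    findings: List[str] = []
    if risk.treatment not in TREATMENTS:
        findings.append(f"unknown treatment {risk.treatment!r}")
    if not risk.owner:
        findings.append("no named owner")
    if risk.treatment == "accept":
        # Acceptance is only a valid decision inside appetite, and must be justified.
        if s > RISK_APPETITE_MAX:
            findings.append(f"accepted at score {s}, above appetite of {RISK_APPETITE_MAX}")
        if not risk.justification.strip():
            findings.append("acceptance lacks documented justification")
    elif risk.treatment in TREATMENTS:
        # Active treatments need a completion date, and it must not have slipped.
        if risk.due is None:
            findings.append("treatment has no completion date")
        elif risk.due < today:
            findings.append(f"treatment overdue since {risk.due.isoformat()}")
    return {
        "risk_id": risk.risk_id,
        "score": s,
        "band": band(s),
        "within_appetite": s <= RISK_APPETITE_MAX,
        "findings": findings,
    }


def assess_register(risks: List[Risk], today: date) -> Tuple[List[dict], dict]:
    """Assess every risk and summarise band counts and non-compliant entries."""
    results = [assess(r, today) for r in risks]
    by_band: Dict[str, int] = {}
    for r in results:
        by_band[r["band"]] = by_band.get(r["band"], 0) + 1
    summary = {
        "by_band": by_band,
        "non_compliant": [r["risk_id"] for r in results if r["findings"]],
    }
    return results, summary


# Constructed sample register; titles and values are invented for the example.
SAMPLE_REGISTER = [
    Risk("R-01", "Payments supplier has no security assessment on record", 4, 5,
         "mitigate", owner="Head of Procurement", due=date(2023, 9, 30)),
    Risk("R-02", "Staff phishing susceptibility", 3, 3, "accept", owner="CISO",
         justification="Within appetite; awareness programme in place, reviewed annually"),
    Risk("R-03", "Legacy TLS 1.0 on customer portal", 2, 5, "accept", owner="Head of Platform"),
    Risk("R-04", "Printer firmware unpatched", 1, 2, "mitigate", due=date(2024, 3, 31)),
]
ASSESSMENT_DATE = date(2023, 11, 15)

if __name__ == "__main__":
    results, summary = assess_register(SAMPLE_REGISTER, ASSESSMENT_DATE)
    for r in results:
        flag = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{r['risk_id']} score={r['score']:>2} {r['band']:<8} {flag}")
    print(summary)
```

Run as written, R-02 passes, R-01 is flagged as overdue, R-03 is flagged twice (accepted above appetite and without justification), and R-04 is flagged for having no owner. The same rule set is what turns a log of risks into a register the board can sign off, because every "accept" row carries its justification and every open row carries a name and a date that can be chased.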

The Results

I delivered a fully operational, board-ready risk assessment framework that replaced the client's fragmented spreadsheet approach with a structured, accountable GRC process — and left the organisation with an internal capability to run it independently going forward.

Business & Security Impact

  • Clear, board-level view of current risk exposure established for the first time — with quantified likelihood and impact scores across the full risk register
  • Third-party supplier assessment lifecycle standardised — every supply chain partner now evaluated against the same consistent criteria and documented within the GRC framework
  • Treatment accountability enforced — every identified risk assigned a named owner with a defined treatment strategy, action type, and completion timeline
  • GRC framework aligned to the board-approved risk appetite, enabling documented risk acceptance decisions with a clear, auditable justification trail
  • Repeatable risk assessment methodology established, supporting ongoing and annual risk review cycles without reliance on external consultants or manual interpretation

My combination of technical security expertise and GRC delivery experience across financial services organisations meant I was able to design a risk matrix that was simultaneously rigorous enough to satisfy audit requirements and practical enough for the compliance team to operate without specialist support — a balance that pure GRC consultancies often fail to achieve.


© 2026 Brian Stephens. All rights reserved.
