Case Study

6th May 2020
Industry: Investment Management
Annual Revenues: £20bn+
Employees: 50,000+
Locations: US
Sponsor: Chairman, Board of Directors

A global asset management company lost its global fund management platform after a failed software upgrade disrupted a core legacy system that was obsolescent. The system outage lasted 6 days and impacted $400bn of assets. The outage resulted in substantial compensation to clients and regulatory examinations that led to subsequent penalties. The system was operated by an outsourced service provider and was running on software that was up to 15 years old. Risks to the performance, sustainability and security of the system went untreated. The company’s third-party risk management and technology risk management programmes were inadequately designed to identify, assess, manage, monitor and govern risks to the resilience of the company’s operations. The Board of Directors initiated an independent review of the technology risk, third party risk, business continuity and disaster recovery programmes to assess their maturity and the factors contributing to the loss event.

Primary activities performed

Led a comprehensive review and analysis of the risk management capabilities to identify the significance of causes leading to the loss event:

  • Performed a detailed root cause analysis of the system outage;
  • Developed an inventory of critical business processes;
  • Developed a technology and supplier map and mapped to critical processes, functions and activities;
  • Performed a technology risk management operating model maturity analysis and identified linkages to root cause analysis findings;
  • Performed a maturity analysis of the third party risk management programme and assessed the effectiveness of third party governance (including escalation of risks to C-suite executives);
  • Assessed the adequacy of risk governance and oversight activities across technology and third party risk management programmes;
  • Analysed the strengths and weaknesses of the business continuity and disaster recovery programmes to determine programme adequacy against critical systems and third parties;
  • Designed a risk management target operating model; and
  • Reported to the Special Committee of the Board of Directors every two weeks to advise on investigative findings, event causes, future recurrence likelihood and recommendations.

Key Results

  • Advised the Board of Directors on the root cause and problem causes leading to the catastrophic risk event; and
  • Submitted recommendations to assist the Board in overseeing future risk management developments.