Case study

Strategic review of a TPRM programme: achieving audit readiness under regulatory pressure

Al Catto, Lead partner

Our client, a major European bank, asked us to carry out a time-critical independent review of its new third-party risk management (TPRM) programme. The stakes were high: an Internal Audit was due later in the year, US Department of Justice (DOJ) deadlines tied to financial crime controls were approaching, and a wider strategic transformation was still under way. If the programme wasn’t working, the bank risked breaching its regulatory commitments.

The TPRM framework had been rolled out quickly as part of a broader transformation, but key stakeholders were not confident it was yet complete or running efficiently. Onboarding was slow, documentation was fragmented, and the core tooling was still in UAT. There was limited time to prove the programme could stand up to scrutiny. 

BeyondFS was brought in to give a clear view of how well the programme was working, and where the bank should focus next. 

  • Industry segment

    European Bank

  • Function

    Third-Party Risk

  • Core capabilities

    Strategic Review, Operating Model, Testing & Readiness

Key outcomes delivered
  • Internal audit readiness: A final report demonstrated evidence of progress and outlined 7 thematic recommendations, each with 5-6 clear actions. 
  • Live remediation: Issues were raised and logged, with many resolved during the 4-phase project. 
  • Traceable evidence base: A 200-line tracker with testing outcomes for policies, playbooks, TOM components etc., along with extensive documentation links.

Results

  • Audit Readiness: 7 thematic recommendations, each with 5–6 clear actions
  • Review: 200+ artefacts reviewed, creating a traceable evidence base
  • Programme Management: 4 fast-moving review phases

Approach

Our team hit the ground running, drawing on deep TPRM experience — including supporting clients preparing for DORA — and a track record of delivering against regulatory expectations, including those of the DOJ.

We deployed a core team to run the project, alongside senior specialists who joined the project for short, focused periods. This approach allowed us to move fast, keep costs low, and raise the quality of delivery, as almost every problem we encountered was tackled by someone who’d solved it before. 

A practical, four-phase review

BeyondFS broke down the review project into four fast-moving phases: 

Phase 1 – Discovery and scoping:

We focused on three areas: the Target Operating Model (TOM), the new risk-assessment tool, and a financial crime deep dive (to support DOJ compliance). During this phase we created a one-page scoping matrix covering legal entities, branches, life-cycle events and regulations – this became the foundation for every review activity. 

Phase 2 – Review methodology design: 

We looked at the programme through three lenses:

1. Compliance and policy alignment

2. Intended vs actual execution

3. Operationalisation and efficiency 

Underneath those lenses sat eight structured pillars – policy, process, controls, data, RACI, MI, people and tooling.

Once the methodology was designed, we were then able to build a live delivery dashboard using doughnut charts to track progress rather than subjective RAG reports. 

Phase 3 – Review and testing: 

We tracked 200+ artefacts for review: policies, TOM components, playbooks and workshop sessions. When low transaction volumes ruled out scenario testing, we adapted in real time, switching to stress-based data entry testing to ‘break the model’, which revealed logic gaps that would otherwise have been missed. Thanks to thorough reviews and testing, several critical defects were raised in time for go-live, without needing to wait for the final report.

Phase 4 – Reporting and handover: 

We delivered seven thematic recommendations, each backed by a small set of specific, actionable proposals. The final pack included the full tracker, methodology, test cases and source documentation, giving the client a robust audit trail for future assurance reviews. 

Outcome

A thorough review and clear recommendations

By the end of our engagement, the bank had a live evidence base, a clear set of next steps, and visible signs of progress already underway. 

  • Regulatory confidence: DOJ-related risks had been reviewed, surfaced, and resolved with input from compliance and legal.
  • Live fix, not post-mortem: Our weekly check-ins helped the bank act immediately, rather than having to wait for a final report. Many of our recommendations were implemented as we went along, rather than shelving them for a future roadmap.
  • Long-term value: The handover pack became part of the bank’s TPRM documentation set, ready for an internal audit and future reviews.