Case Study

Scaling third-party risk management without sacrificing consistency

How a global financial services company removed bottlenecks and decreased risk without adding headcount — by extending their existing Talanos partnership beyond the SOC.

Executive summary

Institutional knowledge without institutional scale

A mid-sized global financial services organisation managing hundreds of third-party relationships had a problem familiar to most lean security teams: the expertise to do the work existed in-house, but the capacity to keep pace with demand did not. Supplier risk assessments had become a single-point bottleneck, with much of the work concentrated on the CISO.

Rather than buy a GRC platform or build internal headcount, the organisation extended its existing SOC partnership with Talanos to cover third-party risk management. The result: a TPRM programme that absorbs unpredictable workload spikes, holds suppliers to a higher standard through external objectivity, and translates technical findings into business-ready risk decisions — without diluting the consistency the internal team had already built.

The reality

Peaks, troughs, and pressure points

The supplier base splits into a stable strategic core and a smaller, highly unpredictable tail — and the tail is where the pressure shows up.

80% · Stable core

Strategic suppliers on a predictable renewal cycle. Volume is plannable; due diligence is regular and well understood.

20% · High churn

Lower-tier suppliers with unpredictable onboarding spikes. When they hit at the same time as core renewals, capacity collapses.

The pressure point

Workloads spike arbitrarily, with no predictable pattern. Telling the business to wait isn't an option — but neither is dropping rigour to keep pace.

The story

From single-point bottleneck to scalable partnership

How the engagement unfolded across three phases.

01

The challenge

Supplier assessments required a rare blend of technical depth across legacy and modern environments, plus the risk judgement to know which of 200 questions actually mattered. That skill set sat with the CISO and a small team — making the programme fragile and difficult to scale.

02

A considered decision

A traditional GRC platform was on the table, but the concern was that tooling alone wouldn't change who fielded the questions. Talanos was already trusted as an extension of the security function through SOC services, so extending the scope to TPRM was a natural fit.

03

The outcome

Throughput is up significantly, peaks are absorbed without dropping standards, and the CISO is freed to focus on strategy. An unexpected benefit: external assessors apply more objective scrutiny, raising the bar for supplier engagement on the very first review.

What we've been able to do is maintain the consistency which is critical from my point of view. Our throughput has increased significantly, which is great. But more importantly, I now feel comfortable that we can absorb any busy periods and demonstrate a clear reduction in risk over time.

Chief Information Security Officer · Global Financial Services Organisation

Key takeaways

For organisations facing similar challenges

Five considerations for scaling third-party risk management without losing rigour.

01

Capacity alone isn't enough

You need to maintain and improve consistency and quality as you scale, which requires documented processes, tight integration, and experienced judgement.

02

Technical depth matters

Supplier assessments require understanding across the full spectrum of technology environments, from legacy systems to cutting-edge cloud and SaaS.

03

Objectivity has value

External assessors without prior institutional knowledge can hold suppliers to higher standards and ask questions that internal teams may not.

04

Business context is essential

The ability to translate technical findings into business risk language is what enables deeper conversations and clearer remediation decisions.

05

Strategic partnerships beat point solutions

Building on existing successes and thinking holistically about security partnerships can deliver better outcomes than procuring isolated tools or services. In this case, extending an existing SOC relationship into TPRM unlocked compounding value neither service would have delivered alone.

Read the full case study

Get the detailed PDF

The full document includes the CISO's account of the decision-making process, the operating model that emerged, and direct quotes covering the unexpected benefits of external objectivity in supplier assessments.
