A healthcare data organisation identified material third-party security risks following a formal review.
Broadgate, part of Ortecha, designed and implemented a structured supplier assurance framework, categorising vendors by criticality and aligning controls accordingly. This gave the organisation a consistent way to onboard, assess and manage suppliers, significantly reducing supply chain risk and improving governance.
Scope:
Impact:
A recent security review surfaced a clear issue. Third-party risk was not theoretical. It was real, and it sat across a growing supplier ecosystem.
The organisation relied on multiple vendors to deliver critical services. Each brought value. Each also introduced risk. But risk was not being managed in a consistent way.
Supplier assessments varied. Contracts held useful detail, but it was not being used systematically. Security policies existed, but they were not tied clearly to supplier criticality.
Leadership had visibility of risk signals. What they lacked was control.
The organisation did not need more one-off assessments.
It needed a way to:
Without this, risk would continue to build quietly across the supply chain.
What was missing was a structured, repeatable assurance model. One that turned risk into something measurable, prioritised and actively managed.
The engagement was led at the Chief Operating Officer level. This was not a technical exercise. It was about control, governance and operational risk.
We brought a practitioner-led approach to supplier assurance. We focused on building something that would work in day-to-day operations, not just on paper.
We focused on a clear structure, proportionate control and no unnecessary complexity.
We started by mapping the full supplier landscape.
Every third-party relationship was identified and reviewed. Contracts, security policies and operating practices were analysed to understand where risk sat and how it could impact the organisation.
From there, we introduced structure. Suppliers were categorised based on criticality. Not all suppliers carry the same level of risk, and the control model needed to reflect that.
We then designed a tiered assurance framework:
Finally, we embedded governance across the supplier lifecycle:
This turned supplier assurance from a set of activities into a working system.
The organisation now has a clear and consistent way to manage third-party risk.
Instead of reactive checks, the organisation operates a structured assurance model that supports:
Most importantly, third-party risk is no longer something that sits outside the organisation’s control. It is actively managed as part of day-to-day operations.
As organisations become more dependent on external suppliers, their risk surface expands beyond their own walls.
In data-driven healthcare environments, that risk carries real consequences.
This case shows the shift that matters. Not just identifying risk, but putting control around it.
That is what turns awareness into action.
A healthcare organisation specialising in data analysis to support hospitals in improving services and patient outcomes. Operating in a highly sensitive environment, where data security, supplier integrity and regulatory expectations are critical.

Partner, Technology Transformation
