

From registered investment advisers to broker-dealers, banking, and insurance to wealth management and securities distribution, Brier & Thorn’s Risk, Audit, and Compliance (RAC) practice is dedicated to serving our clients in all major areas of the financial services industry. Our work draws on more than 6 years in the global financial markets across 71 countries and 200 projects.

We work with our financial services clients as partners. Together we develop an IT risk management program and support the implementation of that plan to address IT risk for our financial services clients. We have worked with leading financial services companies in many strategic and operational areas over the last 6 years.

Risk Assessments


A fact sheet on the OCIE announcement of cyber security audits of at least 50 broker dealer and investment advisory firms.

Oilfield Exploration


The increasing shift towards restructuring the reporting structure for the IT Security department under the Chief Financial Officer and whether the fit makes good business sense.


Financial institutions have been addressing information security and technology risks for decades. However, a proliferation of cyber events in recent years has revealed that the traditional approach is no longer sufficient.

Financial services players will need to harness better and more effective IT risk management strategies to compete against the growing threat of global actors who are increasingly focused on financially motivated attacks. We draw on deep experience across industries to help our financial services clients in every region find innovative ways to align their IT risk management strategy with their business and plan for the evolving threat landscape.

The information security threat landscape has evolved over the last decade, while the IT risk management plans of the financial services market have not; they remain stuck in the old mentality of “protect everything.” Financial services firms are still executing on a traditional information security model of controls and compliance — a perimeter-oriented strategy aimed at securing data and the back office — which does not effectively address modern-day, advanced persistent threats.

Recent industry changes in the financial services sector, driven by increased regulatory oversight and compliance, have increased costs for financial institutions, placing them under increased pressure and scrutiny to reduce costs while still continuing to grow and maintain a competitive advantage through increased productivity and efficiency. Therefore, as the world emerges from recession and the survivors find their new place in the financial order that has taken shape, financial organizations are now tasked with transitioning their IT risk management and governance practices into world-class standards.

It is clear that the growth in cyber crime has continued, if not accelerated, in the financial services industry. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries.

To underscore the rapid rise in cyber threats, this number is 43.9 percent higher than in 2012, when the industry was ranked third, after the defense and utilities & energy industries. While this trend is not to be ignored, these actual losses are sometimes not meaningful to firms’ income statements, because the potentially greater impact from cyber crime is on customer and investor confidence, reputational risk, and regulatory impact that together add up to substantial risks for financial services companies.

The relatively static compliance- or policy-centric approaches to security found in many financial services firms can be long outdated. Brier & Thorn’s risk advisors work with financial services clients to develop a new, more secure, vigilant and resilient strategy that effectively manages risk and drives innovation.

Our Approach

Since 2010, we have created an intelligence-driven approach to IT risk management, assisting our financial services clients in preventing, detecting, responding to, and recovering from the potential damages from cyber attacks.

We work with leading institutions in the banking and insurance sectors in all major areas, including:

  • Retail banking
  • Private banking and wealth management
  • Clients and capital markets business
  • Transaction banking
  • Asset management
  • Life and property insurance
  • Health insurance
  • Reinsurance
  • Risk, liquidity and capital management
  • Capital Markets

We have deep expertise in financial services, but we also look beyond the industry and draw upon our capabilities and experience in other sectors. We tailor these offerings to the needs of our financial services clients to help them solve their toughest IT risk management problems.

The critical issues facing financial institutions today are affecting their entire business. IT security is no longer treated as an IT issue but as a boardroom issue that should be addressed by the CEO and executive leadership team. The industry continues to address regulatory reform, financial reporting requirements, implementation of cost-effective technologies, talent acquisition and increasing demands from stakeholders. These challenges are forcing financial institutions to rethink business imperatives and strategies in managing their IT risk.

There is increasing focus on the overall risk management framework adopted by financial institutions. Much of this focus is driven by supervisory expectations as well as regulations, but investors and creditors also want comfort that a financial institution has a robust IT risk management framework to protect consumer data and assets. Some financial institutions have also understood that having a robust risk management framework, and communicating this clearly to stakeholders, can be a source of comparative advantage.

The fallout from the credit crisis has introduced volatility and uncertainty in the financial markets and within the wider economic community. The single biggest change that has come to light is the shift from years of abundance to a period in which both funding and equity are scarce and expensive.

Our risk advisors can help you to develop the risk strategy, risk insight and underlying infrastructure of risk identification, evaluation and communication that will give you the edge in a complex and uncertain business environment.

The financial services industry faces challenging markets, new regulatory reform measures, and competition for clients and talent – all against a backdrop of heightened expectations from investors, regulators, industry partners and other stakeholders to also address their enterprise risk management issues.

Our risk, audit, and compliance practice is a distinctive business practice that provides risk management and threat management consulting as well as managed security services to our financial services clients, addressing all tenets of confidentiality, integrity, and availability that are paramount to an effective risk management strategy. Our integrated knowledge enables us to help our clients design solutions that endure and help them find a better way.


Our risk advisors will work with clients to develop the IT risk management program, which encompasses risk strategy and risk insight held up by an underlying foundation of risk identification. This is achieved by characterizing the threats to the business; assessing the vulnerability of critical assets to specific threats; determining the risk by understanding the expected likelihood and consequences of specific types of attacks on specific assets; identifying ways to reduce those risks; and then prioritizing risk reduction measures. Simply put:

  • Risk Identification
  • Risk Assessment
  • Risk Evaluation
  • Risk Communication
  • Risk Treatment

The better our clients understand and manage their information security risks, the better their ability to safeguard their franchise, deploy their IT security budgets in the most effective way, and capitalize on opportunities more quickly and decisively than their competitors. Our approach is to have our clients look at the business through a risk lens, first identifying the center of gravity that the business revolves around — a center of gravity made up of its intellectual property and trade secrets and, most importantly, where its major revenue streams are coming from.

We help our clients find a better way, and that means ensuring that security dollars are deployed as effectively, quickly and decisively as possible, so that disjointed point security controls are not adopted in isolation but form part of a congruous whole that works in cadence towards a more risk-resilient business, better prepared for the impending threat scenario.

We help redirect our clients’ focus away from trying to protect everything, which is an antiquated and broken approach to an IT risk management strategy. Starting from the top level down, our consultants work with the business to first establish IT risk as a strategic business threat that should be treated as an enterprise risk management imperative, where existing enterprise risk management tools can be leveraged. Finally, an IT risk governance committee is created for the business that is responsible for treating these risks.

Distinct to our process is a detailed analysis of what should be protected. Our clients are guided into a new way of thinking where threat management is seen much more like a vitamin to keep the overall enterprise risk management program healthy as best practice while risk management is seen as a method of matching treatments to specific risks that are identified through risk assessments comprised of specific threats and threat scenarios, much like applied immunology that enables the business to prepare for the eventual pandemic — a potential existential threat to the business through a cyber attack.

Through our risk management methodology driven by our proprietary risk model, we prepare the business instead for a more proactive versus reactive posture, helping the business understand that it is a target. We prepare our clients for that eventual threat scenario by anticipating the nature of the attack through the development of a more resilient posture by rehearsing the scenario for that planned attack, and more importantly, the organization’s response to it.

How We Do It

We work with our financial services clients as partners. Together we develop clear, practical action plans, and support the implementation of those plans to design, implement, test, and build an effective IT risk management strategy that also addresses the increasing regulatory and compliance climate.

We guide the leadership team of our clients in:

  • Establishing a cyber risk governance plan;
  • Understanding the boundaries of their information security management system (ISMS);
  • Identifying their critical business processes and assets;
  • Identifying their cyber threats;
  • Improving their collection, analysis, and reporting of information; and
  • Planning and responding to specific threat scenarios by developing playbooks, improving cyber intelligence gathering techniques, leveraging cyber insurance options, and upgrading cyber security technologies.

Our financial services clients are better positioned to keep pace with evolving threats, thereby helping them to avoid financial damage, negative publicity, and loss of consumer and shareholder confidence.


We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.


After supporting the divestiture from Expert Global Systems, Brier & Thorn builds new ISMS for Transworld Systems Inc. as part of a much broader enterprise risk management plan design.


How Chatham Financial has integrated Brier & Thorn into its enterprise risk management program.


Bank of Springfield controls risk with guidance from Brier & Thorn as it expands its digital footprint to improve efficiency and lower costs while maintaining customer and shareholder confidence.


Dodge & Cox Funds lowers its risk profile by partnering with Brier & Thorn for enterprise threat management.