Financial Services


About Churchill & Harriman

Founded in 1986, Churchill & Harriman (C&H) provides comprehensive risk management advisory services to many of the most distinguished and established financial services organizations across the globe. We proactively collaborate with the Shared Assessments Program in the establishment and implementation of industry-wide risk assessment and management programs.

Our Financial Services Experience/Credentials:

Our C&H team of advisors has comprehensive executive-level experience in all aspects of enterprise risk management in the financial services industry. C&H consultants hold relevant accreditations including CISSP, ISO 27001 Lead Auditor, CTPRP, CIPP, Professional Engineer, and others. C&H has deployed as many as 80 consultants simultaneously to achieve client project objectives. C&H has performed thousands of risk assessments around the world since 1998. In addition, C&H is a charter member of the Shared Assessments (SA) Program Steering Committee, External Advisory Board, and Technical Development Committee. We also serve as the liaison between the Shared Assessments Program Steering Committee and the External Shared Assessments Program Advisory Board.

Our Services

We work closely with our financial services clients to help them move beyond mere compliance, by establishing enterprise risk management programs that proactively identify and mitigate risks.

Here are some of our service areas:

  • C-level risk management advisory services
  • Global onsite and remote third party risk assessments
  • NIST Special Publication 800-53 assessments
  • NIST Cybersecurity Framework conformance
  • Vendor management program establishment and optimization


Churchill & Harriman provides financial services industry enterprise risk management guidance and executes third party risk assessments according to the following laws, regulations, standards, and commercial practices:

  • National Institute of Standards and Technology (NIST)
    • NIST SP800-53 assessments
    • NIST Cybersecurity Framework (CSF) assessments
  • International Organization for Standardization (ISO)
    • ISO 27001 pre-certification preparation and post-certification surveillance
    • ISO 22301 business continuity management/disaster recovery planning
    • ISO 22307 privacy impact assessments
  • Federal Financial Institutions Examination Council (FFIEC)
  • Sarbanes-Oxley Act (SOX)
  • Shared Assessments Program – AUP, SIG
  • Financial Services Authority (FSA)
  • European Banking Authority (EBA)
  • Australian Securities and Investments Commission (ASIC)


Our Clients/Results/Earned Distinctions

The following is a sample of financial services clients and results supported by C&H:

Federal Reserve Bank of New York —

Helped the Bank achieve the first ISO 27001 certification awarded in the United States. C&H has assisted clients in earning a total of 10 original ISO 27001 certifications.

U.S. nationwide mobile commerce enterprise —

Developed and implemented an information security management system (ISMS) under ISO 27001, including enterprise information security controls, policies, and standard operating procedures; performed all pre-certification consulting, ultimately leading to ISO 27001 certification; developed and delivered an information security training and awareness program; conducted an enterprise ISO 22307 privacy impact assessment (PIA); developed enterprise business continuity management/disaster recovery system plans under ISO 22301; implemented an enterprise vendor-management system; performed vendor/service provider contract reviews and risk ranking; and assessed high-risk vendors. Earned a formal reference from the CEO.

Global Systemically Important Financial Institution (G-SIB) —

Beginning in 2010, developed and implemented an end-to-end third-party vendor assessment methodology. Developed reporting processes, prepared third-party risk assessment criteria, and executed 300+ onsite risk assessments of high-risk vendors around the world. Subsequently, developed a comprehensive global questionnaire encompassing all pertinent laws and regulations to assess the client’s vendors.

Fortune 20 Financial Services Company —

Churchill & Harriman helped this organization secure ISO 27001 certification for its Global IT Infrastructure function. C&H also helped the organization harmonize two of five global IT processes into one, crossing departmental boundaries. In addition to the resultant cost savings and process efficiencies, our work enabled the client to successfully address a federal regulatory finding.

Global Systemically Important Financial Institution (G-SIB) —

Implemented a vendor risk management program covering the U.S. operation, entailing the assessment of more than 100 SIG questionnaires submitted by high-risk vendors, the preparation of residual risk summaries, and the development of a risk register. The client is a corporation whose depository provides custody and asset servicing for securities issued from 131 countries, with global trade repositories recording more than U.S. $500 trillion in gross notional value of transactions made worldwide.