Case Study: Rewriting the Risk Playbook Through AI-Enabled Third-Party Risk Management

ISACA Journal, 2025, Volume 5: Compliance Conundrum

Author: Katie Teitler-Santullo | Date Published: 1 September 2025

In today’s highly interconnected financial ecosystem, banks rely more than ever on third-party vendors, platforms, and service providers to remain competitive.

But with that reliance comes risk—especially in the banking sector, where compliance standards are high, customer trust is paramount, and operational resilience is non-negotiable. Managing this risk is not just a matter of vendor due diligence; it involves safeguarding the institution’s reputation, ensuring regulatory alignment, and maintaining the integrity of the financial system itself. For institutions such as the General Bank of Canada (GBC), the challenge of scaling securely with partners required a new playbook—one driven by automation, intelligence, and integration.

GBC is a wholly owned subsidiary of First Canadian Insurance Corporation and one of the few privately held Schedule I chartered banks in Canada. Established in 2005 and headquartered in Edmonton, Alberta, GBC focuses on specialized lending and deposit products designed to support Canadian organizations and consumers through a variety of channel partnerships.

Unlike many of its larger peers, GBC does not have a retail branch footprint. Instead, the bank operates under a partnership-driven model, working directly with more than 2,000 channel partners, including auto dealerships, mortgage brokers, financial planners, and commercial lending groups. This model enables GBC to stay agile, lean, and competitive while offering highly customized services across a variety of market segments.

Yet this model, built for speed and scale, introduced serious risk management challenges as the bank grew. As third-party relationships multiplied, so did the complexity of managing the risk associated with each vendor and partner. Without a centralized platform, GBC’s compliance, risk, and security teams were increasingly bogged down by heavily manual and fragmented processes, inconsistent evaluations, and slow onboarding.

Recognizing the growing strain on its risk management function, GBC took a bold step in early 2024 and launched a complete transformation of its third-party risk management (TPRM) program. Led by GBC’s Chief Risk, Compliance, and Security Officer Adam Ennamli, the initiative would seek to modernize TPRM as well as fundamentally rewrite the bank’s risk playbook.

The centerpiece of this transformation would be a partnership with Coverbase, an emerging leader in artificial intelligence (AI)-powered TPRM platforms. Within a few short months, the implementation of the platform would help GBC redefine how the company engaged, assessed, and monitored third-party relationships—improving not only regulatory compliance but also business velocity and competitive positioning.

The Challenge: A Growing Partner Ecosystem and Outdated Risk Infrastructure

As GBC expanded its lines of business, particularly in super-prime auto financing and commercial lending, the volume and variety of third-party relationships surged. Each partnership required appropriate due diligence, contract management, risk analysis, and ongoing monitoring to meet internal standards and regulatory requirements.

Until 2023, GBC’s TPRM process was built around manual processes: spreadsheets, email threads, shared file repositories, and internal knowledge. Risk assessments were conducted and documented unevenly. There was no proverbial single source of truth. Document collection—SOC 2 reports, financial audits, security questionnaires—took weeks. Follow-ups were manual and time-consuming. Monitoring after onboarding was a massive challenge.

Most Pressing Third-Party Risk Factors

  • Lack of centralized visibility across the third-party ecosystem
  • Inconsistent and subjective risk scoring
  • Poor audit trails and documentation
  • Difficulty in tracking contract obligations and renewals
  • Inconsistency and delays in onboarding due to manual processes

Meanwhile, regulatory pressures intensified. The Canadian Office of the Superintendent of Financial Institutions (OSFI) issued revised guidance in recent years, particularly around:1

  • Guideline B-10 Third-Party Risk Management
  • Guideline B-13 Technology and Cyber Risk Management

Both guidelines emphasized the need for robust due diligence, board-level visibility, and continuous monitoring. For GBC, this was a turning point.

“The risk wasn’t hypothetical anymore; we knew we needed a platform that could scale with the business, automate our workflows, and meet the gold standard of regulatory oversight.”

Adam Ennamli, Chief Risk Officer at General Bank of Canada

Ennamli, who joined GBC in 2022, immediately recognized that the existing approach was unsustainable. He knew that the bank had a small but capable team. Yet, no matter how talented the staff is, organizations cannot scale or standardize a program built on fragmented, manual, and siloed processes. With the current processes and toolset, GBC’s ability to manage risk simply could not keep pace.

From onboarding new vendors to evaluating SOC 2 reports, managing security questionnaires, and tracking contract obligations, numerous aspects of the TPRM life cycle required modernization. The bank needed:

  • A single platform to manage the end-to-end third-party risk life cycle
  • Automated workflows to reduce manual effort
  • Consistent and auditable risk scoring
  • Integration with internal systems
  • Role-based access controls
  • Support for Canadian regulatory expectations
  • And crucially, GBC needed a partner—not just a vendor or a tool—to co-create a solution that could grow and adapt with its evolving needs.

Solution: AI-Driven TPRM

GBC set out not only to digitize an outdated risk management system but to fundamentally redesign its approach to third-party risk with business outcomes in mind. This was not about adopting AI for AI’s sake. Instead, the bank adopted a disciplined, business-aligned framework for evaluating which solutions could support faster, safer growth while driving operational efficiency and compliance excellence. GBC’s leadership believed that any modern TPRM transformation had to directly support the bank’s core mission: enabling more high-quality partnerships faster, reducing costs, and increasing returns for capital partners—all while eliminating friction and inefficiency.

After an extensive vendor evaluation process, GBC selected Coverbase. The decision was informed by strategic business needs, not just technical features. According to Ennamli, the bank did not start the transformation looking for a silver bullet labeled “AI.” The primary obligation in choosing a partner was to align the solution’s outcomes with business requirements. As such, the selection team was focused on what Ennamli called the “so what” and the “know what”—the business requirements that allow the bank to evolve. He knew that the selection of a tool must be pragmatic and help GBC achieve strategic business results.

The primary considerations for the selection of the platform by GBC included:

A focused, high-quality offering—The TPRM platform was purpose-built for managing vendor, partner, and service provider risk.

Co-creation and strategic influence—A co-creation model allowed GBC to have a direct say in the product’s functionality and contributed to the product’s evolution. Ennamli described this as “skin in the game”—an opportunity for GBC to shape the tool around real business use cases rather than retrofitting existing processes to a vendor’s fixed capabilities.

Security and control by design—GBC’s regulatory obligations required the bank to maintain strict data sovereignty and control. The TPRM platform provided a single-tenant cloud environment hosted in Canada, with advanced encryption protocols, customizable access controls, and complete data isolation. This architecture gave GBC the assurance needed to satisfy regulators and internal stakeholders while providing confidence to its own third parties and business partners.

Pragmatic, outcome-driven AI—With the platform using AI to automate tasks such as document intake, policy and control analysis, security questionnaire evaluation, and automated report generation, GBC reduced manual workloads by as much as 80% without compromising quality or accuracy.

Tailored Implementation: Built for GBC, With GBC

Implementation of the TPRM platform began in January 2024. The platform went live in less than six weeks. The rapid deployment was supported by strong executive sponsorship, a dedicated project team, and the system’s ability to be customized without extensive configuration delays or consulting layers.

There were three factors that made this rapid deployment possible. First, the mutual understanding that risk management software is not one-size-fits-all, and no software or AI solution is perfect out of the box. The team invested time upfront in fine-tuning the system to do exactly as they intended. Second, the software was built with the explicit intent of being as flexible and customizable as possible to the needs and requirements of financial institutions, even as GBC was scaling its business rapidly. Third, the platform’s automated integration meant that minimal manual effort was necessary on either side to get data into the system. The GBC team was able to begin the third-party assessments in less than two business days.

In the first 90 days, a number of milestones were achieved:

Data consolidation—All existing third-party vendor data—including risk assessments, contracts, compliance documentation, audit trails, and security questionnaires—were migrated into the new platform. Previously stored across shared drives, spreadsheets, and email threads, this data was normalized, cleaned, and indexed for easy search and reference.

Risk taxonomy development—GBC, in collaboration with Coverbase, developed a customized risk taxonomy aligned with OSFI Guidelines B-10 Third-Party Risk Management and B-13 Technology and Cyber Risk, as well as US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) principles.2 This taxonomy served as the foundation for standardized risk classification and assessment logic.

Automated risk scoring—The team implemented an AI-driven scoring engine that analyzed structured and unstructured data from vendor responses, documents (e.g., SOC 2 reports, insurance certificates), and internal evaluation forms. The system assigned risk levels based on configurable thresholds tied to the bank’s risk appetite and regulatory requirements.

Workflow customization—Not all third parties are created equal. GBC built out role-based workflows and requirements tailored to specific partner categories such as fintech providers, mortgage brokers, marketing agencies, and technology vendors. This ensured that onboarding steps were proportionate to the risk they posed and aligned with business goals.
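To make the two milestones above concrete, here is an added illustration (not Coverbase’s or GBC’s code) of a scoring engine that assigns a risk level from configurable thresholds and routes each partner category through onboarding steps proportionate to its risk. The partner categories and document types are the ones the article names; the evidence mapping, factor weights, threshold values, workflow steps and the sample vendors are constructed assumptions.

```python
"""Risk-tiered vendor assessment: category-specific evidence requirements,
weighted scoring against configurable thresholds, and a timestamped record.

Added illustration in the spirit of the "automated risk scoring" and
"workflow customization" milestones; it is not Coverbase's or GBC's code.
The partner categories and document types appear in the article; the
evidence mapping, weights, thresholds and sample vendors are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Evidence each partner category must supply before onboarding can proceed
# (assumed mapping; proportionate to the risk the category typically poses).
REQUIRED_EVIDENCE = {
    "fintech_provider": {"soc2_report", "pen_test_summary",
                         "security_questionnaire", "financial_audit"},
    "technology_vendor": {"soc2_report", "pen_test_summary",
                          "security_questionnaire"},
    "mortgage_broker": {"security_questionnaire", "insurance_certificate"},
    "marketing_agency": {"security_questionnaire", "insurance_certificate"},
}

# Risk-appetite thresholds (assumed): a score below the bound maps to that
# level. Tightening the appetite is a data change, not a code change.
DEFAULT_THRESHOLDS = ((30, "low"), (60, "medium"), (101, "high"))

# Onboarding step proportionate to the assessed level (assumed workflow).
NEXT_STEP = {"low": "auto_approve", "medium": "risk_analyst_review",
             "high": "cro_signoff"}

SENSITIVITY_POINTS = {"public": 0, "internal": 10, "confidential": 25, "pii": 35}


@dataclass
class Vendor:
    name: str
    category: str
    evidence: set                    # document types received so far
    data_sensitivity: str            # highest class of bank data handled
    soc2_exceptions: int = 0         # exceptions noted in the SOC 2 report
    open_critical_findings: int = 0  # unresolved criticals from the pen test
    questionnaire_pct: int = 0       # % of questionnaire controls satisfied


def score_components(v: Vendor) -> dict:
    """Weighted factors that sum to at most 100 (weights are assumptions)."""
    if v.data_sensitivity not in SENSITIVITY_POINTS:
        raise ValueError(f"unknown data sensitivity: {v.data_sensitivity}")
    return {
        "data_sensitivity": SENSITIVITY_POINTS[v.data_sensitivity],
        "soc2_exceptions": min(5 * v.soc2_exceptions, 20),
        "critical_findings": min(10 * v.open_critical_findings, 25),
        "questionnaire_gaps": (100 - v.questionnaire_pct) // 5,
    }


def risk_level(score: int, thresholds=DEFAULT_THRESHOLDS) -> str:
    for upper_bound, level in thresholds:
        if score < upper_bound:
            return level
    return thresholds[-1][1]


def assess(v: Vendor, thresholds=DEFAULT_THRESHOLDS) -> dict:
    """Score a vendor and return the timestamped assessment record.

    Missing required evidence blocks onboarding regardless of score, so a
    partner cannot look low-risk simply because it has not yet submitted
    the documents that would reveal its weaknesses.
    """
    if v.category not in REQUIRED_EVIDENCE:
        raise ValueError(f"unknown partner category: {v.category}")
    missing = sorted(REQUIRED_EVIDENCE[v.category] - v.evidence)
    components = score_components(v)
    score = sum(components.values())
    level = risk_level(score, thresholds)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "vendor": v.name,
        "category": v.category,
        "components": components,   # keeps the score explainable for audit
        "score": score,
        "level": level,
        "missing_evidence": missing,
        "next_step": "collect_missing_evidence" if missing else NEXT_STEP[level],
    }


# Constructed sample vendors (not real GBC partners).
SAMPLE_VENDORS = [
    Vendor("Example Fintech", "fintech_provider",
           {"soc2_report", "pen_test_summary", "security_questionnaire",
            "financial_audit"}, "pii", soc2_exceptions=1, questionnaire_pct=90),
    Vendor("Example Agency", "marketing_agency", {"insurance_certificate"},
           "internal"),
    Vendor("Example Hosting", "technology_vendor",
           {"soc2_report", "pen_test_summary", "security_questionnaire"},
           "confidential", soc2_exceptions=4, open_critical_findings=2,
           questionnaire_pct=70),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        record = assess(vendor)
        print(f"{record['vendor']:16} score={record['score']:3} "
              f"level={record['level']:6} next={record['next_step']} "
              f"missing={record['missing_evidence']}")
```

Two design points matter more than the particular weights: the per-factor breakdown is stored with the score so an auditor can see why a vendor landed in a tier, and a missing document forces the record into a blocked state instead of letting an absent questionnaire read as a clean one.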

Scalability Without Headcount

One of the greatest benefits of deployment was GBC’s ability to achieve scale without increasing headcount. By automating more than 50% of previously manual TPRM processes—such as control validations, risk approvals, reassessments, and reporting—GBC was able to manage a growing portfolio of more than 80 software as a service (SaaS) providers, cloud service vendors, and contract-based partners without hiring additional staff or bringing in outside consultants.

This self-service capability was particularly critical as GBC entered new markets and formed strategic partnerships. Ennamli emphasized that speed to partnership was no longer stifled by risk bottlenecks. Instead, the platform enabled the enterprise to move faster, with greater clarity and lower friction, improving both top-line growth and bottom-line efficiency.

AI That Learns the Business

Another positive was the platform’s continuous improvement through contextual analysis. As GBC added more data into the system—from contracts to performance reviews—the AI models became more precise in identifying red flags, recommending remediation paths, and anticipating areas of risk exposure. These insights helped GBC evolve its program from static assessments to continuous risk intelligence.

The system was trained using GBC’s bank-specific documentation and risk criteria, ensuring that the outputs reflected the language, culture, and risk tolerance of GBC. This functionality removed the noise and irrelevance that often accompanies generic risk scoring models, and it gave the team confidence in the platform’s accuracy and insights.

Designed for Strategy, Not Just Compliance

What truly distinguished the TPRM platform was its alignment with business outcomes. Instead of implementing a solution that merely checked the compliance box, GBC deployed a system that actively contributed to:

Faster, smarter decision making—With instant visibility into vendor risk and obligations, GBC could evaluate tradeoffs more effectively and move forward with clarity.

Reduced operating costs—By automating low-value tasks and eliminating redundant manual work, the team was able to drive efficiency while reallocating time to high-priority strategy work.

Improved partner confidence—As GBC’s underwriting and risk posture became more transparent and data-driven, capital partners and investors gained greater assurance in the bank’s governance maturity.

Future-proofing the enterprise—By choosing a partner that was willing to build an extensible, customizable platform, GBC positioned itself for future needs, from open banking and real-time risk intelligence to broader enterprise risk integration.

Opting for the TPRM platform was not simply a matter of software implementation; it was a strategic modernization initiative. It blended technology, process, and culture in a way that redefined the role of risk management at GBC. The TPRM platform became the connective tissue that aligned the bank’s growth objectives with its compliance and security commitments, laying the foundation for a more agile, scalable, and resilient future.

Benefits Across the Organization

The implementation of the AI-powered TPRM platform delivered measurable and wide-reaching benefits across every functional area at GBC, transforming what was once seen as a purely defensive function into a strategic capability. The business benefits were myriad.

Time-to-Value

In open banking, time-to-value is a critical success metric. For GBC specifically, the newfound ability to onboard third-party relationships quickly—without compromising security or compliance—was central to its growth strategy. Delays in processing or assessing vendors could threaten business velocity, erode trust, derail strategic partnerships, and limit GBC’s ability to capitalize on opportunities. Therefore, the TPRM platform’s speed and precision were essential. The solution provider’s fast and accurate risk analyses were key components of GBC achieving these goals.

Compliance Improvement

From a compliance standpoint, GBC’s leadership recognized the urgency. Ennamli emphasized the bank’s obligation to align with OSFI’s Guidelines B-10 and B-13, which mandate that financial institutions establish a TPRM program capable of conducting thorough due diligence for every external partner. The platform helped GBC achieve this through deep expertise and AI-powered automation.

Ecosystem Mastery

Equally important was visibility into technology ecosystem risk. Effective TPRM requires an organization to understand its environment across all tiers—first, second, and even nth-party suppliers. The TPRM solution gave GBC a way to track and quantify risk throughout its supply chain, identify threats, and quickly assess potential impacts. On the human side, the benefits of deploying Coverbase were equally impressive.

Compliance Gains

With regulatory expectations from OSFI (notably Guidelines B-10 and B-13) growing more detailed and demanding, the bank was able to demonstrate a proactive, structured approach to third-party governance that directly aligned with this evolving guidance. Manual compliance tracking was replaced by automated workflows and real-time dashboards, significantly reducing the administrative burden associated with audit preparation and ongoing reviews. Perhaps even more important was the ability to collaborate seamlessly with internal stakeholders—from legal to security to procurement—thanks to centralized documentation and transparent workflows. Risk ownership was no longer siloed; it became a shared responsibility executed with precision.

Security Enhancements

The automated intake and analysis of vendor security documentation, such as SOC 2 reports and penetration test summaries, allowed teams to spot control weaknesses earlier in the life cycle—often during initial onboarding rather than post-deployment. The integration of vendor risk data into the bank’s broader cyber risk management strategy enabled faster and more informed responses when threats emerged. Instead of reacting in isolation, security analysts could connect third-party incidents to the broader threat landscape and risk posture, prioritizing remediation efforts where they would have the greatest enterprise impact. In short, by modernizing and automating its approach to TPRM, GBC achieved cross-departmental benefits and overall business improvement—streamlining operations, reducing exposure, and setting the foundation for sustainable, scalable growth.

The Results: Visibility, Velocity, and Risk Reduction

Due diligence time was reduced by 77%.

Risk assessments that once took more than 60 days were reduced to fewer than 14. Automated workflows and AI-assisted document review eliminated back-and-forth emails and hours of manual analysis.

Risk evaluation consistency improved by 40%.

By using a standardized risk model and automated scoring, GBC achieved much higher consistency in how vendors were evaluated. This was particularly important for demonstrating regulatory compliance.

Vendor onboarding speed increased by 30%.

With faster risk reviews, the enterprise could onboard new partners more quickly. This meant shorter sales cycles, faster product launches, and improved customer satisfaction.

Auditability, accountability, and traceability were strengthened.

Every risk assessment, document upload, score, and decision is now logged and timestamped. The TPRM platform generates real-time audit trails that satisfy internal audit and regulatory requirements and result in business leaders’ abilities to make more informed decisions with higher quality and completeness.
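The audit trail described above, as an added example that is not Coverbase’s or GBC’s code: an append-only log in which every upload, score and decision is timestamped and attributed. It goes one step beyond the text by chaining each entry to the hash of its predecessor, so that a later edit to a logged score or decision is detectable at verification time. The actors, subjects, timestamps and document digest in the sample trail are constructed.

```python
"""Append-only, hash-chained audit trail for TPRM decisions.

Added illustration of a timestamped, traceable audit trail; it is not
Coverbase's or GBC's code. Entry hashes are chained so that any later edit
to a logged score or decision is detectable. Actors, subjects, timestamps
and details below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64


def _digest(body: dict) -> str:
    """Canonical JSON so the same entry always hashes the same way."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, subject: str,
               details: Optional[dict] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one entry; each entry commits to the hash of its predecessor."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "subject": subject,
            "details": details or {},
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = _digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Recompute the chain. Returns (ok, index): the first bad entry on
        failure, or the number of entries checked on success."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                    or _digest(body) != entry["entry_hash"]):
                return False, i
            prev_hash = entry["entry_hash"]
        return True, len(self.entries)

    def history(self, subject: str) -> List[dict]:
        """Every logged action for one vendor, in order (traceability)."""
        return [e for e in self.entries if e["subject"] == subject]


def build_sample_trail() -> AuditTrail:
    """Constructed sequence of events for a fictional vendor."""
    trail = AuditTrail()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    trail.record("intake-bot", "document_uploaded", "vendor:example-fintech",
                 {"doc": "soc2_report", "sha256": "<placeholder-digest>"}, when=t0)
    trail.record("scoring-engine", "risk_scored", "vendor:example-fintech",
                 {"score": 42, "level": "medium"}, when=t0.replace(hour=10))
    trail.record("analyst@example", "decision", "vendor:example-fintech",
                 {"outcome": "approved_with_conditions"}, when=t0.replace(hour=11))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    trail.entries[1]["details"]["score"] = 5   # simulate a retroactive edit
    print("after tampering:", trail.verify())
```

The chain only proves integrity relative to its own head; to make it meaningful for internal audit or a regulator, the latest `entry_hash` should be periodically anchored somewhere the log writers cannot alter (a signed statement, a write-once store, or an external timestamping service), which is outside what this example shows.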

The Future: Toward Continuous Risk Intelligence

Looking ahead, GBC plans to expand its use of the TPRM platform to support:

  • Real-time alerts based on changes in vendor security posture
  • Integration with external threat intelligence feeds
  • Automated reassessments for key vendors
  • Expansion of the platform to cover fourth-party (subcontractor) risk

The deep integration of the platform into the organization allowed for rapid adaptation to changing regulatory requirements and market conditions.

Conclusion

GBC’s implementation of a TPRM platform is a study in how AI can reshape critical, highly regulated functions. By rethinking third-party risk management as a collaborative, intelligence-driven discipline, GBC achieved not only compliance but a meaningful business advantage.

"We didn’t just digitize a manual process," said Ennamli. "We redefined how we think about risk. And in doing so, we built a model that scales with our business, aligns with regulators, and sets us apart in the market."

As open banking and digital transformation accelerate across financial services, GBC is poised to lead with confidence—backed by a risk function that is fast, smart, and built for the future.

Endnotes

  1. Office of the Superintendent of Financial Institutions, Third-Party Risk Management Guideline, Canada, 2023; Office of the Superintendent of Financial Institutions, Technology and Cyber Risk Management Guideline, Canada, 2022
  2. National Institute of Standards and Technology (NIST), The NIST Cybersecurity Framework (CSF) 2.0, USA, 26 February 2024

Katie Teitler-Santullo is a product marketing and strategy leader with a strong track record in business growth, thought leadership, and market research. Over the course of her career, she has been a product marketer, evangelist, industry analyst, research director, content marketer, freelance author, and conference content curator. Currently, Teitler-Santullo is the director of product marketing for OX Security, a leading application security posture management (ASPM) and application security (AppSec) vendor. She contributes to The Cyber Why newsletter and podcast, and is a co-host on Enterprise Security Weekly.

ISACA Journal is a globally recognized professional publication that delivers expert insights on IT governance, cybersecurity, risk management, and emerging technologies, providing practitioners with thought leadership, practical guidance, and industry-driven research to support their professional development worldwide.