S&P Global Market Intelligence LLC

Managed Service for Credit Risk Assessments

Credit Risk Assessment is a managed service to supply credit risk reports on corporate or financial institutions which are typically not rated by S&P Global Ratings. It is based on the outcome of the application by S&P Global Market Intelligence (SPGMI) analysts of pre-agreed methodologies, tools, scorecards, and processes.

Features

• SPGMI expertise and proven credit risk assessment methodologies.
• Written report (key deliverable), which includes a range of analysis.
• Analysis: business profile, macroeconomic, country/industry risk analysis.
• (Analysis cont.) Company specific credit fundamentals including organizational structures,
• (cont.) competitive analysis, industry specific regulatory or labor issues.
• Analysis includes governmental and/or parental support overlay where applicable.
• Written justification of score for each sub factor.
• Overall credit score in numerical and lowercase letter format.
• Credit score is based on S&P Global Ratings scale.
• Analysis, charts, tables, and graphs included as applicable.

Benefits

• Save time otherwise spent building credit risk methodology/analytical team.
• Save time otherwise spent gathering historical data and benchmarks.
• Access resources with specialist skills around credit risk analysis/modeling.
• Free up time to work on critical business strategy/tasks.
• Gain a solid basis for risk management decisions.
• Use for impairment, risk capital calculation and risk-based pricing.
• SPGMI analysts spread/analyze financial statements, calculate key financial ratios.
• Well-defined, quality assured, and timely deliverables. Strong governance framework.
• Backed by a large, experienced credit risk analyst team.
• Business Continuity Plan and Disaster Recovery Management strategy in place.

£35,000 a licence

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at dpearcey@spglobal.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

923758043490360

Contact

Daniel Pearcey
+447967785826
dpearcey@spglobal.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: This service can be used as a standalone service or as an add-on to the Credit Analytics service (listed separately in Digital Marketplace). ; ; To produce the Credit Risk Assessment reports SPGMI’s credit risk analysts may use Credit Analytics models, S&P Scorecards and other pre-agreed methodologies, tools and processes.
• Cloud deployment model: Private cloud
• Service constraints: This service is provided on an “on demand” basis with agreed delivery schedule, timelines, and service level agreements.
• System requirements:
  • N/A - This is a managed service.
  • The customer is not required to run the models.
  • All system requirements will be managed internally by SPGMI's Analysts.

User support

• Email or online ticketing support: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: This managed service will be provided remotely. On-site support is not expected, but can be discussed. The Credit Risk Assessments are undertaken by application of S&P's proprietary Scorecards, and/or Credit Analytics models. A Project Manager and Escalation Contact will be listed in Contract for both S&P and the Customer. The S&P Contacts will provide support in terms of kick-offs, resource deployment and management, communications, meetings/governance calls, project deliverables review and delivery, and post-delivery clarifications during the engagement. In this way there are two support levels, but both are project management focused due to the nature of the service.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: As per the agreed Statement of Work, there will need to be an agreed scope of assignment. SPGMI will hold a meeting(s) with the Buyer to determine this, and agree upon the methodologies, tools, scorecards or processes required. ; ; Once the scope is agreed, no training or documentation will be required since this is a managed service. SPGMI will then return completed Credit Risk Assessment deliverables to the Buyer within the stated time period.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: When the contract ends, users can extract their data from S&P Global by following the data extraction process outlined by the Sales Operations team. This process typically involves submitting a data extraction request, specifying the data they need, and providing the necessary details for retrieval. The Sales Operations team will then work with the user to ensure a smooth and secure transfer of their data. It is important for users to communicate their data extraction requirements in a timely manner to ensure a seamless transition. Since any data for this service will be shared in the form of documentation, not data upload to software it is not expected that data extraction will be needed in this way.; ; Once we no longer have a legitimate business need to process your personal information/data, we follow our applicable information governance policies, procedures and standards and retain your information for as long as necessary to accomplish the purpose for which it was collected, following which we either delete or anonymize your personal information/data, or if deletion or anonymization is not possible, then we pseudonymize and/or securely store your personal information and isolate it from any further processing until deletion is possible.
• End-of-contract process: Our contracts will be subscription based and the termination covers as part of our agreement. Please note that there will not be any additional cost. S&P Global has a detailed Exit Strategy document and process. There is a policy for deletion of data in the hosted environment that is followed up written notification of the termination of contracts. S&P Global have a company policy around the deletion of documents and this is reviewed annually. In general, we use several methods to wipe data. These methods are employed dependent on classification of data present on the system. Data is destroyed by overwriting, degaussing, or physical destruction.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: The report format of Credit Risk Assessments is standardised, and is being offered for Corporates and Financial Institutions.; ; That said, SPGMI is open to discussing the content of the report, approach to analysis, and levels of granularity required in order to best meet the reporting needs of the Buyer.

Scaling

• Independence of resources: For high volume engagements, we can provide a dedicated team of analysts exclusively working for the client.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Encryption at rest provides data protection for stored data (at rest). Encryption at rest is designed to prevent unauthorized users from accessing the unencrypted data by ensuring the data is encrypted on disk. In addition to satisfying compliance and regulatory requirements, encryption at rest provides defense-in-depth protection. Attacks against data at-rest include attempts to obtain physical access to the hardware on which the data is stored, and then compromise the contained data. Encryption solutions must be applied to servers, desktop computers, thumb drives, mobile devices (phones, tablets, laptops) and Cloud storage. AES 256 based encryption is used for data protection.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: N/A. This is a managed service for Credit Risk Assessments, not a data warehousing solution.
• Data export formats: Other
• Other data export formats: N/A
• Data import formats: Other
• Other data import formats:
  • N/A.
  • Information for conducting the Credit Risk Assessments will be needed.
  • Information can be shared by an agreed channel of communication.
  • No data is required to be uploaded to a platform.

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: SPGI manages network interfaces including gateways, routers, firewalls, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). S&P Global's' Network Security Standard Policy defines the minimum requirements necessary for providing appropriate access controls over the SPGI network infrastructure. This standard applies to all Company owned or leased network devices, and all third-party service provider devices connected to or used to connect to the Company network for any purpose.

Availability and resilience

• Guaranteed availability: As per our Supplier T&Cs (agreements), there will be a scope of work governing the engagement. This governs the obligations of the parties to one another in such respect and how the obligations will be met. Levels of availability do not apply in the sense of software availability, since the delivery will be dependent on analytical employees.
• Approach to resilience: N/A. This is a managed service.
• Outage reporting: N/A. This is a managed service.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: According to S&P Global's 'User Provisioning and Access Controls Standard', All users must have an account provisioned via the Corporate Simple Access identity management facility before being granted access to any other SPGI system or application. Users are only given those privileges and entitlements necessary to perform their functions. Access rights are not activated before authorization procedures are completed. Similarly, All access are immediately revoked for users who terminated employment. Authorized users are assigned group and role membership, and account access authorizations (e.g., privileges) and other attributes for each account.
• Access restriction testing frequency: At least once a year
• Management access authentication: Other
• Description of management access authentication: S&P Global authenticates users when they access the service through a combination of username/password authentication and multi-factor authentication (MFA).; ; However for this engagement, we will be engaging the customer mainly through email and phone communications.

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: S&P Global’s Information Security policies and standards are based on the best practices recommendations for information security management as published in ISO/IEC-27002 and NIST 800 Standards.
• Information security policies and processes: SPGI’s Information Security Program mission is to protect customer information and the company’s reputation and brand through well established, uniform security practices while complying with legal requirements and industry best practices. This is accomplished by having a centralized accountability function with the goal of enhancing the company’s ability to: predict security events and their relative impact to SPGI environments; prevent attacks by augmenting the enterprise security posture; detect attacks that have evaded preventative measures; respond to security events for timely remediation; and improve/update the group’s capabilities and resiliency. The Chief Information Security Officer (CISO) manages and coordinates SPGI’s Information Security Program. The CISO reports to SPGI’s Chief Information Officer (CIO) who is a member of the Operating Committee and reports to the President and Chief Executive Officer (CEO) of SPGI.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We follow robust configuration and change management process. The components of S&P Global's services are tracked throughout their lifetime using a configuration management database (CMDB). The CMDB maintains record of components, including hardware, software, and network devices. Each component is assigned a unique identifier and its attributes, such as version, configuration settings, and dependencies, are documented. This allows for accurate tracking and management of components throughout their lifecycle. Before implementing any changes, S&P Global assesses them for potential security impact. This assessment involves evaluating the security implications of the proposed changes, including any potential vulnerabilities or risks that may arise.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: S&P Global's Network Vulnerability Assessment Standard is designed to identify risks affecting the infrastructure of the organization and provide actionable advice to efficiently and effectively address the risk. The Network Vulnerability assessment identifies both patch-related and configuration-related vulnerabilities. Scans occur both within and without the environment. All applications will go through the threat modeling, static vulnerability assessments, dynamic vulnerability assessments (for web applications and web APIs), and manual and penetration tests if deemed necessary, during the SDLC.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: S&P Global has Cyber Incident Response Program that is managed by the Information Security Monitoring & Cyber Incident Response Team (“CIRT”) in conjunction with the Security Operations centre (SOC) where security analysts monitor security events 24x7 and escalate validated or suspicious security incidents for further probing and invoke Incident Management Procedure as necessary. The CIRT is responsible for triaging, responding to and resolving security incidents. The Cyber Incident Response Plan is intended to include all necessary processes, procedures, internal and external communication strategies, provisions for business continuity, and steps to limit disruptions in service. This plan is rehearsed annually.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Cyber Incident Response Team (CIRT) along with Privacy/Legal team is responsible for engaging the necessary business, risk management, compliance stakeholders, customers, employees, and regulators based on the nature of the incident, legal requirements, and industry practices in accordance with the Cybersecurity Incident Response Plan. In accordance with contractual commitments or regulatory obligations, the Company may have to report InfoSec or Data Incidents to clients or customers.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  The risks and impacts of climate change pose a substantial threat to communities and ecosystems worldwide. At S&P Global, we recognize that we must do our part to address this growing crisis, as the wellbeing of our people and business is inextricably linked to the health of the communities where we live and work. In 2021, we announced our goal of achieving net-zero emissions by 2040, which included near-term 2025 targets validated by the Science Based Targets initiative (SBTi). Our approach is informed by the latest climate science aimed at limiting global warming to 1.5°C and aligns with best practice of avoiding and lowering greenhouse gas (GHG) emissions by carefully tracking and disclosing our performance, implementing energy reduction initiatives and transitioning to low-carbon energy sources. For our impact report, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/impact-report/index For our TCFD report, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/tcfd-report-2023.pdf

  Covid-19 recovery

  The S&P Global Foundation responded by channeling $4.5 million in global grants for COVID-19 relief efforts, supporting first responders, helping the hungry, providing medical supplies and meeting other critical needs, as well as providing critical aid for small businesses to help address the strain of economic uncertainty. • We provided hospitals and governments free access to Panjiva supply chain data relating to ventilators and personal protective equipment. • Across the globe, S&P Global team members responded too, volunteering their time and donating funds to the S&P Global Foundation to help meet the needs of their local communities. In India, during a lockdown period, our CRISIL team used their corporate kitchen to serve 10,000 meals per day to Mumbai’s most vulnerable. And in the U.S., colleagues in our California, Colorado and New York offices got to work, 3D-printing face shields for local healthcare workers. For more details, please refer to the link - https://www.spglobal.com/en/who-we-are/corporate-responsibility/cr-spotlight-covid-19

  Tackling economic inequality

  The S&P Global Supplier Diversity Program provides fair and equal procurement opportunities for all capable, competitive suppliers. We welcome companies managed or led by members of all underrepresented groups, including women, veterans and other historically disadvantaged populations, to apply. Partnering with diverse suppliers is one way that we are living out our overall commitment to fostering a diverse, equitable and inclusive workplace and community. Please refer https://www.spglobal.com/en/who-we-are/diversity-equity-inclusion/supplier-diversity

  Equal opportunity

  S&P Global is an equal opportunity employer and all qualified candidates will receive consideration for employment without regard to race/ethnicity, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, marital status, military veteran status, unemployment status, or any other status protected by law.

  Wellbeing

  S&P Global provides colleagues with a comprehensive, competitive benefits package that includes a host of programs, resources, and incentives to enable informed decisions and healthy lifestyles. Our global benefits differ from country to country, but specific offerings include flexible work environments and programs designed to promote our people’s physical, financial, mental, and emotional health. To support a safe and healthy work environment, the company maintains a rigorous management system. Our facilities worldwide follow internally and externally audited occupational health and safety policies in line with ISO 45001 and ISO 14001 standards. All of our office locations follow ISO 45001, with our London office formally certified in ISO 45001. Of our office area, 49% is covered by ISO 14001 standards. For more details, please visit - https://www.spglobal.com/en/who-we-are/corporate-responsibility/impact-report/our-people/employee-health-safety-and-wellbeing.

Pricing

• Price: £35,000 a licence
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at dpearcey@spglobal.com. Tell them what format you need. It will help if you say what assistive technology you use.