On 23rd September 2024, we made some changes to the standardised control framework within Risk Ledger.

We do this periodically to ensure the framework stays relevant, useful, and practical for all users of the Risk Ledger platform.

All changes have been automatically implemented within the platform and are clearly marked, with a full audit history kept within your activity feed.

This page provides you with a summary of the changes that have been made. If you'd like to see the exact changes in detail, please send us a message and we can provide this information in spreadsheet format.

There is nothing you need to do immediately. You can continue using Risk Ledger in exactly the same way as before. Once the changes are in place, you may wish to do the following:

Initially, you may notice a very small increase in compliance scores for your suppliers. This is because the new controls will default to 'Not required' in your policies until you choose otherwise.

As technology develops, we must continually assess how best to protect against associated risks. Often, existing security controls and techniques can be effectively applied to emerging technologies. Occasionally, however, a new technology is widely adopted which is sufficiently different that it requires consideration of additional risks and mitigating controls — either for the technology itself or in the way that it’s used. The recent increased usage of Machine Learning and Generative Artificial Intelligence (AI) models is one such change.

We have introduced a new Artificial Intelligence domain into our Core Framework. The controls within this domain are designed to help suppliers to manage the risks associated with the use of AI within their organisations and help clients to understand the potential risks they are exposed to through the use of AI in their supply chains.

We have been receiving consistent feedback (albeit small numbers) explaining some of the discussions clients and suppliers are having about whether a supplier should answer the Software Development domain, or not. Scoping questions are designed to mould the framework around the supplier’s environment and activities - to support suppliers to understand what controls they should consider. This should be independent of the client’s requirements.

The previous wording of the Software Development scoping question did not make this clear. We have updated the scoping question to clarify that any supplier who develops or programs software should be considering relevant controls for secure software development and therefore should answer this domain.

The Network & Cloud Security domain has been reviewed & updated to make it clear that these controls apply in all circumstances where a supplier manages their own environments, regardless of whether these are on-premise closed networks, cloud-hosted environments or a hybrid combination of these technologies.

There has been an increased focus on Operational Resilience recently, particularly within Finance and CNI sectors. As such, we have reviewed how we can support our customers in assessing how their supply chains are impacting their operational resilience. As part of this, we are making some updates to the core framework: we will be adding specific controls around RTOs and RPOs as well as highlighting the date of the last disaster recovery rehearsal.

We will continue to explore opportunities for supporting customers with managing and improving their operational resilience.

You may have already noticed that we've moved the Financial Risk and Environmental, Social & Governance domains away from the Core Framework and redefined them as Add-Ons. This means you can now choose whether each of your suppliers is required to answer these domains or not.

We're thrilled to announce that this week, we'll be releasing another update to the structure of the framework: Framework Sizes. This new feature will allow you to choose whether each of your suppliers should answer the full core framework or a smaller version designed for smaller, less mature suppliers. More to come on this!
​