Framework Changes - Suppliers - September 2024
Written by Dan McKenzie

On 23rd September 2024, we will be making some changes to the standardised controls framework within Risk Ledger.

We do this periodically so that the framework stays relevant, useful and practical for all users of the Risk Ledger platform.

All changes will be applied automatically within the platform and marked clearly, with a full audit history kept in your activity feed.

This page gives you a summary of the changes that are coming.


As a supplier, what do you need to do?

If you have already submitted your assessment and your profile is up to date, you do not have to make any changes until your next 6-monthly re-assessment is due or one of your clients asks you to complete a new control question.

You will need to answer the new control question(s) before you can submit your next re-assessment.

If you have not yet submitted your assessment, you will need to answer the new control question(s) before you submit.


What’s changing?

  • There will be 17 new controls added to the core framework:

    • 12 new controls in a new domain: Artificial Intelligence

    • 3 new controls added to the Business Resilience domain

    • 1 new control in the Network & Cloud Security domain

    • 1 new control in the IT Operations domain

  • 15 controls will have wording updates to give more clarity or to bring them in line with common industry language.

  • 1 control will be deprecated: D36 (TLS), which will be replaced by an updated TLS control.

  • Some controls within the Network & Cloud Security domain will be re-ordered to improve flow, so their references will change.

New Artificial Intelligence Domain

As technology develops, we must continually assess how best to protect against the risks that come with it. Often, existing security controls and techniques can be applied effectively to emerging technologies. Occasionally, however, a new technology is widely adopted that is sufficiently different to require consideration of additional risks and mitigating controls, either for the technology itself or for the way it is used. The recent increase in the use of Machine Learning and Generative Artificial Intelligence (AI) models is one such change.

We have introduced a new Artificial Intelligence domain into our Core Framework. The controls within this domain are designed to help suppliers to manage the risks associated with the use of AI within their organisations and help clients to understand the potential risks they are exposed to through the use of AI in their supply chains.

Software Development - Scoping Question

We have been receiving consistent feedback (albeit in small numbers) describing discussions between clients and suppliers about whether a supplier should answer the Software Development domain or not. Scoping questions are designed to mould the framework around the supplier's environment and activities, helping suppliers understand which controls they should consider. This should be independent of the client's requirements. The previous wording of the Software Development scoping question did not make this clear. We have updated the scoping question to make it clear that any supplier who develops or programs software should be considering relevant controls for secure software development and should therefore answer this domain.

Network & Cloud Security

The Network & Cloud Security domain has been reviewed and updated to make it clear that these controls apply in all circumstances where a supplier manages its own environments, regardless of whether these are on-premises closed networks, cloud-hosted environments or a hybrid combination of the two.

Operational Resilience

There has been an increased focus on Operational Resilience recently, particularly within the Finance and CNI sectors. As such, we have reviewed how we can support our customers in assessing how their supply chains affect their operational resilience. As part of this, we are making some updates to the core framework: we will be adding specific controls around RTOs (recovery time objectives) and RPOs (recovery point objectives), as well as highlighting the date of the last disaster recovery rehearsal.

We will continue to explore opportunities for supporting customers with managing and improving their operational resilience.


Alongside this update…

You may have already noticed that we recently moved the Financial Risk and Environmental, Social & Governance domains out of the Core Framework and redefined them as Add-Ons. This means clients can now choose whether each of their suppliers is required to answer these domains or not.

In the next few weeks, we will be announcing another update to the structure of the framework: the ability for clients to choose whether each of their suppliers should answer the full core framework or a smaller version designed for smaller or lower risk suppliers. More to come on this!
