Why have we released Framework Sizes?
Following the release of Add-on Domains, we have now launched Framework Sizes.
The previous version of the Risk Ledger framework was standardised for all suppliers but needed flexibility for organisations of different sizes and maturity levels - especially in cases where the framework size needed adaptability for supplier onboarding and engagement (particularly for smaller or less mature suppliers).
What does it involve?
Framework Sizes involves introduces two depths of assessment: Small and Full. This approach allows for flexibility whilst maintaining standardisation across security domains. The new sizes enable suppliers to efficiently complete assessments tailored to their size and maturity, whilst offering clients with a more customisable purpose-fit approach to gathering the right information from their suppliers.
The 2 Framework Sizes are:
Small (44 control questions)
The small framework is designed for smaller or less mature suppliers, allowing them to engage more easily with your third-party risk management process. It's suitable for suppliers who may have limited resources or are in the early stages of developing their security practices.
Full (192 control questions)
The full framework is designed for larger or more critical suppliers, providing you with a comprehensive view of their security posture. This size is ideal for suppliers who handle sensitive data, provide critical services, or have mature security processes in place.
💡 If you’d like to see the exact content of each size please send us a message and we can provide this in spreadsheet format.
How to set Framework Sizes when sending a connection request to an existing supplier
It’s easy to set a Framework Size during the usual connection request flow:
Navigate to Suppliers → Add Supplier
Find the supplier you wish to connect with and click on their profile
On the supplier's profile, click the Add Supplier button
Within the connection workflow, you'll be prompted to select which Framework Size you'd like to apply to the supplier's assessment:
How to change a supplier’s Framework Size after initial set up
Changing a supplier's Framework Size allows you to adjust the scope of assessment questions based on your evolving relationship with the supplier or changes in their risk profile. This flexibility enables you to:
Focus on the most relevant security questions for each supplier
Reduce the assessment scope for smaller or lower-risk suppliers, encouraging their engagement
Increase the assessment depth for critical or high-risk suppliers
When you change the Framework Size:
For the supplier: They will be notified to complete any new questions if moving to a larger framework, or their assessment scope will be reduced if moving to a smaller framework.
For you (the client): You'll gain a more appropriately tailored view of your supplier's security posture, allowing for more efficient risk management.
Here's how to change a supplier's Framework Size:
Go to Suppliers → All Suppliers and select a supplier
On the Overview page, locate the Framework Size section in the right-side column
Click the Edit icon (pencil symbol) next to Framework Size
4. In the pop-up window, select the desired Framework Size for your supplier:
How to set global defaults for Framework Sizes
Go to Settings → Framework & Add-ons
In this section, you'll be able to specify which Framework Size you'd like to be the default for all of your suppliers.
💡 Setting global defaults means that the Framework Size will be pre-filled when you send a connection request to a supplier. However, you can override this default for individual suppliers as described in previous sections. Remember, changing global defaults will only affect new supplier connections going forward, not existing ones.
How suppliers are notified about changes to their required Framework Size
When a client changes the required Framework Size for a supplier (e.g., from Small to Full), the supplier is notified in two ways:
Email Notification: The supplier will receive an email informing them of the changes to their required Framework Size.
2. Activity Feed: Suppliers can track all change requests by following these steps:
a. Go to Clients → Activity
b. Here, all changes are logged in an audit trail, including Framework Size
modifications.
What happens when you change a supplier's Framework Size?
Changing a supplier's Framework Size allows you to tailor your risk assessment process, but it's important to understand how this affects your existing policies, risks, and compliance scores. Here's what you need to know:
Controls required by a policy but not present in the new framework will not contribute to compliance.
Risks open on controls not in the new (smaller) Framework Size will be automatically closed, but don’t worry you can still access these.
If moving to a lower Size, the following elements related to removed controls will be affected: Exceptions, Risks, Remediations, Discussions will be closed.
You'll see a confirmation prompt before making changes:
Upgrading to Full Framework Size:
Supplier will be notified to complete the new framework
Compliance score may change immediately
Downgrading to Small Framework Size
Risks associated with removed controls will be closed
Discussions related to removed controls will be archived
Remediations linked to removed controls will be closed
💡 Remember: These changes ensure that assessment and compliance are based on the appropriate Framework Size for each supplier.
How to submit responses for new Framework Size requirements
If you're a supplier who has completed the Small Framework and your client requests you to complete the Full Framework:
You'll receive a notification by email about the change.
When you access your Assessment page, you'll see a banner at the top indicating the new requirements:
Below this banner, complete the additional questions in your assessment, following the same process you used for the Small Framework.
💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.