Why Cheshire Constabulary was looking for a new third-party risk management solution?
Cheshire Constabulary was looking for a new tool to help it automate its third-party risk management programme as much as possible. Their main pain point prior to adopting Risk Ledger was that there was not enough budget for additional human resources, and even that would have not allowed it to make its TPRM programme more efficient and streamlined, as it was simply too manual and spreadsheet-based. Other more specific factors that influenced Cheshire Constabulary’s decision to choose Risk Ledger, included the following:
- Cheshire Constabulary was facing an audit by the Information Commissioner’s Office (ICO) and wanted to ensure it could demonstrate TPRM best practice and regulatory compliance.
- Its IT security team was also looking for new ways to help it enhance cross-team collaboration, especially with procurement.
- It wanted to be able to work with and monitor the security of its suppliers on a more continuous basis, going beyond mere point-in time assessments.
Key Benefits
“If a supplier decided, for example, to start using a data centre in a problematic jurisdiction, we didn't have any visibility of that unless they told us...the benefit of Risk Ledger is that we are now informed automatically if an important security control like this changes.”
- Stuart Rogers, Head of IT & Information Security, Cheshire Constabulary
Facilitating better cross-team collaboration with procurement
Using Risk Ledger allowed Cheshire Constabulary’s IT security team to improve cross-team collaboration on managing third-party supplier risk. Previously, documents and spreadsheets had to be shared manually with procurement and suppliers via email. This complicated the process of vetting and onboarding new suppliers.
With Risk Ledger, all information on suppliers, including financial, business resilience, and data privacy-related information, is available centrally on one platform, and is instantly accessible by all who need it. The data can be filtered by tags and policies, providing an ability to easily retrieve the information needed, simplifying processes.
“From a third-party risk perspective there have been concerns about foreign suppliers, both from a security and ethical point-of-view that we need to be on top of. The good thing is you have a range of questions covering this in Risk Ledger…in addition you can cover the financial side and environmental aspects as well.”
-Stuart Rogers, Head of IT & Information Security, Cheshire Constabulary
Compliance & Reporting
Before adopting Risk Ledger, Cheshire Constabulary was concerned about facing an audit by the Information Commissioner’s Office (ICO) and wanted to ensure it could demonstrate best practice and regulatory compliance.
With Risk Ledger, Cheshire Constabulary can now create tailored reports filtered by policies, tags, risk profiles or compliance scores, and for specific security domains or controls across their entire supplier base, making the preparation of risk assessments, but also reporting to regulators, much easier.
“The other thing I was conscious of was that we were going to get audited by the Information Commissioner's Office. Based on audits that they'd already carried out in other forces, this was a particular area I knew they were looking at.”
-Stuart Rogers, Head of IT & Information Security, Cheshire Constabulary
Risk Ledger’s standardised assessment framework
In the past, it would take Cheshire Constabulary’s IT security leader a lot of time identifying the exact questions that they wanted to ask and assure suppliers against, and then to discuss these questions with their suppliers.
Cheshire Constabulary can now use Risk Ledger’s standardised risk assessment framework, which maps against all major international security standards, including ISO27001, NIST CSF, NCSC CAF, Cyber Essentials, and others. It is updated every 6 months to keep on top of any new regulatory requirements. This means Cheshire Constabulary no longer has to spend the time on updating and reviewing the assessments themselves.
“It was also up to me to understand which questions I wanted to ask, and which questions do I need to adapt or tweak over time. So from a management perspective, having a tool where those questions are regularly reviewed and updated is hugely time saving.”
-Stuart Rogers, Head of IT & Information Security, Cheshire Constabulary
Continuous monitoring of suppliers’ security controls
The ICO wanted to understand what police forces were doing to ensure a more continuous monitoring of third-party risks that goes beyond just one-off assessments.
With Risk Ledger, suppliers and their clients are connected on the same platform, where they can communicate and collaborate at all times. Clients are also informed automatically when any of the security controls of their suppliers have changed, through weekly updates and activity feeds provided by Risk Ledger. Since suppliers are reviewed by multiple clients, based on the same data points, this data also becomes qualitatively better over time.
“It was common across the board [among many police forces], when bringing in new suppliers, that we looked at their IT security, contracts etc. at key points in time but lacked resources to continually follow-up and monitor what was happening thereafter.”
-Stuart Rogers, Head of IT & Information Security, Cheshire Constabulary
