Risk Ledger Case Study: The Civil Aviation Authority
Who is the Civil Aviation Authority (CAA)?
The Civil Aviation Authority is the UK’s independent aviation regulator that oversees and regulates all aspects of civil aviation in the United Kingdom. It works to ensure that the aviation industry meets the highest safety standards, and that consumers have choice, get value for money, and are protected and treated fairly when they fly. It also ensures the aviation industry manages security risks effectively and manages the environmental impact of aviation on local communities and the wider population.
The importance of supply chain risk management in the aviation industry
The aviation industry, especially airlines and airports, has extensive supply chains and relationships with third parties, from technology and other service providers to aircraft to labour. The risk that supply chain attacks could directly affect these organisations is high.
As a regulatory body, the CAA is responsible for ensuring the aviation industry is adhering to the highest international safety standards. Given this responsibility, Matt Taylor, the Chief Information Officer at the CAA, was keen to ensure that the CAA’s supplier risk management and assurance programme would not just meet basic compliance and regulatory standards, but become exemplary for the whole industry.
For the CAA, this meant rethinking and then transforming its existing supplier risk management programme to enhance its overall security maturity.
Problems and challenges of the CAA’s supply chain risk management process
Prior to using Risk Ledger, the CAA faced the common challenges of manual third-party risk management processes: they are time-consuming and ineffective. It had no way of continuously monitoring its suppliers’ security postures. The CAA’s supplier security due diligence was principally focussed on assessing the potential security risks posed by new suppliers before onboarding them.
The process consisted of providing suppliers with a standard security questionnaire. These questionnaires, while comprehensive, were essentially spreadsheet-based and thus highly time-consuming, both for suppliers to complete and especially for the CAA to review. The process also involved a lot of back and forth between the CAA and its suppliers to verify the information provided and to obtain the necessary clarifications and evidence where needed. This introduced a key challenge for the CAA: onboarding new suppliers quickly became an extremely time-consuming undertaking that slowed down procurement processes and could not easily be scaled in the future.
It also meant that the CAA was only able to prioritise larger and more important suppliers when it came to ongoing monitoring or risk management oversight.
The CAA’s goals for upgrading its TPRM programme
So it was time for a change, and to upgrade its third-party risk management (TPRM) programme. The CAA’s search for solutions was guided specifically by the following goals:
Automation of supply chain management processes
Given the extremely time- and resource-consuming nature of manual third-party risk management processes, the CAA was keen to automate as much as possible: the onboarding of suppliers, being made aware of any changes in their security postures, and obtaining a better overview of all its suppliers’ controls. This would be crucial in order to scale up its programme in a cost-effective manner, and to enable its information security team to increase efficiency by reducing the burden the old processes placed on it.
Continuous monitoring of suppliers’ security posture
The second major goal of the CAA’s efforts to overhaul its TPRM programme was to go beyond having to rely on regular, but always just point-in-time, assessments of its suppliers. While the CAA regularly engaged with some of its more critical suppliers, it wanted to get into a position where it could continuously monitor the controls of a much larger number of suppliers, and incorporate more suppliers into its third-party risk management programme. Achieving this would allow the CAA to gain a better understanding of its overall supplier ecosystem, as well as to know immediately when a supplier’s security posture has changed, or when a security breach could pose a threat to the CAA’s own systems and data.
These considerations led the CAA to consider using Risk Ledger’s third-party risk management platform.
The Risk Ledger Solution
It quickly became clear that using Risk Ledger would allow the CAA to achieve its two main goals and take its supply chain risk management efforts to the next level, by automating risk assessments, enhancing collaboration with suppliers, improving cross-team collaboration and providing better reporting and insights capabilities.
I’ll be honest. This is probably a better tool than any other tools that I have used.... there are tools that I have used that I don’t wanna use ever again.
-Matangi Patel, Information Security Officer, The CAA
Risk Ledger is an online supply chain security platform where suppliers and clients work together to get a comprehensive overview of their entire supply chains.
Matt Taylor remarked on the efficiency improvements made:
The amount of time it would’ve taken to do what Risk Ledger does, especially to that level of detail, is more than a full-time hire’s work.
By using Risk Ledger, the CAA benefited from the following:
A standardised framework
The security controls Risk Ledger assesses suppliers against are based on Risk Ledger’s unique Supplier Assessment Framework, which has been built on industry best practice and maps to multiple compliance and regulatory standards, including ISO 27001, Cyber Essentials, the NIST Cybersecurity Framework and the NCSC Cyber Assessment Framework. Since all suppliers on Risk Ledger are assessed against this Framework, organisations like the CAA have a clear, standardised baseline against which to benchmark all their suppliers.
As part of our strategy to improve our security maturity, we wanted to implement an ongoing and continuous monitoring system - Risk Ledger helped us do that.
-Matt Taylor, Chief Information Officer, The CAA
Risk Ledger is free to use for suppliers, and significantly reduces their burden of having to complete what can be thousands of risk assessments for different clients throughout the year, by allowing them to share their Risk Ledger assessment even with clients outside of Risk Ledger. This makes it easier for clients to convince suppliers that are not already on Risk Ledger to onboard onto the platform and take their security assessments seriously. In turn, this allows clients to obtain an up-to-date, full inventory of all their suppliers, with consistently maintained risk information.
Since suppliers’ security profiles are continuously monitored by many of their clients simultaneously, the information they provide is always under scrutiny, which maintains its quality, accuracy and timeliness. Data thus becomes real-time, removing yearly repeated workflows and allowing the value proposition to compound each year.
By adopting Risk Ledger, the CAA obtained, for the first time, the ability to continuously monitor its suppliers’ security posture directly on the platform. The CAA is now able to see in real time when one of its suppliers’ security postures has changed, or when critical controls are no longer in place and could pose a threat to the CAA. This gave the CAA the added assurance that it can now more easily stay on top of its supply chain security efforts.
Improved communication with suppliers
Risk Ledger also offers on-platform communication tools that allow clients to communicate and collaborate with their suppliers to encourage closer collaboration and better relations with them.
Being able to communicate with suppliers directly on the platform itself, rather than having to rely on email, has been a key time-saver for the CAA and has enhanced collaboration with its suppliers, while also providing users with an audit trail of their conversations that is accessible at all times. As Matangi Patel, Information Security Officer at the CAA, said of her experience using the communication function on Risk Ledger:
I think that is really useful and I have not seen this in any other tools that I have used.
Speeding up the procurement cycle
Since Risk Ledger embeds itself across Security, Procurement, Compliance & Legal, this also improves cross team collaboration, creating powerful value loops. On average, the use of Risk Ledger reduces procurement cycles from 9 months to under 4 weeks.
This ability to work more closely with other teams also benefited the CAA. By now being able to quickly review a new supplier’s security posture and identify whether there is anything that requires immediate attention, the process of reviewing suppliers was sped up, and with it the procurement cycle.
Great user experience and ease of reporting
The CAA also found that the Risk Ledger platform exceeded its expectations in terms of ease of use and its user-friendly UI. The information security team can now easily produce reports and pull data from the platform, as Matangi Patel highlighted:
The interface and dashboard exceeded initial expectations — it was great to have the ability to have a snapshot of all suppliers. The ability to pull a quick report is very useful, and gives me a lot of confidence when people ask how we’re managing supply chains.
Matangi Patel also stressed that the Knowledge Base provided within the platform is extremely useful, allowing users to get quick reminders of what specific controls are all about and “pick out support information when I don’t know what a definition means.”
...two years later
Overall, using Risk Ledger has greatly enhanced the CAA’s confidence in its supply chain risk management programme and bolstered its reputation. In the words of its Chief Information Officer:
The fact that we have something like Risk Ledger that can give us good supply chain risk assurance is quite important in terms of our own reputation as a regulatory authority. We can hold our head up because we’re prioritising security ourselves.
Based on its positive experiences with Risk Ledger to date, the CAA has now also brought in its Data Protection Officer (DPO) to further enhance collaboration. Together they went through the relevant data protection controls in Risk Ledger’s framework to identify the questions that, from the DPO’s perspective, suppliers should be asked, and turned off less relevant questions, which Risk Ledger allows users to do. This means that when suppliers’ answers are specifically relevant from a data protection and privacy perspective, these controls and the suppliers’ status against them can now be shared directly with the CAA’s DPO through the Risk Ledger platform.
At Risk Ledger we are excited to continue to work with the CAA and its great team, and we are excited to see how Risk Ledger can continue to expand and help the CAA’s departments assess its suppliers and engage in more effective and efficient supplier risk management.
-Haydn Brooks, CEO, Risk Ledger