Affinity Water is the largest water-only supplier in the UK, providing nearly 1 billion litres of water every day to approximately 3.6 million customers in and around London, UK.
As an Operator of Essential Services, Affinity Water have to comply with the EU's Network and Information Systems (NIS) Directive which requires them to scrutinise the security controls of their third parties. They also have to comply with the GDPR as the data controller for millions of customers' Personally Identifiable Information.
Affinity Water have hundreds of third parties ranging from long-term legacy suppliers to those onboarded recently for fixed-term projects.
The Risk Ledger platform allows Affinity Water to identify, measure and manage supply chain risks by running a semi-automated, security-led, third-party risk management programme at scale for a low per-supplier cost.
Using the platform and the Risk Ledger supplier framework, Affinity Water are able to collect data about how their suppliers implement over 200 risk controls, supported by verifiable evidence of implementation. The controls cover 12 risk domains, and suppliers only need to provide information about the controls relevant to them.
Affinity Water's suppliers are continuously monitored by the Risk Ledger platform and each supplier must re-attest to the accuracy of the data at least every 6 months. Additionally, Affinity Water are informed if a supplier's risk controls fall below the approved level of implementation.
"What I love about using Risk Ledger to manage our third-party security risk management programme is that it does exactly what it says on the tin. It is so easy for us to engage our suppliers for a security review at the click of a button if they are already on the Risk Ledger platform. Even if a supplier isn't already on the platform, I just need a contact email to get started.
When it comes to reviewing suppliers, I can't overstate how much time Risk Ledger saves us by avoiding spreadsheets and countless emails going back and forth. The workflows are simple and it is really useful to have assessment responses, discussions, contextual notes and compliance scores all in one place so the whole process is smoother and more efficient. Our whole team, including colleagues from other departments like procurement and legal, can be added as users to collaborate on the process which also makes it easier to project manage.
Overall, using Risk Ledger has helped us to run an efficient third-party security risk management process and frees up my time to focus on other security priorities."
The Head of Information Security wanted to:
Critical national infrastructure (CNI) comprises the assets, systems and networks deemed essential by a government for the functioning of a country and its economy, with direct national security implications.
Critical national infrastructure is commonly defined to encompass the following sectors: energy, transportation, telecommunications, water supply, emergency services, government, health services and financial services.
Ensuring the cyber security of critical national infrastructure is important because these assets, systems and networks are frequent targets of attacks by hackers, which could cause significant disruption to the functioning of a country and its economy. Attacks can undermine critical services, damage infrastructure, compromise sensitive data or even lead to serious economic and financial crises, and worse.
No organisation is an island.