The Civil Aviation Authority is the UK’s independent aviation regulator that oversees and regulates all aspects of civil aviation in the United Kingdom. It works to ensure that the aviation industry meets the highest safety standards, and that consumers have choice, get value for money, are protected and treated fairly when they fly. It also ensures the aviation industry manages security risks effectively and manages the environmental impact of aviation on local communities and the wider population.
The aviation industry, especially airlines and airports, has extensive supply chains and relationships with third parties, from technology and other service providers to aircraft manufacturers to labour. The risk that a compromise somewhere in this supply chain affects an organisation directly is therefore high.
As a regulatory body, the CAA is responsible for ensuring the aviation industry adheres to the highest international safety standards. Given this responsibility, Matt Taylor, the Chief Information Officer at the CAA, didn't want CAA’s supplier risk management and assurance programme to just meet basic compliance and regulatory standards, but become exemplary for the whole industry.
And this meant reimagining and transforming its existing supplier risk management programme.
Before Risk Ledger, the CAA faced the challenges common to manual third party risk management processes: they are time consuming and ineffective. It had no way of continuously monitoring its suppliers' security postures. The CAA's supplier security due diligence was principally focused on assessing the potential security risks posed by new suppliers before onboarding them.
The process consisted of providing suppliers with a set security questionnaire. These questionnaires, while comprehensive, were essentially spreadsheet-based and thus highly time-consuming both for the suppliers to complete and, especially, for the CAA to review. The process also involved a lot of back and forth between the CAA and its suppliers to verify the information provided and to obtain the necessary clarifications and evidence where needed. This introduced a key challenge for the CAA: onboarding new suppliers quickly became an extremely time-consuming undertaking that slowed down procurement, and one that could not easily be scaled in the future.
It also meant that the CAA could only prioritise larger and more important suppliers when it came to ongoing monitoring or risk management oversight.
So it was time for a change, and to upgrade its TPRM programme. The CAA’s search for solutions was guided specifically by the following goals:
Given the extremely time- and resource-consuming nature of manual third party risk management processes, the CAA was keen to automate various processes, including:
1. Onboarding of new suppliers
2. Getting notified of any changes to suppliers' security postures
3. Obtaining a better overview of all its suppliers’ controls
Automation was key to scaling up its TPRM programme in an efficient and cost-effective manner, while actively reducing the burden of the old processes.
The second goal of the CAA's efforts to overhaul its TPRM programme was to go beyond relying on regular, but always point-in-time, assessments of its suppliers. While the CAA regularly engaged with some of its more critical suppliers, it wanted to position itself to continuously monitor the controls of a much larger number of suppliers, and to incorporate more suppliers into its third-party risk management programme.
Achieving this would allow the CAA to gain a better understanding of its overall supplier ecosystem, and to know immediately when a supplier's security posture has changed, or when a security breach at a supplier could pose a threat to the CAA's own systems and data.
These considerations led the CAA to consider using Risk Ledger’s third-party risk management platform.
It quickly became clear that using Risk Ledger would allow the CAA to achieve its two main goals and take its supply chain risk management efforts to the next level.
I’ll be honest. This is probably a better tool than any other tools that I have used.... there are tools that I have used that I don’t want to use ever again.
-Matangi Patel, Information Security Officer, The CAA
With Risk Ledger, the CAA could automate risk assessments, enhance collaboration with suppliers, improve cross-team collaboration and gain better reporting and insight capabilities.
Matt Taylor remarked on the efficiency improvements made:
The amount of time it would’ve taken to do what Risk Ledger does, especially to that level of detail, is more than a full-time hire’s work.
Risk Ledger is an online supply chain security platform where suppliers and clients work together to get a comprehensive overview of their entire supply chains. By using Risk Ledger, the CAA benefited from the following:
Risk Ledger offers a unique Supplier Assessment Framework for clients to assess their suppliers. It was created based on industry best practice and maps against multiple compliance and regulatory standards, including ISO 27001, Cyber Essentials, the NIST Cybersecurity Framework & the NCSC Cyber Assessment Framework.
Since suppliers on Risk Ledger are all assessed against this Framework, this further enables organisations like the CAA to have a standardised baseline to benchmark all its suppliers.
As part of our strategy to improve our security maturity, we wanted to implement an ongoing and continuous monitoring system - Risk Ledger helped us do that.
-Matt Taylor, Chief Information Officer, The CAA
Risk Ledger is free for suppliers. It also significantly reduces the burden on suppliers, who often have to complete thousands of risk assessments for different clients throughout the year, by allowing them to complete the assessment once and share it with all their clients, even those not yet on the Risk Ledger network.
This makes it easier for clients to convince suppliers that are not yet on Risk Ledger to join the network and take their security assessments seriously. In turn, this allows clients to maintain an up-to-date, full inventory of all their suppliers, with each supplier's risks consistently recorded and kept current.
Since suppliers' security profiles are continuously monitored by many of their clients simultaneously, the information suppliers provide is always under scrutiny, which maintains its quality, accuracy and timeliness. The data thus becomes a continuously updated record rather than the output of a yearly repeated workflow, and its value compounds each year.
With Risk Ledger, the CAA obtained, for the first time, the ability to continuously monitor its suppliers' security posture directly on the platform. The CAA is now able to see in real time when one of its suppliers' security postures has changed, or when critical controls are no longer in place and could pose a threat to the CAA. This gives the CAA the added assurance that it can more easily stay on top of its supply chain security efforts.
Risk Ledger also offers on-platform communication tools that allow clients to communicate and collaborate with their suppliers to encourage closer collaboration and better relations with them.
Being able to communicate with suppliers directly on the platform itself, rather than relying on email, has been a key timesaver for the CAA and has enhanced collaboration with its suppliers, while also giving users an audit trail of their conversations that is accessible at all times. As Matangi Patel, Information Security Officer at the CAA, said of her experience using the communication function on Risk Ledger:
I think that is really useful and I have not seen this in any other tools that I have used.
Since Risk Ledger embeds itself across Security, Procurement, Compliance & Legal, this also improves cross team collaboration, creating powerful value loops. On average, the use of Risk Ledger reduces procurement cycles from 9 months to under 4 weeks.
This ability to work more closely with other teams also benefited the CAA. Being able to quickly review a new supplier's security posture and identify whether anything requires immediate attention sped up the review of suppliers, and with it the procurement cycle.
The CAA also found the Risk Ledger platform exceeded its expectations in terms of its ease of use and user friendly UI. The information security team can now easily produce reports and pull data from the platform, as Matangi Patel highlighted:
The interface and dashboard exceeded initial expectations — it was great to have the ability to have a snapshot of all suppliers. The ability to pull a quick report is very useful, and gives me a lot of confidence when people ask how we’re managing supply chains.
Matangi Patel also stressed that the Knowledge Base provided within the platform is extremely useful, allowing users to get quick reminders of what specific controls are all about and “pick out support information when I don’t know what a definition means."
Overall, using Risk Ledger has greatly enhanced the CAA’s confidence in its supply chain risk management programme and bolstered its reputation. In the words of its Chief Information Officer:
The fact that we have something like Risk Ledger that can give us good supply chain risk assurance is quite important in terms of our own reputation as a regulatory authority. We can hold our head up because we’re prioritising security ourselves.
Based on its positive experience with Risk Ledger, the CAA has now also brought in its Data Protection Officer (DPO) to further enhance collaboration. Together, they went through the data protection controls in Risk Ledger's framework to identify the questions that, from the DPO's perspective, suppliers should be asked, and turned off the less relevant ones, which Risk Ledger allows users to do. As a result, where suppliers' answers are specifically relevant from a data protection and privacy perspective, those controls and each supplier's status against them can now be shared directly with the CAA's DPO through the Risk Ledger platform.
At Risk Ledger we are excited to continue to work with the CAA and its great team, and we are excited to see how Risk Ledger can continue to expand and help the CAA’s departments assess its suppliers and engage in more effective and efficient supplier risk management.
-Haydn Brooks, CEO, Risk Ledger