Who is United Utilities?
United Utilities is a FTSE 100 company which manages and operates the regulated water and wastewater networks in North West England. United Utilities supports more than 22,000 jobs both directly and indirectly through its supply chain, and its purpose is to provide great water for a stronger, greener and healthier North West.
Problems and challenges facing United Utilities’ risk management programme
Prior to adopting Risk Ledger, United Utilities relied on a traditional TPRM process, using extensive manual spreadsheets. These spreadsheet-based questionnaires, made up of 300 control questions, were sent out to suppliers to complete. Upon receiving the answers back, United Utilities then had to review them in depth. This process would typically be done only once per supplier, during the onboarding process.
As pointed out by the Cyber Security Technical Assurance Manager at United Utilities: "We have been using the Cloud Security Alliance Star Framework Level 1 (CAIQ) to do our supplier management via spreadsheets. While this worked well for us, and increased our maturity, we found it was really time consuming to go through a lot of questions on an individual basis."
In practice, as the former Information Security Risk Assistant Manager at United Utilities attests to, this meant that: “On average it would take about a week, maybe more, to review a CAIQ assessment, because it was so heavy on excel, there was no automation or colour scales built in.”
Another issue was that “previously it was very difficult to see whether suppliers answered them wrong [questions in CAIQ], because there was no automation that would allow you to see whether they are compliant or not. It was a fully manual process. You had to review every single question in detail.”
This manual process did not only put a huge strain on United Utilities’ own security team, however. It also imposed a great burden on its suppliers, which had to go through hundreds of different questionnaires from different clients all the time.
United Utilities’ goals for upgrading its TPRM programme
Jon Wyatt, Chief Security Officer at United Utilities, and his team therefore set out to explore what viable options existed to take their third party risk management efforts to the next level. Their search was guided first and foremost by the need for a more automated solution that would simplify and speed up its TPRM programme. Its necessity to stay compliant with the Network and Information Systems Directive (NIS-D) was another crucial goal. United Utilities’ former Information Security Risk Assistant Manager highlights that:
NIS-D is a requirement for all companies that work with essential services. So it’s really important that we are able to show that we have assured them [their suppliers].
Another goal was to gain the ability to continuously monitor its suppliers’ security posture. In the words of its Cyber Security Technical Assurance Manager, the old process United Utilities used “was a point-in-time assessment, and we wanted to do a more continuous assessment.” The problem with traditional TPRM approaches such as spreadsheets is that it makes continuous monitoring almost impossible. At best, frequent, and equally painful manual reviews, would have to be conducted.
The former Information Security Risk Assistant Manager recalled how United Utilities first heard of Risk Ledger: "We have regular meetings with the security specialists within the water industry and it was mentioned that one of the other companies was already using Risk Ledger. They made the suggestion that maybe more of the industry use the same tool to drive the water industry to be more compliant as a whole and have better supply chain security, because we generally do use the same suppliers to deliver our services."
With the water industry thus having a range of shared suppliers, it makes a great deal of sense for companies not already doing so to also use Risk Ledger, as the majority of their suppliers already have security profiles on the platform which have already been assessed by their peers.
When asked what a contributing factor was during the sales process that made United Utilities choose Risk Ledger, United Utilities’ Cyber Security Technical Assurance Manager stressed that:
It was because other water companies were using you as well, and for all our industry to move all of our suppliers on the same platform, and getting these synergies, made a lot of sense.
Appreciating Risk Ledger
When United Utilities started using Risk Ledger, they quickly realised significant time and efficiency gains, reducing the amount of time spent on reviewing security assessments, improving engagement with their suppliers and further improving their reporting and compliance activities.
Compliance with NIS-D
Being able to demonstrate compliance with the Network and Information Systems Directive (NIS-D) was a crucial driver in exploring more automated TPRM solutions.
Adopting Risk Ledger allowed United Utilities to quickly and easily demonstrate to regulators that they are compliant with the Directive. The ability to categorise suppliers using tags and policies, search and look into specific risks and other criteria such as criticality ratings, has enabled United Utilities to generate more tailored reports.
United Utilities’ former Information Security Risk Assistant Manager noted: “We got a high level risk compliance score for each supplier, which is good because the regulation [NIS-D] requires providers of essential services to have a strong understanding of their supply chain risks”
Automating United Utilities’ TPRM programme
Moving from the CAIQ to Risk Ledger has also saved United Utilities significant time when reviewing responses or onboarding suppliers, and has given it a way to centralise its supplier assurance activities and data in one place. The time required to review supplier responses in particular has been significantly reduced.
Risk Ledger also saved United Utilities time reviewing new suppliers that were already on the platform, and improved the process for its suppliers. As United Utilities’ former Information Security Risk Assistant Manager explains:
When still using the CAIQ, suppliers were required to complete it regardless of whether they had previously completed it for another water company. With Risk Ledger, if a supplier has worked with another company on the network, we can gain access to their already completed questionnaire promptly. This also means that our suppliers no longer have to complete multiple questionnaires, and it saves us time waiting for their responses.
With Risk Ledger, United Utilities’ Cyber Security Technical Assurance Manager stresses, “we can now easily dive into the risk areas. Even though the team still reviews every single question just in case they answered it wrong, it’s still much faster. We can easily pinpoint the areas that are at risk and focus on these”.
The former Information Security Risk Assistant Manager adds that:
“Another good thing is that whereas in the past with CAIQ, if we approved somebody, there was no centralised database where we could go and say, right, that supplier has been approved by someone, and this is their compliance score.”
Setting flexible policies
Using Risk Ledger has also improved how United Utilities is able to report risk and compliance in its supply chain to its board and across the organisation. As the former Information Security Risk Assistant Manager points out: “Since we signed up for Risk Ledger, we have included supply chain compliance within our security scorecards. Including this information allows our board and risk groups to quickly assess any risks within our supply chain and to take appropriate action should a supplier not be meeting our security requirements.”
Speaking about other features and useful functionalities on Risk Ledger, United Utilities’ Cyber Security Technical Assurance Manager remarked:
I like the fact that the platform is searchable and that information is easy to retrieve. For me, it's also the individual policies that we can apply to our services, and they are so flexible for us. That is probably the key feature. It's about the fact that policies are specific to what we need them to be, and it's easy. The tagging, the labelling and the meta information is also really good.
Better engagement with suppliers
Last but not least, using Risk Ledger has improved United Utilities’ engagement and relationship with many of its suppliers. United Utilities’ Cyber Security Technical Assurance Manager highlighted that with the old manual process, “there were quite a few companies [suppliers] that refused to do a spreadsheet”.
Risk Ledger was specifically created to support better client-supplier engagement and to enhance collaboration, and it does so not least by significantly reducing the burden imposed on suppliers as a result of traditional TPRM approaches. With Risk Ledger, suppliers only have to do one assessment, and then keep this assessment up to date. They can share this assessment with all their clients, significantly reducing the time they have to spend on client assurance requests.
The standardised assessment framework created by Risk Ledger with the help of experts from the National Cyber Security Centre also has another benefit. According to United Utilities’ Cyber Security Technical Assurance Manager:
It makes our conversations with everybody a lot easier. Your assessment framework allows us to argue this is the standard how you do supply chain risk management. This is across the enterprise, not just cloud security. So it allows us to argue this is not us doing this. This is how it should be done.
…the future
Based on its positive experience with Risk Ledger to date, United Utilities now plans to increase the scope of its supplier assurance programme and to fully integrate Risk Ledger directly into its tender management process. As United Utilities’ former Information Security Risk Assistant Manager points out: “The reason we want all our tenders to go through Risk Ledger is because once a supplier goes through a tender, then they be required to go through our assurance process in any case, so we thought by initially putting them through the process, it would save time for them and for us reviewing them.”
United Utilities also plans to broaden its user base, including members of its procurement team as well as its environmental team, which deals specifically with ESG-related compliance requirements, as set by the industry regulator OFWAT, and which is one of Risk Ledger’s security domains that it assures suppliers against.
