ScotRail wanted to significantly upgrade their third-party risk management (TPRM) programme, which was largely a manual process.
The main aims of ScotRail when looking for a new solution included:
The key benefits ScotRail has derived from adopting Risk Ledger:
One of the key wins for ScotRail after adopting Risk Ledger was time savings. Their supplier onboarding process is now quicker with the introduction of centralised supplier risk management through the Risk Ledger tool. ScotRail now finds assessing their existing suppliers much easier thanks to Risk Ledger's intuitive platform.
"I think it definitely helped improve the supplier assessment process..."
-Kathleen Gay, Procurement & Contracts Business Partner, ScotRail
ScotRail has also started to explore how to use Risk Ledger directly in their tender process, leveraging Risk Ledger's labelling and policy features to draw up specific parameters to make the process more streamlined.
"We found that using Risk Ledger is spreading security awareness across the business, and we have gained a lot more knowledge about what sort of technical controls are appropriate."
-Mandi Turner, Information Governance Manager, ScotRail
ScotRail's communications with their suppliers have become significantly easier since they started using Risk Ledger. Risk Ledger's social network model means clients and their suppliers both use the same platform, where they are encouraged to work closely together and can communicate directly.
"Being able to speak to suppliers directly on the platform about a specific control or question has saved me time I would normally spend going back and forth by email."
-Judith King, Information Security Manager, ScotRail
Risk Ledger also facilitates better communication within organisations, as different departments can all work together on assessing a supplier on the same platform.
"In terms of cyber security, we are definitely getting more granular information from our suppliers."
-Judith King, Information Security Manager, ScotRail
Risk Ledger's leading standardised risk assessment framework maps against all major international security standards, including ISO27001, NIST CSF, NCSC CAF, Cyber Essentials, and others. It is updated every 6 months to keep abreast of new regulatory requirements. This provides ScotRail with a single source of truth for benchmarking and producing meaningful risk scores.
"Risk Ledger gives us an even playing field, and we are able to compare things equally across our supply chain."
-Mandi Turner, Information Governance Manager, ScotRail
Although Risk Ledger's framework is standardised, organisations retain flexibility over which security controls to exclude from their reviews through the use of flexible policies.
"Having the ability to selectively mark individual responses as exempt, or request further information is very useful."
-Mandi Turner, Information Governance Manager, ScotRail
Risk Ledger uses its emerging threats feature to quickly notify all 5500+ organisations on its platform when a new supply chain attack, such as Log4J or MOVEit Transfer, emerges. Suppliers are asked whether they are affected and about the current status of their response. Connected clients can then view this data and the responses, visualise how their supply chains might be impacted, and collaborate with any affected parties directly on the platform to remediate any problems.
"I would highlight the use of the emerging threats tab. For example when the Log4J incident happened, it was much simpler to understand our supply chain's position and response."
-Judith King, Information Security Manager, ScotRail