Frequently asked questions

Traditional supply chain security relies on Third Party Risk Management (TPRM) processes, including questionnaires, periodic assessments, and risk scoring. Active Supply Chain Security (ASCS) moves beyond traditional TPRM's static, siloed, compliance-focused approach to deliver standardised assessments, continuous network visibility, proactive threat management, and collaborative defence across the entire supply chain ecosystem.

Active Supply Chain Security delivers systemic risk reduction and enhances resilience across your whole software supply chain by providing: 

‍

• Standardised supplier security assessments at scale. 
• Full visibility of your entire software supply chain, including nth party connections. 
• Continuous monitoring and real-time insights on concentration risks, nth-party dependencies and emerging threats. 
• Collective defence with security teams and software suppliers working together.

Yes - Active Supply Chain Security builds resilience against AI-powered attacks in your supply chain. ASCS provides AI governance controls as part of the standardised supplier assessment framework (see Risk Ledger’s AI domains here). ASCS also gives you continuous visibility over nth party vulnerabilities, enables intelligence sharing with ecosystem partners and provides real-time insights to help you limit the cascading impacts of AI-powered breaches.

The best active supply chain security systems include these four key features in one centralised platform: 

‍

• Standardised supplier security assessments aligned to relevant and up-to-date regulations. 
• A living supply chain map of your interconnected nth-party relationships.
• Continuous monitoring and real-time alerts on concentration risks, nth-party dependencies and emerging threats. 
• Seamless collaboration and intelligence sharing capabilities between security teams and suppliers.

Yes - traditional third-party risk management (TPRM) is not designed for today’s interconnected supply chains. TPRM was created for a simpler world where suppliers were treated as isolated entities, risk was assessed periodically, and compliance was the primary objective. 

ASCS is built for today’s interconnected reality. Its unified network-first approach reveals hidden concentration risks, provides nth-party visibility, and enables collaborative defence across your entire supply chain - because in modern supply chain security, every link matters.

Yes - ASCS enables you to see supply chains as they truly exist. With thousands of organisations mapped on a living network, you get a full picture of your nth tier connections at a glance and can uncover hidden dependencies deep in your supply chain, track changing supplier relationships, identify concentration risks and spot emerging threats in real-time.

TPRM software was built for a simpler world. Its static approach, limited visibility, and lack of collaboration are not just operational gaps, but fundamental flaws. In particular: 

‍

• TPRM’s point-in-time assessments can’t keep up with real-time threats.
• TPRM’s endless questionnaires waste time and generate incomparable data.
• TPRM’s check-box compliance drains resources without reducing risk.
• TPRM’s limited visibility does not reveal concentration risks or deep supply chain threats. 
• TPRM’s model prioritises self-protection over network resilience.

Yes - the new Active Supply Chain Security framework has four key pillars. 

‍

1. Standardisation at scale - Share one supplier profile across many clients, creating a common language of risk and eliminating duplicated effort.
2. Network-first visibility - See your supply chain as a living network of interconnected relationships, not a static list.
3. Continuous monitoring & insights - Identify concentration risks, nth-party dependencies, and emerging threats in real-time.
4. Collective defence - Enable security teams and suppliers to share intelligence, respond as one ecosystem and build network-wide resilience.

By standardising supplier data, connecting thousands of organisations onto a living network, and overlaying proactive threat intelligence, Risk Ledger’s four-stage approach is transforming fragmented TPRM into ASCS. Risk Ledger’s ASCS platform provides: 

‍

1. Standardised assessment frameworks across all suppliers in your ecosystem.
2. Supply chain visualisation with thousands of organisations mapped onto a living network. 
3. Early warning signals on new vulnerabilities and emerging threats. 
4. Seamless collaboration and intelligence-sharing with the wider ecosystem.

The result? With Risk Ledger, you can Defend-as-One.

Active Supply Chain Security (ASCS) is not a third-party risk management (TPRM) upgrade, but a fundamentally different approach to supply chain security. While ASCS uses a TPRM engine as its base, an ASCS-optimised platform is needed to provide:

‍

• Standardisation at scale
• Network-first visibility
• Continuous monitoring & insights
• Collective defence

One weak link in the supply chain can bring downstream production to a grinding halt. For example, the 2025 Jaguar Land Rover breach stopped production for five weeks, affecting 5000 businesses across the supply chain. ASCS prevents costly operational downtime by enhancing protection for every link in the supply chain with real-time detection of emerging threats, proactive threat management and rapid incident response across the network.

Each of the four pillars of ASCS minimises wasted effort and maximises supply chain resilience, delivering key benefits to security leaders, security analysts and suppliers. 

‍

• Security leaders - Get live visibility of systemic risks and confidently report to boards and regulators. 
• Security analysts - Free up your time from chasing supplier assessments and reviewing incomparable data to focus on actual risks.
• Suppliers - Share one security profile with every client, transforming assurance from a deal blocker to sales enabler.

As ASCS relies on organisations and suppliers proactively working together, the main risk of ASCS is low supplier adoption and engagement. At Risk Ledger, we encourage supplier adoption with free value: free supplier profile to share, free scanning data and free access to an extensive knowledge base to learn about security controls. We’re also constantly improving the supplier experience - from onboarding to use - and offer tailored advice to supplier teams to boost engagement. That’s why 15,000+ suppliers actively use the platform (as of March 2026).

ASCS builds resilience across the entire supply chain by improving third party risk data and intelligence sharing within the ecosystem. 

Standardised assessment frameworks aligned to regulations create a common language of risk and provide audit-ready evidence for boards and regulators. Continuous updates to security profiles and network monitoring provides real-time intelligence on supply chain risks. Proactive threat detection and seamless supplier collaboration enables you to remediate vulnerabilities early and share information on security incidents, alerts and risks.

Today’s corporate supply chains are no longer simple lists of vendors — they’re sprawling, complex, interconnected webs that have become the biggest attack surface in cybersecurity (85% of UK cyber security professionals experienced a supply chain cyber security incident in 2025). Modern supply chain attackers target obscure nth-parties and the disruptions cascade through the supplier ecosystem. E.g. The Log4j cyber incident cascaded through 60% of corporate networks with 800,000 attacks in 72 hours.

ASCS reduces third party risk by transforming TPRM from a siloed, reactive function into a proactive cyber defence discipline. The four key pillars of ASCS reduce third party risk:

‍

• Standardising security assessments makes it easier and faster for suppliers to complete and regularly update their security profile, improving the reliability of security info.
• Visualising the supplier network enables you to spot concentration and nth party risks. 
• Continuously identifying threats underpins proactive mitigation of third party risk. 
• Collectively defending the ecosystem builds resilience across all network partners.

Yes - ASCS’s standardised assessment framework includes controls on AI governance, so organisations can ensure their third party suppliers have resilient AI security postures. For example, Risk Ledger’ ASCS-focused platform includes 15 AI domain controls, which check if suppliers’ use of AI data, models and services.

Security reviews no longer kill your deal momentum, but help you close faster. Instead of answering the same security questions for every client, suppliers complete one profile and share it with all customers. 

With ASCS, you'll also foster greater trust and collaboration with your clients. Combine your assessment outcomes from multiple clients, learn where your vulnerabilities lie and proactively work with clients to remediate them, demonstrating security leadership and building trust along the way.

Yes - ASCS is the only supply chain security approach that delivers continuous visibility, proactive threat management, and collaborative defence across the entire supply chain ecosystem. Instead of compliance box-ticking, security leaders and risk management teams need ASCS to proactively reduce third-party risk, protect their ecosystem and strengthen industry-wide resilience.

Most supply chain security vendors offer platforms based on outdated third-party risk management (TPRM) processes. Risk Ledger’s platform is optimised for Active Supply Chain Security (ASCS). By standardising supplier data, connecting thousands of organisations onto a living network, and overlaying proactive threat intelligence, Risk Ledger’s four-stage approach delivers:

‍

1. Standardised Assessment Frameworks
2. Supply Chain Visualisation
3. Proactive Threat Management 
4. Defend-as-One capability 

‍

That’s how Risk Ledger enhances supply chain security for 16,000+ organisations.

Yes - Risk Ledger maps supply chain dependencies as they truly exist, uncovering hidden nth-party relationships and pinpointing concentration risks. With full visibility of your changing nth tier connections, you can proactively take action to avoid cascading failures before they happen.

Risk Ledger maps thousands of organisations on one ever-growing network. This gives you the full picture of your nth tier connections and a bird's-eye view of your entire network’s concentration risks. For instance, Schroders Personal Wealth achieved 95% visibility of its 200-strong supplier network with Risk Ledger.

Delivering true Active Supply Chain Security (ASCS) involves four key stages:

‍

• Standardising security assessments - Creates a common language of risk that speeds up information sharing, improves the quality of security data, simplifies compliance and reduces duplicated effort.
• Visualising the supplier network - Maps supply chains, uncovers hidden nth-party relationships and highlights concentration risks. 
• Continuously identifying threats - Pinpoints new vulnerabilities, emerging threats and real-time attacks. 
• Collectively defending the ecosystem - Enables intelligence-sharing, optimises resources, and enhances security for every organisation in the industry.

Each pillar of Active Supply Chain Security (ASCS) limits the cyber risk of onboarding new vendors and working with existing vendors. 

‍

• Standardisation → Clarity and efficiency on vendor cyber risk profiles at scale.
• Network-first visibility → Live visibility of nth-party dependencies and vendor concentration risks.
• Continuous monitoring → Real-time threat identification and mitigation of vendor cyber risks. 

Collective defence → Vendors and organisations proactively addressing threats together as a community.

No - traditional third-party risk management (TPRM) relies on periodic, point-in-time assessments, which leaves your organisation blind to changes in supplier’s risk profiles, so you only discover a weakness after it has been exploited. 

Only Active Supply Chain Security (ASCS) provides live network visibility, continuous monitoring and real-time alerts of emerging threats, enabling proactive threat management across the supply chain ecosystem.

Instead of completing unique questionnaires for every client, suppliers create one standardised profile and share it across the entire network. As a supplier, you should also:

‍

• Update your security profile whenever your security posture changes.
• Add critical suppliers to your security profile to give clients more visibility into their supply chains.
• Share your profile proactively with prospects.
• Respond to discussions and remediation requests directly with client security teams.
• Respond quickly when incidents occur to let clients know if you're impacted and to what extent.

The more suppliers on the network, the more secure the supply chain. With ASCS, suppliers complete, maintain and share one security profile, so the whole supply chain benefits from knowing their up-to-date security posture. These profiles are also aligned to regulations, improving industry-wide compliance. 

‍

In addition, suppliers should follow ASCS best practices, including: 

‍

• Updating your profile whenever your security posture changes.
• Identifying weak points in your security posture with free external monitoring scans.
• Communicating directly with clients by responding to discussions and remediation requests.

The very act of joining an ASCS platform, creating a profile and collaborating with other organisations in the network helps to reduce third party risk. But suppliers can also follow best practices to enhance network-wide security and give a clearer picture of the entire supply chain, including: 

• Adding as much information as they can to their profile (i.e. product level answers and information on critical third parties)
• Updating profiles regularly if there are changes to a control or certification.
• Responding to emerging threats quickly with as much detail as possible.

First, get started with a free ASCS platform, such as Risk Ledger. 

‍

With Risk Ledger, you get started in just three steps: 

‍

1. Create a free Risk Ledger supplier profile
2. Complete a short security questionnaire (approx. 20 mins)
3. Respond to any follow-up questions from your client’s security team

‍

You then create one security profile and share it with all your existing partners on the platform.