Client FAQs

Is Risk Ledger a secure platform?

Ensuring the security of our platform and its users is central to what we do at Risk Ledger. We maintain strict security and confidentiality controls to ensure that your information remains secure. You can review Risk Ledger's security assessment yourself using the platform! Just request access by emailing support@riskledger.com.

Privacy:

The only data visible to organisations you are not connected with is your company’s name and the country it is registered in to allow connection requests to be sent and accepted.

Security:

• Encryption - All data sent to and from Risk Ledger is encrypted in transit. Our website, application and API are served over TLS/SSL, achieving A+ on Qualys SSL labs. We also encrypt all data at rest with the industry-standard AES-256.
• Cloud Infrastructure - Risk Ledger services and data are hosted within hardened cloud infrastructure, managed using Infrastructure-as-Code processes. We operate over two availability zones, with robust monitoring in place. Amazon Web Services (AWS) is our primary cloud provider.
• Authentication - Risk Ledger enforces strong authentication for both our users and employees, to protect our customers and their data. Multi-Factor Authentication (MFA) is mandatory to access the product and all our internal systems.
• Independent Security Testing - Risk Ledger undergoes regular vulnerability scanning and penetration tests by independent third-parties, testing our security controls against industry standards. In addition, all our employees complete regular information security training.

For further information on our security and privacy policy please visit the below pages:

https://riskledger.com/privacy

https://riskledger.com/terms.pdf

https://riskledger.com/security

Why should we be running a Third-Party Risk Management programme?

Over 60% of organisations have experienced a security breach caused by a third party and managing this risk has become mission critical to organisations in every industry.

Running a third-party risk management (TPRM) programme allows you to identify and understand the risks in your supply chain. Risk Ledger gives you access to real-time information directly from your suppliers in order to help you mitigate these risks and perform continuous due diligence on your suppliers.

Running a third-party risk management programme may be required by your clients or be a regulatory requirement in your industry. E.g. the NIS directive in the EU.

How is Risk Ledger different from other Third-Party Risk Management platforms?

Risk Ledger provides the tools you need to run a comprehensive, security-led, third-party risk management programme against your entire supply chain.

The Risk Ledger platform is the only solution that moves away from point-in-time assessments and provides you with real-time, actionable data collected directly from suppliers - allowing you to continuously identify, measure and actively manage a comprehensive set of third-party risks at scale and for a low, per-supplier cost.

Our unique network model gives you visibility of supply chain risks beyond third parties to fourth, fifth and sixth parties too.

Using Risk Ledger helps you to increase supplier engagement with your third-party risk management programme by making it simple, free and fast for them to engage, respond and improve.

How much does it cost to use Risk Ledger?

We have a tiered pricing model depending on the benefits you want to take advantage of and the size of your supply chain. For full information on our pricing please contact us.

Risk Ledger is free for suppliers, so when you invite an organisation to review they will not need to pay to respond or engage with you in any way.

Will we still get value if our suppliers are not on Risk Ledger already?

Yes. It is not a problem if your suppliers are not already on the platform. On average it takes 10 business days from the time a supplier is invited to having a completed profile - much quicker than a manual process.

You can simply invite your suppliers to the platform using an email address, either individually or in bulk, and we will support the supplier(s) to onboard.

The number of suppliers maintaining a completed assessment on the platform is growing at an exponential rate so you will be able to connect with and review a good proportion of your third parties almost instantaneously.

Why do I need to provide a mobile number to sign up?

As a security focused business, it is really important to us that your organisation and personal details are kept secure when you use the Risk Ledger platform. Multi-factor authentication (MFA) is one of the best ways to do this for any user account. You can read a bit more about why this is important in this article by the National Cyber Security Centre.

Switch to an Authenticator app:

If you prefer not to use a mobile number once signed up, you are able to go to your account "Settings" > "My Account" > "Configure 2FA" and connect your chosen authenticator app to the account. See this article for a list of Authenticator apps.

Supplier FAQs

Why are we asked to complete a risk assessment for our client?

The Risk Ledger assessment gives your clients assurance that your organisation maintains an appropriate level of risk controls in order to protect both yourself, and them, from cyber incidents.

You have been asked to complete an assessment by your client because third-party risk management is:

• the best way to maintain a resilient supply chain;
• a requirement of regulations in your client's industry;
• a requirement of a security or business resilience certification your client holds;
• a policy mandated internally by your client as a condition of doing business with a third party; or
• a combination of the above.

You can read more about the importance of managing supply chain security risks in this article from the National Cyber Security Centre (NCSC).

Do we have to pay to use Risk Ledger?

No, Risk Ledger is free and always will be free for suppliers to join and use the platform to showcase their security regime to clients.

Is Risk Ledger a secure platform?

Ensuring the security of our platform and its users is central to what we do at Risk Ledger. We maintain strict security and confidentiality controls to ensure that your information remains secure. You can review Risk Ledger's security assessment yourself using the platform! Just request access by emailing support@riskledger.com.

Privacy:

We have strict privacy and confidentiality clauses in place in our Terms of Service that ensure that the data uploaded to Risk Ledger remains safe and is not shared with any Third Parties unless your organisation gives explicit permission by granting other organisations access via a connection request.

As an organisation on Risk Ledger, only authorised users on your account can decide to share your assessment with another organisation on the platform and accept connection requests.

The only data visible to other organisations you are not connected with is your company’s name and the country it is registered in to allow connection requests to be sent and accepted.

Security:

• Encryption - All data sent to and from Risk Ledger is encrypted in transit. Our website, application and API are served over TLS/SSL, achieving A+ on Qualys SSL labs. We also encrypt all data at rest with the industry-standard AES-256.
• Cloud Infrastructure - Risk Ledger services and data are hosted within hardened cloud infrastructure, managed using Infrastructure-as-Code processes. We operate over two availability zones, with robust monitoring in place. Amazon Web Services (AWS) is our primary cloud provider.
• Authentication - Risk Ledger enforces strong authentication for both our users and employees, to protect our customers and their data. Multi-Factor Authentication (MFA) is mandatory to access the product and all our internal systems.
• Independent Security Testing - Risk Ledger undergoes regular vulnerability scanning and penetration tests by independent third-parties, testing our security controls against industry standards. In addition, all our employees complete regular information security training.

For further information on our security and privacy policy please visit the below pages:

https://riskledger.com/privacy

https://riskledger.com/terms.pdf

https://riskledger.com/security

Will my Risk Ledger assessment be visible to others on the platform?

Your Risk Ledger assessment is only visible to the organisations you chose to share it with - nobody else. You are in complete control of your profile and data on Risk Ledger.

Organisations on Risk Ledger can request access to your assessment by sending you a connection request on the platform. They will only gain visibility of your assessment if and when an authorised user on your account has accepted the request.

The only data visible to other organisations you are not connected with is your company’s name and the country it is registered in to allow connection requests to be sent and accepted.

We have very strict confidentiality and data protection in place at Risk Ledger. Visit the links below for more information on this:

https://riskledger.com/privacy

https://riskledger.com/terms.pdf

Can I share my Risk Ledger assessment with other clients?

Yes, once you have completed your supplier assessment, you can take advantage of the free tools we have designed to ensure your Risk Ledger assessment is the last one you ever have to complete.

You can share access to your Risk Ledger assessment at the click of a button with any other client who requires you to complete a security risk assessment so you can avoid manual spreadsheets and long email conversations about the assessment.

There are two ways in which you can share your Risk Ledger assessment, even if your client isn't a Risk Ledger user themselves:

• Connection Request - You can send and receive connection requests through the platform. Simply accept connection requests from your clients to grant them access to your assessment.

• Share assessment outside Risk Ledger - You can share your assessment with other organisations outside of Risk Ledger who may ask you to complete a supplier assessment by navigating to the "Share" button at the top of your Assessment page when you are logged in to Risk Ledger. The button will generate a new link to your assessment.

You can also provide a client contact's email address and the platform will send them the new link directly. Only your assessment answers and notes are shared with the link, but not any evidence.

To access your evidence, the client can sign up to Risk Ledger for free and connect with you through the platform.

A link expires in 1 month, but can be invalidated earlier if needed by clicking the bin icon.

What happens to my data if my client no longer uses Risk Ledger?

If your client stops using Risk Ledger or they delete the connection between your organisation and their organisation on the platform, you will no longer have an active connection with them on Risk Ledger. You can see and manage client connections while signed in to your Risk Ledger account in the "Clients" list.

Once a connection is no longer active, we keep an audit log for your client of your Risk Ledger assessment as it was at the point of deletion. This is to allow an audit trail of your client's third-party risk management activities to be maintained.

Only authorised users in your organisation manage your Risk Ledger account and data so your profile on the platform will exist unless you delete your account. As long as your organisation has an account, you can share access to your Risk Ledger assessment for the clients you choose - nobody else.

If a supplier deletes their account, all personal data is removed from Risk Ledger, and clients who were connected with that supplier have visibility of their supplier assessment as it was at the point of deletion for the purpose of an audit trail.

What happens to my data when we are no longer a supplier to a client?

When you are no longer a supplier to a client you or your client can delete your connection on Risk Ledger - just click the "Remove Client" button on the client overview page. Removing a client connection will have no impact on your connection with any other client who you are connected with on Risk Ledger.

Once a connection is deleted, your supplier profile will no longer be visible to that client. We do keep an audit log available for the client of the Risk Ledger assessment as it was at the point of deletion to ensure there is an audit trail.

Who should complete the Risk Ledger assessment on behalf of our organisation?

Clients will invite their main point of contact at your organisation, which tends to be a commercial contact. Once signed up, you are able to add an unlimited number of users to collaborate on completing the assessment. The first person to sign up on behalf of your organisation and users with 'admin' status can invite all relevant colleagues to complete sections of the assessment relevant to their role and expertise. This usually includes colleagues from the information/cyber security, IT and information governance teams.

You can see the full list of controls and domains covered in the Risk Ledger assessment here to guide you on who may need to be added as a user from your organisation to collaborate on the assessment.

Why do I have to sign up and create an account as a supplier?

We have designed the Risk Ledger platform to make it easier and faster to respond to client security due diligence and assurance assessments.

By allowing suppliers to create and manage an account on the platform, Risk Ledger gives you a user friendly way to complete, evidence and maintain a comprehensive security assessment once and then easily share it with any other client who requests information about your security programme - eliminating the need to repeat this task for every client. Read more about how Risk Ledger works for suppliers here.

Once your assessment is completed, the Risk Ledger platform facilitates easy private communication between you and your client(s) about your assessment, eliminating long and confusing email trails while keeping you up to date with the status of your assessment with each client you are connected with on the platform.

Why do I need to provide a mobile number to sign up?

As a security focused business, it is really important to us that your organisation and personal details are kept secure when you use the Risk Ledger platform. Multi-factor authentication (MFA) is one of the best ways to do this for any user account. You can read a bit more about why this is important in this article by the National Cyber Security Centre.

Switch to an Authenticator app:

If you prefer not to use a mobile number once signed up, you are able to go to your account "Settings" > "My Account" > "Configure 2FA" and connect your chosen authenticator app to the account. See this article for a list of Authenticator apps.

We have multiple products/legal entities. Do we need to make multiple profiles for each one?

The Risk Ledger supplier assessment looks at risk controls implemented on an organisational level so a new profile should only be created if the security regime and management of security controls differs substantially between related legal entities or product/service lines. If there are slight differences in the implementation of security risk controls across a portfolio of products/services or between legal entities, this can be recognised in the contextual notes section of your response for the relevant risk controls.

Example - Group organisation with multiple subsidiaries

If an organisation is structured as a Group with multiple subsidiaries, each subsidiary should be able to share the same assessment on Risk Ledger if the Group manages security centrally with a Group CISO and information security resources, reflecting the fact that the security regime and its management should be the same or significantly similar across the Group.

If the subsidiaries have autonomous or semi-autonomous security leadership and independent security regimes, each autonomous subsidiary or cluster of subsidiaries sharing the same security leadership should complete their own assessment on Risk Ledger to reflect their independent security posture.

Example - An organisation has a portfolio of different products and services

If all products and service lines are developed and delivered under the same or a very similar security regime, you should be able to maintain one Risk Ledger supplier assessment to share with clients using any of your products or services. Where there are slight differences in the risk controls and policies implemented in the delivery of different products and services, you can highlight this in the contextual notes of the relevant risk controls or in direct discussions with your clients on the platform.

If your products and services are developed in distinct security environments, you should complete a new supplier assessment on Risk Ledger for each distinct security environment.

If you are unsure on how to proceed, please don't hesitate to get in touch with us directly and we'd be happy to help.

Can I add my colleagues to work on the assessment together?

Yes, you can quickly add users to your account. To add users you will just need the email address of the colleague you would like to add.

To add a user navigate to your account Settings > Users > Add Users

Avoid adding users via shared or group email accounts.

You can provide access to the platform for multiple users by adding each one using a direct email address.

The assessment autosaves so multiple users can collaborate on the assessment at the same time without losing any progress.

What happens if I answer "No" to a question?

The assessment is not in a pass/fail format and your answers will be compared with your clients' security policies . This allows you and your clients to have greater visibility of any gaps and to work collaboratively to remediate them.

Additionally, if you do answer 'No' to a question, you are able to add context to this answer in the notes section.

If one of your clients do require remediation of a security control, they can request this through the platform and you will be notified.

Can we use Risk Ledger to run assurance against our own suppliers?

Yes, Risk Ledger allows you to switch between a Supplier and a Client view, meaning that you can switch between sharing your own assessment and running assurance on your own Suppliers. Get in touch with the team to find out more!