Calculating Supplier Compliance
Client Supplier Compliance
Written by Frederico Mazzone
Created on April 16, 2020
Modified on November 24, 2020

Clients and Suppliers

Each organisation on Risk Ledger can be a Client, Supplier, or both.

Clients use Risk Ledger to run their security assurance programmes and evaluate their Suppliers.

Suppliers complete an assessment once on Risk Ledger for all their Clients to review.

For best results, organisations use Risk Ledger as a Client and Supplier, to simultaneously manage their Suppliers’ security and manage their own security for their Clients.

Supplier Assessment

Every Supplier completes their Assessment, which is based on Risk Ledger’s Supplier Assessment Framework; it consists of many Controls which altogether evaluate the security posture of a Supplier. The Controls are themselves organised under related Domains.

Each Control asks a specific question about the Supplier’s security and requires a certain answer in order for the Supplier to be compliant with that Control. The Supplier can also attach files and comments to elaborate on their Answer and provide evidence.

Each Supplier completes their Assessment only once for all their Clients to review. This results in a single place for Suppliers to manage their security instead of completing and sending many questionnaires to many Clients, saving both sides a lot of time.

Client Policies

Clients can often have thousands of Suppliers, so it’s important to group them in order to run security assurance efficiently. The Client applies Tags to each of their Suppliers to determine 3 properties of each Supplier:

  • Criticality: how critical the Supplier is to the running of the Client’s business
  • Confidentiality: how sensitive the Client’s information is which the Supplier holds or has access to
  • PII: whether the Supplier holds any Personally-Identifiable Information of the Client

Clients can then create their own Policies. Each Policy specifies which Controls that Policy will require the affected Suppliers to comply with, along with any specific number or date associated with that Control’s requirement. The Suppliers that are affected are determined by the Tags that the Policy specifies.

Each Policy applies to certain Tags, and is therefore applied to every Supplier which falls under any of those Tags.

Compliance

Compliance is calculated between each Client-Supplier connection, meaning a Supplier could comply with some of its Clients’ Policies while not complying with other Clients. Each Control’s Compliance is calculated individually and also aggregated for an overall Compliance, so it’s common that Suppliers will have only partial Compliance to all their Clients’ Policies.

In the example below, the compliance of Button Corp (the Supplier) is being calculated against the policies of Acme Inc (their Client). Some Controls are compliant, whereas others aren’t, and they add up to a final Compliance score.

The Compliance of a Control between a Client and Supplier can also be affected by a Modification that the Client can apply, enabling Clients to have fine-grained control over the compliance of individual Suppliers.

There are two kinds of Modifications:

  • Exemption: The Client acknowledges that the Supplier is non-compliant with one (or more) of the Client’s Policies, but the Exemption overrides that calculation and states that the Supplier is compliant with the Control.
  • Non-Compliance: The opposite situation of the Exemption; the Client acknowledges that the Supplier is compliant with all the Client’s Policies, but the Non-Compliance Modification overrides that calculation and states that the Supplier is actually not compliant with the Control.

The example below expands on the scenario above; Acme Inc (the Client) has now applied two Non-Compliances and one Exemption, affecting the Compliance of Button Corp (the Supplier) against Acme Inc’s Policy.

A Client may have multiple Policies being applied to a Supplier; in such a case, if multiple Policies require a certain Control then the Supplier must comply with all the Control’s requirements from all Policies being applied to them. In other words, the Supplier must comply with the strictest requirement specified by the Policies in order to be compliant on that Control.
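The following is an added worked example, not Risk Ledger’s own code, that models the calculation described in the sections above: Policies selected by Tags, the strictest requirement per Control when several Policies apply, the Client’s Exemption and Non-Compliance Modifications, and an overall score. The organisations, Control IDs, Tags, Answers and Policy contents are constructed for illustration, and the overall score is assumed to be the fraction of required Controls that are compliant, since the page does not state the aggregation formula.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Union

# Constructed illustration of the Compliance calculation. Control IDs, Policy
# names, Tags and organisations (Acme Inc, Button Corp) are assumptions chosen
# for this example; they are not Risk Ledger data or Risk Ledger's own code.

Value = Union[bool, int, date]


@dataclass
class Control:
    id: str
    domain: str
    # "bool": the Answer must be True; "min": the Answer must be >= a number;
    # "after": the Answer (a date) must be on or after a date.
    kind: str


@dataclass
class Requirement:
    control_id: str
    value: Value  # True, a minimum number, or an earliest acceptable date


@dataclass
class Policy:
    name: str
    tags: Set[str]  # the Policy applies to any Supplier carrying any of these Tags
    requirements: List[Requirement]


CONTROLS: Dict[str, Control] = {
    "IAM-01": Control("IAM-01", "Identity & Access", "bool"),  # MFA enforced for staff?
    "IAM-02": Control("IAM-02", "Identity & Access", "min"),   # minimum password length
    "SEC-01": Control("SEC-01", "Security Testing", "after"),  # date of last penetration test
    "DAT-01": Control("DAT-01", "Data Protection", "bool"),    # client data encrypted at rest?
}


def applicable_policies(policies: List[Policy], supplier_tags: Set[str]) -> List[Policy]:
    """A Policy applies when the Supplier falls under any of the Policy's Tags."""
    return [p for p in policies if p.tags & supplier_tags]


def strictest_requirements(policies: List[Policy]) -> Dict[str, Value]:
    """Merge the requirements of all applicable Policies, keeping the strictest per Control."""
    merged: Dict[str, Value] = {}
    for policy in policies:
        for req in policy.requirements:
            if req.control_id not in merged:
                merged[req.control_id] = req.value
            elif CONTROLS[req.control_id].kind == "bool":
                merged[req.control_id] = merged[req.control_id] or req.value
            else:
                # For "min" a larger number is stricter; for "after" a later date is stricter.
                merged[req.control_id] = max(merged[req.control_id], req.value)
    return merged


def calculated_compliance(control: Control, required: Value, answer: Optional[Value]) -> bool:
    """Compliance calculated purely from the Supplier's Answer, before any Modification."""
    if answer is None:  # assumption: an unanswered Control is non-compliant
        return False
    if control.kind == "bool":
        return bool(answer) or not required
    return answer >= required  # int against int, or date against date


def control_compliance(control: Control, required: Value, answer: Optional[Value],
                       modification: Optional[str]) -> bool:
    """Apply the Client's Modification, if any, on top of the calculated result."""
    if modification == "exemption":       # Client overrides a non-compliant result to compliant
        return True
    if modification == "non_compliance":  # Client overrides a compliant result to non-compliant
        return False
    return calculated_compliance(control, required, answer)


def calculate_compliance(policies: List[Policy], supplier_tags: Set[str],
                         answers: Dict[str, Value], modifications: Dict[str, str]):
    """Per-Control results and an overall score for one Client-Supplier connection.

    The overall score is assumed here to be the fraction of required Controls that
    are compliant; Controls no applicable Policy requires are not counted at all.
    """
    effective = strictest_requirements(applicable_policies(policies, supplier_tags))
    per_control = {
        cid: control_compliance(CONTROLS[cid], required, answers.get(cid), modifications.get(cid))
        for cid, required in effective.items()
    }
    score = sum(per_control.values()) / len(per_control) if per_control else 1.0
    return per_control, score


# Acme Inc (the Client) has two Policies; both apply to Button Corp below.
ACME_POLICIES = [
    Policy("Baseline", {"criticality:low", "criticality:medium", "criticality:high"}, [
        Requirement("IAM-01", True),
        Requirement("IAM-02", 8),
        Requirement("SEC-01", date(2019, 1, 1)),
    ]),
    Policy("High criticality / PII", {"criticality:high", "pii:yes"}, [
        Requirement("IAM-02", 12),                # stricter than Baseline's 8
        Requirement("SEC-01", date(2020, 1, 1)),  # stricter than Baseline's 2019 date
        Requirement("DAT-01", True),
    ]),
]

# Button Corp (the Supplier): Acme's Tags for it, its single Assessment, and Acme's Modifications.
BUTTON_TAGS = {"criticality:high", "confidentiality:high", "pii:yes"}
BUTTON_ANSWERS = {"IAM-01": True, "IAM-02": 10, "SEC-01": date(2020, 3, 1), "DAT-01": False}
ACME_MODIFICATIONS = {"IAM-01": "non_compliance", "DAT-01": "exemption"}

if __name__ == "__main__":
    results, score = calculate_compliance(ACME_POLICIES, BUTTON_TAGS, BUTTON_ANSWERS, ACME_MODIFICATIONS)
    for cid, ok in results.items():
        print(f"{cid}: {'compliant' if ok else 'non-compliant'}")
    print(f"Overall compliance: {score:.0%}")
```

Running it shows the merge and the overrides at work: IAM-02 is judged against the stricter minimum of 12 from the second Policy (so an Answer of 10 fails), DAT-01 is calculated non-compliant but reported compliant because of the Exemption, and IAM-01 is calculated compliant but reported non-compliant because of the Non-Compliance Modification. Passing a different Client’s Policies (and that Client’s own Modifications) to the same function with the same Answers gives that Client’s view of the Supplier, which is what makes Compliance a property of each Client-Supplier connection rather than of the Supplier alone.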

The graph below summarises the entire Compliance calculation process of a specific Answer on a Control, between a Client and a Supplier: