We see compliance as a journey. Vulnerabilities can appear at any time and from multiple sources, e.g. internal teams, partners, and software providers. Managing risk in Open Source Software should be a continuous process, not a one-off audit/remediate exercise. Communicating with key stakeholders on a regular basis is imperative for a sound software supply chain strategy. Policies should be kept updated in line with your organisation's governance policies, legislation, and market changes.