Hi,
Severity should be the primary label applied to every issue in order to prioritize it against other issues, as well as to set and establish goals for remediation timing and resource allocation. As you stated, there may be severity metrics of Severe, High, Moderate, and Low. While every organization will need to adjust its tolerances, it is best to establish a simple matrix similar to the one below:
| Severity | Remediation Target | Indicators (any can be true) | Examples |
|---|---|---|---|
| Severe | <24 hours | Critical vendor interruptions; potential for customer impact; potential for operational impact; potential for data loss | Any vendor who has had or caused security breaches or data loss; critical vendor service/system interruption reported; termination: you haven't received the formal certificate of destruction (COD) from a vendor that was hosting data |
| High | Up to 1 week | Non-critical vendor interruptions; due diligence findings for critical vendors | Via due diligence: critical vendor has disaster recovery findings/failures/delayed remediation |
| Moderate | Up to 30 days | Due diligence findings for all non-critical vendors; risk monitoring signals for any vendor | Deterioration in your vendor's financial condition; performance has been degrading over several cycles and/or contractual obligations are not being met |
| Low | 60-90 days | Non-critical vendors only; no potential for customer impact; no potential for operational impact; no potential for data loss | Low-risk vendor: contractual execution delay |
I hope this is helpful. I'd be interested to learn what metrics other community members use.