Risk Assessments

  • 1.  Labeling or categorizing remediation plans?

    This message was posted by a user wishing to remain anonymous
    Posted 07-06-2022 04:19 PM

    Hello Community!

    Have any other firms explored categorizing or assigning labels/groupings to types of remediation plans? Today we leverage (Control, Policy, and Management Action) and are not receiving many benefits or driving action. 

    Curious if others have gone down this path with any success?



  • 2.  RE: Labeling or categorizing remediation plans?

    Posted 07-13-2022 08:22 AM

    In reading your question, I have a few thoughts regarding how you group and manage your remediation plans. It may not be how you are grouping them but how they are being communicated, tracked, and reported. First, regarding controls, it might be more effective to include these on your open issues list or report. Most organizations are reviewing and acting on open issues on a pretty regular basis.

    As for Management Actions, I would include this list as a regular item in your risk committee reports and the quarterly board report if you have one.

    As for your policy, you are probably updating it annually. In this case (as for most things), people tend not to pay attention or act on something until they have a set timeframe or due date. So about 60 days out from the formal policy review, publish the list of all policy remediation to the appropriate stakeholders and ask for feedback.

    Hopefully, sharing your remediation plans where and when they will be most effective will help. Still, I would like to hear from other members.