This message was posted by a user wishing to remain anonymous
Thank you so much for your explanation and example.
Original Message:
Sent: 12-18-2023 01:15 PM
From: Graig Cameron
Subject: Issue Management
Hi,
Severity should be the primary label applied to every issue in order to prioritize against other issues, as well as set and establish goals for remediation timing and resource allocation. As you stated, there may be severity metrics of Severe, High, Moderate, Low. While every organization will need to adjust their tolerances, it is best to establish a simple matrix similar to below:
| Severity | Remediation Target | Indicators (any can be true) | Examples |
| --- | --- | --- | --- |
| Severe | <24 hours | Critical vendor interruptions; potential for customer impact; potential for operational impact; potential for data loss | Any vendor who has had or caused security breaches or data loss; critical vendor service/system interruption reported; Termination – you haven't received the formal certificate of destruction (COD) from a vendor that was hosting data |
| High | Up to 1 week | Non-critical vendor interruptions; due diligence findings for critical vendors | Via due diligence – critical vendor has disaster recovery findings/failures/delayed remediation |
| Moderate | Up to 30 days | Due diligence findings for all non-critical vendors; risk monitoring signals for any vendor | Deterioration in your vendor's financial condition; performance has been degrading over several cycles and/or contractual obligations are not being met |
| Low | 60-90 days | Noncritical vendors only; no potential for customer impact; no potential for operational impact; no potential for data loss | Low-risk vendor – contractual execution delay |
I hope this is helpful. I'd be interested to learn other community members' metrics used.
Original Message:
Sent: 12-12-2023 02:49 PM
From: Anonymous Member
Subject: Issue Management
This message was posted by a user wishing to remain anonymous
Hello,
How do you define/determine the severity metrics of the issues in third-party risk management? For example, what is the difference between a High severity issue and a Moderate severity issue? Any examples?
Thanks