Due Diligence and Ongoing Monitoring

  • 1. Issue Management

    This message was posted by a user wishing to remain anonymous
    Posted 12-12-2023 03:05 PM

    Hello,

    How do you define/determine the severity metrics of the issues in third-party risk management? For example, what is the difference between a High severity issue and a Moderate severity issue? Any examples?

    Thanks



  • 2. RE: Issue Management

    Posted 12-18-2023 01:18 PM

    Hi,

    Severity should be the primary label applied to every issue in order to prioritize it against other issues, as well as to set goals for remediation timing and resource allocation. As you stated, there may be severity metrics of Severe, High, Moderate, and Low. While every organization will need to adjust its tolerances, it is best to establish a simple matrix similar to the one below:

    Severity: Severe
    Remediation target: <24 hours
    Indicators (any can be true):
      1. Critical vendor interruptions
      2. Potential for customer impact
      3. Potential for operational impact
      4. Potential for data loss
    Examples:
      • Any vendor who has had or caused security breaches or data loss
      • Critical vendor service/system interruption reported
      • Termination – You haven't received the formal certificate of destruction (COD) from a vendor that was hosting data

    Severity: High
    Remediation target: Up to 1 week
    Indicators (any can be true):
      1. Non-critical vendor interruptions
      2. Due diligence findings for critical vendors
    Examples:
      • Via due diligence – Critical vendor has disaster recovery findings/failures/delayed remediation

    Severity: Moderate
    Remediation target: Up to 30 days
    Indicators (any can be true):
      1. Due diligence findings for all non-critical vendors
      2. Risk monitoring signals for any vendor
    Examples:
      • Deterioration in your vendor's financial condition
      • Performance has been degrading over several cycles and/or contractual obligations are not being met

    Severity: Low
    Remediation target: 60-90 days
    Indicators (any can be true):
      1. Non-critical vendors only
      2. No potential for customer impact
      3. No potential for operational impact
      4. No potential for data loss
    Examples:
      • Low-risk vendor – contractual execution delay


    I hope this is helpful. I'd be interested to learn the metrics other community members use.




  • 3. RE: Issue Management

    This message was posted by a user wishing to remain anonymous
    Posted 12-18-2023 01:46 PM

    Hi Graig,

    Thank you so much for your explanation and example.