Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?
A.
The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan
B.
The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately
C.
The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor
D.
The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report
According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, risk based decisioning is the process of applying risk criteria to prioritize and address the gaps identified during a third-party risk assessment1. The assessor should analyze the gaps based on the impact, likelihood, and urgency of the risk, and document the findings and recommendations in a report. The assessor should also review the existing or proposed compensating controls that could mitigate the risk, and submit the report to the business owner for approval of the risk treatment plan. The risk treatment plan could include accepting, transferring, avoiding, or reducing the risk, depending on the risk appetite and tolerance of the organization1.
The other statements do not reflect the best use of risk based decisioning, as they either ignore the risk analysis and documentation process, or apply a uniform or arbitrary approach to prioritizing and addressing the gaps. The assessor should not decide or conclude on the risk treatment plan without consulting the business owner, as the business owner is ultimately responsible for the third-party relationship and the risk management decisions1. The assessor should also not communicate that the gaps would not be included in the report if they were corrected immediately, as this could compromise the integrity and transparency of the assessment process and the report2.
References:
1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, pages 29-30, 33-34
2: Third-Party Risk Management: Final Interagency Guidance, page 10
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit