According to the Certified Third Party Risk Professional (CTPRP) Job Guide, one of the key tasks of a third party risk professional is to "manage the corrective action process for identified issues and ensure timely resolution" (p. 10). This task involves the following steps, in order:
1. Document the findings and recommendations from the assessment and communicate them to the appropriate stakeholders.
2. Review the findings and recommendations with the line of business (LOB) and obtain its decision to accept or reject each risk.
3. If the LOB accepts the risk, document the rationale and the approval in the risk register.
4. If the LOB rejects the risk, work with the vendor to develop a remediation plan that addresses the root cause and mitigates the risk.
5. Monitor the progress and completion of the remediation plan and verify the effectiveness of the corrective actions (evidence of closure, not just the vendor's statement that the issue is fixed).
6. Update the risk register and the vendor profile with the results of the remediation.
Therefore, the statement that best represents the roles and responsibilities for managing corrective actions is C, because it reflects the requirement to review the findings, and the need for remediation, with the LOB for a risk acceptance decision before the remediation plan is shared with the vendor. This ordering ensures that the LOB is aware of the risks and their impact and has formally owned the decision, and that the vendor is then committed to resolving the issues in a timely and satisfactory manner.
References:
CTPRP Job Guide, Shared Assessments, 2020.
Best Practices Guidance for Third Party Risk, Global Association of Risk Professionals (GARP), 2019.
Simple Guide for Corrective and Preventative Action (CAPA), Qualcy eQMS, 2020.
The Three Key Parts of an EHS Corrective Action Plan, EHS Daily Advisor, 2021.