Manage vendor risk assessment issues and remediation

Issues and tasks are created on-demand before the assessment is closed, usually during the Generating Observations state. The vendor risk analyst and the vendor work together to achieve closure on non-compliance.

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk exposure. Accepting an issue marks an intention to create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.