Remediation Actions
Remediation actions are tasks created to address risks or gaps identified during vendor risk assessments. They track follow-up work required to reduce vendor risk, such as requesting additional documentation, implementing security controls, or addressing compliance gaps.
Action statuses
Each remediation action has one of four statuses:
Open — Action created but not yet started.
In Progress — Action is currently being worked on.
Completed — Action has been successfully completed. The system automatically sets a completion date.
Cancelled — Action was cancelled and will not be completed.
Priority levels
Remediation actions are classified by priority:
| Priority | Description |
|---|---|
| Critical | Urgent action required, high impact on risk reduction |
| High | Important action, significant risk impact |
| Medium | Standard priority action |
| Low | Lower priority action, can be deferred if needed |
Creating remediation actions
Navigate to the assessment
Open the vendor risk assessment detail page: from the vendor detail page, select the Assessments tab, then click View Details on an assessment.
Open the remediation tab
Click the Remediation Actions tab in the assessment detail page.
Add a new action
Click Add Remediation Action and fill in the form:
| Field | Description |
|---|---|
| Title | Clear, descriptive title (e.g., “Request SOC 2 Type II Report”) |
| Description | Detailed description of what needs to be done and why |
| Priority | Critical, High, Medium, or Low (default: Medium) |
| Due Date | Optional target completion date |
| Assigned To | Optional team member assignment |
Link to a question response (optional)
If the action is related to a specific questionnaire response, link it to that response for better traceability.
Save the action
Click Create. The action appears in the remediation actions list with status Open.
Managing remediation actions
From the Remediation Actions tab, you can view all actions organized by status. Each action card shows the title, description, status badge, priority badge, due date, assigned team member, and completion date (if completed).
To update status, click on an action and change it: Open to In Progress when work begins, In Progress to Completed when finished, or any status to Cancelled if no longer needed. You can also edit the title, description, priority, due date, and assignment at any time by clicking the edit icon.
Common use cases
Remediation actions commonly fall into three categories.
Documentation requests ask vendors to provide certifications, audit reports, or security documentation (e.g., “Request SOC 2 Type II Report” — Priority: High, Due: 30 days).
Security control implementations require vendors to implement specific controls (e.g., “Implement Multi-Factor Authentication” — Priority: Critical, Due: 60 days).
Policy updates require vendors to update procedures or policies (e.g., “Update Incident Response Policy” — Priority: Medium, Due: 90 days).
Best practices
Create actions for specific, actionable items rather than vague goals.
Link actions to specific questionnaire responses when possible for better traceability.
Set realistic due dates based on action complexity and vendor response time.
Assign actions to specific team members for accountability.
Update status regularly as work progresses to maintain accurate tracking.
Use priority levels to help team members focus on critical items first.