M2.3.3 - P1 - RISK TREATMENT PLAN
The purpose of risk treatment plans is to document how the chosen risk treatment options will be implemented. The information provided in treatment plans should include:
- A. The reasons for selection of treatment options
- B. The controls that have been identified to implement the selected risk treatment option(s)
- C. The risk reduction or other modification that the identified control(s) are intended to achieve, and the level of risk expected to remain after the controls are in place (the residual risk)
- D. Those who are accountable for approving the plan
- E. Those responsible for implementing controls and the overall plan
- F. Proposed actions to achieve this implementation
- G. Priorities of implementation
- H. Resource requirements including contingencies
- I. Target dates for control implementation
- J. Interdependencies of control implementation (when the implementation of a control requires the complete implementation of another control)
- K. Performance measures and constraints (these can also be documented elsewhere)
- L. Reporting and monitoring requirements
The risk treatment plan should be integrated with the management processes of the entity and discussed with appropriate stakeholders.
Management should be aware of the nature and extent of the residual risk after risk treatment and should accept the residual risks. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.