Module 31: Risk Treatment Plans

CRISC Domain 3 (Risk Response and Reporting), Section C

Deciding to mitigate a risk means nothing if nobody tracks whether it actually happens. A Risk Treatment Plan documents:

  • What will be done
  • Who will do it
  • When it will be done
  • How effectiveness will be measured
  • What residual risk remains
  • When escalation is required

CRISC evaluates whether treatment is structured — not informal.


What the exam is really testing

When treatment plans appear, CRISC is asking:

  • Is there a formal remediation plan?
  • Is ownership clearly assigned?
  • Are timelines defined?
  • Is progress monitored?
  • Is residual risk reassessed?
  • Is escalation triggered when deadlines slip?

A response without a plan is incomplete.


Components of a risk treatment plan

A mature plan includes:

  • Risk description (from risk register)
  • Selected response strategy (avoid, mitigate, transfer, accept)
  • Control(s) to be implemented
  • Assigned risk/control owner
  • Implementation milestones
  • Target completion date
  • Resource allocation
  • Monitoring metrics
  • Residual risk estimate
  • Escalation criteria

If timelines or ownership are missing, governance maturity is weak.


Treatment plan vs issue management

They are related — but different.

Risk Treatment Plan:
Addresses identified risk exposure proactively.

Issue Management:
Addresses control failures or deficiencies reactively.

Treatment plans may create new issues if poorly executed.

CRISC tests the difference.


Monitoring progress

Treatment plans must include:

  • Defined milestones
  • Status tracking
  • Periodic review
  • Reporting to governance bodies

If deadlines are repeatedly missed without escalation, governance discipline fails.


Residual risk during implementation

Important nuance:

Until treatment is complete, residual risk remains.

If mitigation is delayed:

  • Residual risk may increase.
  • Escalation may be required.
  • Interim compensating controls may be necessary.

CRISC frequently tests failure to reassess during delays.


Example scenario (walk through it)

Scenario:
A high residual risk is identified. Management approves mitigation but does not assign an owner or timeline.

What is the PRIMARY governance weakness?

A. Incomplete risk treatment plan
B. Weak inherent risk
C. Excessive appetite
D. Poor threat modeling

Correct answer:

A. Incomplete risk treatment plan

Without an assigned owner and a timeline, treatment lacks accountability.


Second scenario

A treatment plan includes control implementation milestones but does not define how effectiveness will be measured.

What critical component is missing?

A. Avoidance strategy
B. Risk transfer agreement
C. Performance metrics
D. Threat landscape analysis

Correct answer:

C. Performance metrics

Treatment plans must include measurable success criteria.


Escalation triggers

Treatment plans should define:

  • Escalation threshold if deadlines are missed
  • Escalation threshold if cost overruns occur
  • Escalation threshold if residual risk remains above tolerance
  • Governance reporting frequency

If escalation criteria are undefined, accountability is weak.


Risk acceptance treatment plan

Even when accepting risk:

  • Documentation required
  • Owner defined
  • Review date defined
  • Conditions for reconsideration documented

Acceptance is still a treatment decision.

CRISC tests formal acceptance discipline.


The most common exam mistakes

Watch for answer choices that close a risk after control implementation but before validation. The exam also punishes ignoring deadline slippage and failing to update the risk register. Treatment is not a one-time decision — CRISC evaluates follow-through.


Now consider this

A mitigation project is delayed six months due to budget constraints. Residual risk exceeds tolerance during the delay. Leadership is aware but takes no action.

What governance principle is MOST compromised?

A. Threat modeling
B. Control classification
C. BIA alignment
D. Escalation discipline

Correct answer:

D. Escalation discipline

Residual risk exceeding tolerance requires escalation and formal review.


Quick knowledge check

1) What is the MOST critical element of a risk treatment plan?

A. Control technology name
B. Assigned ownership and timeline
C. Industry benchmark
D. Encryption algorithm

Answer & reasoning

Correct: B

Ownership and accountability drive execution.


2) If mitigation is delayed and residual risk exceeds tolerance, what must occur?

A. Ignore if temporary
B. Escalate and reassess exposure
C. Close risk
D. Transfer risk

Answer & reasoning

Correct: B

Tolerance breaches require escalation.


3) A risk is accepted without defining a review date. What governance gap exists?

A. Weak threat modeling
B. Poor inherent risk scoring
C. Excessive mitigation
D. Lack of formal monitoring and reassessment

Answer & reasoning

Correct: D

Acceptance must include periodic review.


Final takeaway

Risk treatment plans must be:

  • Documented
  • Owned
  • Time-bound
  • Measurable
  • Monitored
  • Escalated when required
  • Integrated into risk register

A decision without execution is noise. The exam cares about structured follow-through, not one-time approval.
