Module 31: Risk Treatment Plans

CRISC Domain 3 — Risk Response and Reporting, Section C. 10–12 min read.
Choosing a response is a decision.
Executing it is governance.

A Risk Treatment Plan documents:

  • What will be done
  • Who will do it
  • When it will be done
  • How effectiveness will be measured
  • What residual risk remains
  • When escalation is required

CRISC evaluates whether treatment is structured — not informal.


What the exam is really testing

When treatment plans appear, CRISC is asking:

  • Is there a formal remediation plan?
  • Is ownership clearly assigned?
  • Are timelines defined?
  • Is progress monitored?
  • Is residual risk reassessed?
  • Is escalation triggered when deadlines slip?

A response without a plan is incomplete.


Components of a risk treatment plan

A mature plan includes:

  • Risk description (from risk register)
  • Selected response strategy (avoid, mitigate, transfer, accept)
  • Control(s) to be implemented
  • Assigned risk/control owner
  • Implementation milestones
  • Target completion date
  • Resource allocation
  • Monitoring metrics
  • Residual risk estimate
  • Escalation criteria

If timelines or ownership are missing, governance maturity is weak.


Treatment plan vs issue management

They are related — but different.

Risk Treatment Plan:
Addresses identified risk exposure proactively.

Issue Management:
Addresses control failures or deficiencies reactively.

Treatment plans may create new issues if poorly executed.

CRISC tests the difference.


Monitoring progress

Treatment plans must include:

  • Defined milestones
  • Status tracking
  • Periodic review
  • Reporting to governance bodies

If deadlines are repeatedly missed without escalation, governance discipline fails.


Residual risk during implementation

Important nuance:

Until treatment is complete, the organization carries its current exposure, not the lower residual risk the plan projects. The residual risk figure in the plan is a target until the controls are in place and shown to work.

If mitigation is delayed:

  • Current exposure may increase while the plan stands still.
  • Escalation may be required.
  • Interim compensating controls may be necessary.

CRISC frequently tests failure to reassess risk during delays.


Example scenario (walk through it)

Scenario:
A high residual risk is identified. Management approves mitigation but does not assign an owner or timeline.

What is the PRIMARY governance weakness?

A. Weak inherent risk
B. Incomplete risk treatment plan
C. Excessive appetite
D. Poor threat modeling

Correct answer:

B. Incomplete risk treatment plan

Without ownership and timeline, treatment lacks accountability.


Slightly harder scenario

A treatment plan includes control implementation milestones but does not define how effectiveness will be measured.

What critical component is missing?

A. Avoidance strategy
B. Performance metrics
C. Risk transfer agreement
D. Threat landscape analysis

Correct answer:

B. Performance metrics

Treatment plans must include measurable success criteria.


Escalation triggers

Treatment plans should define:

  • Escalation threshold if deadlines are missed
  • Escalation threshold if cost overruns occur
  • Escalation threshold if residual risk remains above tolerance
  • Governance reporting frequency

If escalation criteria are undefined, accountability is weak.
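The component checklist above and the escalation triggers in this section are concrete enough to check by machine. The following is an added example, not material from the module or from ISACA: a small Python validator that flags missing treatment-plan components and reports the conditions under which a plan must be escalated. The record layout, the 1–5 residual risk scale, the 30-day slip threshold, the 10% cost-overrun threshold and the three sample plans are all assumptions constructed for the example.

```python
"""Check a risk treatment plan for structural completeness and escalation triggers.
Added example; the record layout and thresholds are assumptions, not a CRISC standard."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Milestone:
    name: str
    due: date
    done: bool = False


@dataclass
class TreatmentPlan:
    risk_id: str
    strategy: str                                  # avoid | mitigate | transfer | accept
    owner: Optional[str] = None                    # assigned risk/control owner
    target_date: Optional[date] = None             # target completion date
    controls: list = field(default_factory=list)   # control(s) to be implemented
    milestones: list = field(default_factory=list)
    metrics: list = field(default_factory=list)    # how effectiveness will be measured
    residual_risk: Optional[int] = None            # current residual rating on an assumed 1..5 scale
    budget: Optional[float] = None                 # resource allocation
    spent: float = 0.0
    review_date: Optional[date] = None             # required when strategy == "accept"
    escalation_criteria: Optional[str] = None


def completeness_gaps(plan: TreatmentPlan) -> list:
    """Return the plan components that are missing. An empty list means structurally complete."""
    gaps = []
    if not plan.owner:
        gaps.append("owner")
    if plan.residual_risk is None:
        gaps.append("residual risk estimate")
    if not plan.escalation_criteria:
        gaps.append("escalation criteria")
    if plan.strategy == "accept":
        # Acceptance is still a treatment decision: it needs an owner and a review date.
        if plan.review_date is None:
            gaps.append("review date")
    else:
        if plan.target_date is None:
            gaps.append("target completion date")
        if not plan.controls:
            gaps.append("controls")
        if not plan.milestones:
            gaps.append("milestones")
        if not plan.metrics:
            gaps.append("performance metrics")
    return gaps


def escalation_triggers(plan: TreatmentPlan, today: date, tolerance: int,
                        slip_days: int = 30, overrun_pct: float = 10.0) -> list:
    """Return the reasons the plan must be escalated as of `today`.
    Thresholds (30 days slip, 10% overrun) are assumed values a governance body would set."""
    reasons = []
    if plan.residual_risk is not None and plan.residual_risk > tolerance:
        reasons.append(f"residual risk {plan.residual_risk} exceeds tolerance {tolerance}")
    open_milestones = [m for m in plan.milestones if not m.done]
    for m in open_milestones:
        late = (today - m.due).days
        if late > slip_days:
            reasons.append(f"milestone '{m.name}' overdue by {late} days")
    if plan.target_date and today > plan.target_date and open_milestones:
        reasons.append("target completion date passed with open milestones")
    if plan.budget and plan.spent > plan.budget * (1 + overrun_pct / 100):
        reasons.append(f"spend {plan.spent:.0f} exceeds budget {plan.budget:.0f} by more than {overrun_pct}%")
    if plan.strategy == "accept" and plan.review_date and today > plan.review_date:
        reasons.append("accepted risk is past its review date without reassessment")
    return reasons


# Constructed sample plans (hypothetical risk IDs and controls).
AS_OF = date(2024, 9, 1)
TOLERANCE = 3

# Mitigation approved, but no owner or timeline: the first exam scenario on this page.
INCOMPLETE_PLAN = TreatmentPlan(
    risk_id="R-0412", strategy="mitigate", controls=["MFA on remote-access VPN"],
    residual_risk=4, escalation_criteria="report any slip to the risk committee")

# Mitigation delayed by roughly six months while residual risk sits above tolerance.
DELAYED_PLAN = TreatmentPlan(
    risk_id="R-0377", strategy="mitigate", owner="Head of Infrastructure",
    target_date=date(2024, 3, 31), controls=["Segment the OT network zone"],
    milestones=[Milestone("Design approved", date(2024, 1, 15), done=True),
                Milestone("Firewalls deployed", date(2024, 3, 1))],
    metrics=["% of OT assets behind the segmented firewall"],
    residual_risk=4, budget=250_000, spent=40_000,
    escalation_criteria="escalate if any milestone slips more than 30 days")

# Risk accepted without a review date: the third knowledge-check question.
ACCEPTED_PLAN = TreatmentPlan(
    risk_id="R-0501", strategy="accept", owner="Finance Director",
    residual_risk=2, escalation_criteria="reassess if loss events exceed two per year")

if __name__ == "__main__":
    for plan in (INCOMPLETE_PLAN, DELAYED_PLAN, ACCEPTED_PLAN):
        print(plan.risk_id, "gaps:", completeness_gaps(plan))
        print(plan.risk_id, "escalate:", escalation_triggers(plan, AS_OF, TOLERANCE))
```

Running the script lists, per plan, the components that are missing and the escalation reasons that apply on the assumed reporting date. The delayed plan is structurally complete yet still triggers escalation on three counts, which is the distinction the module draws between having a plan and following through on it.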


Risk acceptance treatment plan

Even when accepting risk:

  • Document the decision and its rationale
  • Assign an owner
  • Set a review date
  • Record the conditions that trigger reconsideration

Acceptance is still a treatment decision, and it must be made within risk appetite by someone with the authority to accept the risk.

CRISC tests formal acceptance discipline.


The most common exam mistakes

Candidates often:

  • Assume treatment ends with control implementation.
  • Forget to track progress.
  • Ignore deadline slippage.
  • Close risk prematurely.
  • Fail to update risk register.
  • Overlook residual risk reassessment.

CRISC evaluates follow-through.


Slightly uncomfortable scenario

A mitigation project is delayed six months due to budget constraints. Residual risk exceeds tolerance during the delay. Leadership is aware but takes no action.

What governance principle is MOST compromised?

A. Threat modeling
B. Escalation discipline
C. BIA alignment
D. Control classification

Correct answer:

B. Escalation discipline

Residual risk exceeding tolerance requires escalation and formal review.


Quick knowledge check

1) What is the MOST critical element of a risk treatment plan?

A. Control technology name
B. Assigned ownership and timeline
C. Industry benchmark
D. Encryption algorithm

Answer & reasoning

Correct: B

Ownership and accountability drive execution.


2) If mitigation is delayed and residual risk exceeds tolerance, what must occur?

A. Ignore if temporary
B. Close risk
C. Escalate and reassess exposure
D. Transfer risk

Answer & reasoning

Correct: C

Tolerance breaches require escalation.


3) A risk is accepted without defining a review date. What governance gap exists?

A. Weak threat modeling
B. Lack of formal monitoring and reassessment
C. Excessive mitigation
D. Poor inherent risk scoring

Answer & reasoning

Correct: B

Acceptance must include periodic review.


Final takeaway

Risk treatment plans must be:

  • Documented
  • Owned
  • Time-bound
  • Measurable
  • Monitored
  • Escalated when required
  • Integrated into risk register

Decision without execution is noise.

CRISC rewards structured follow-through — not one-time approval.

Next module: Module 32: Data Collection, Aggregation, Analysis & Validation