Risk Treatment Plan

The Basics of a Risk Treatment Plan

A risk treatment plan (RTP) is an essential part of an organization’s InfoSec program. In fact, ISO 27001 requires an RTP while SOC 2 and other frameworks ask for similar documentation. 

A solid risk assessment and risk treatment process together produce a stable InfoSec program; one without the other is like spending money on an alarm system and only protecting half your doors, or buying a security camera and pointing it at the wall. Your risk assessment tells you where your risks are so you can protect against them and mitigate them. It can also help you save money by not spending on protection mechanisms you don’t need. 

So let’s look at the bigger picture and explore risk treatment plans. 

What Is Risk Management?

Risk management is the identification, evaluation, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability or impact of unfortunate events. 

See, during a risk assessment, you identify your risks and determine the potential impact they could have on your business. Risk treatment is about determining how to treat your risks based on the potential impact. Do you avoid or accept the risk? How do you mitigate that risk? What controls do you use to bring them to an acceptable level of risk? We get into the nitty-gritty below.

Types of Risk

During the risk assessment, you identify lots of uncertainties. They fall into two kinds of risk. First, there’s inherent risk. That’s the amount of risk that exists in the absence of controls. It’s based on likelihood and impact. What are the chances of something happening and how bad would it be? 

For example, when you drive, you accept the risk of a car accident. However, depending on your mental state, road conditions and experience level, the likelihood of your risk fluctuates. Unfortunately, there are no controls you can put in place to change that.

Then there are the residual risks. This is the risk that remains after you apply a safeguard or control. When you drive, you wear a seatbelt and follow the rules of the road. This mitigates and reduces your risk. 

Inherent and residual risks exist everywhere and InfoSec is no exception. You always need to accept some level of risk in business to operate. Your customers’ expectations and your management team’s risk tolerance will influence your acceptable risk levels. 

What Is a Risk Treatment Plan?

This is a comprehensive project plan for implementing risk treatment recommendations. Risk treatment recommendations are a list of safeguards or processes that may be implemented and operated to reduce the likelihood and/or impact of inherent and residual risks. 

Risk treatment involves developing a range of options for mitigating the risk. Then you’ll assess those options, prepare a plan of attack through your risk treatment strategy, and start implementing controls. The highest-rated risks should be addressed as a matter of urgency.

Impact is the harm that may be suffered when a threat compromises an information asset. Likelihood is how often the risk event might happen. Impact plus likelihood equals inherent risk. This little equation establishes the priority for control measures to treat different risks.

There are three standard levels:

  • High risk: Expected to occur often
  • Medium risk: Expected to occur occasionally
  • Low risk: Expected to occur rarely

There are as many levels as your company wants to define. But by applying a level to each risk you identified in your risk assessment, you can balance your books. In general, the cost of managing the risks needs to be proportionate to the benefits. And assigning risk levels supports prioritizing your resources.

PS: Want to streamline risk identification and conduct better assessments, faster? Download The Art of the Enterprise IT Risk Assessment and learn how to get executive buy-in and create a more effective risk management practice across your team and organization.

Developing a Risk Treatment Plan

After you determine the level, it’s time to tackle the treatment plan for each risk level. For risks flagged as ‘high,’ you need to create a treatment plan. For risks rated as ‘low,’ there may still be low-lift improvement opportunities, and you can develop a treatment plan at your discretion.

Depending on the type of risk, there are four risk treatment options:

  • Accept: To acknowledge the risk but decide that any actions to avoid or mitigate the risk will be too costly or time-consuming. The benefits don’t exceed the cost.
  • Transfer: To take action(s) by transferring the risk to another entity (e.g., an insurance company, or using AWS instead of running your own data center with servers, physical security measures, etc.).
  • Mitigate: To take action(s) to minimize the potential impact of any given risk by implementing mitigating controls.
  • Avoid: To take action(s) that will eliminate the risk in its entirety.

Effective risk treatment relies on attaining buy-in from key stakeholders and developing realistic objectives and timelines for implementation.

Management ultimately determines which risk levels need to be addressed by a treatment plan. For example, for risks rated ‘high,’ a treatment plan is mandatory. However, for risks rated as ‘low’ treatment plans are optional.

Documenting a Risk Treatment Plan

For each risk recognized in your risk assessment, you need to have a document, digital or print, that outlines your program. 

First, you’ll specify your chosen risk treatment option (accept, transfer, mitigate, avoid, etc.). Next, you’ll outline your approach to treat the risk, highlighting any relationships or interdependencies with other risks. It’s also important to assign responsibility. Having a designated person accountable for monitoring and reporting on the progress of the RTP implementation disperses the workload and keeps everyone on track. Lastly, you set the deadlines. Risks are not created equal. If there’s a long game to play with a risk, document your steps and interim measures. Showing it’s a work in progress is always a good idea.
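The scoring rule above (impact plus likelihood equals inherent risk), the High/Medium/Low levels, the four treatment options and the documentation checklist (option, owner, deadline; mandatory for ‘high’, optional for ‘low’) can be captured in a small risk register. The following is an added example, not code from this post or from Tugboat Logic; the 1-3 scales, the level thresholds, the residual-risk rule and the register entries are assumptions constructed for illustration.

```python
# Added example (not code from the Tugboat Logic post): a small risk register that
# applies the post's rule "impact plus likelihood equals inherent risk", maps the
# score to High/Medium/Low, and checks whether each entry's treatment plan is
# documented the way the post describes (option, owner, deadline; mandatory for
# High, optional for Low). The 1-3 scales, the level thresholds and the
# residual-risk rule are assumptions made for this example.
from dataclasses import dataclass, field
from typing import List, Optional

TREATMENT_OPTIONS = {"accept", "transfer", "mitigate", "avoid"}
SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal scale


def inherent_score(impact: str, likelihood: str) -> int:
    """The post's rule: impact plus likelihood equals inherent risk (assumed 1-3 scales)."""
    return SCALE[impact] + SCALE[likelihood]


def risk_level(score: int) -> str:
    """Assumed thresholds over the 2..6 score range: 5-6 High, 4 Medium, 2-3 Low."""
    if score >= 5:
        return "High"
    if score == 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str
    treatment: Optional[str] = None   # accept / transfer / mitigate / avoid
    owner: Optional[str] = None       # accountable person from the documentation step
    deadline: Optional[str] = None    # ISO date string, e.g. "2024-06-30" (constructed)
    controls: List[str] = field(default_factory=list)  # mitigating controls, if any

    @property
    def inherent(self) -> int:
        return inherent_score(self.impact, self.likelihood)

    @property
    def level(self) -> str:
        return risk_level(self.inherent)

    def residual(self) -> int:
        """Risk left after treatment. Assumption: 'avoid' removes the risk, each
        mitigating control lowers likelihood by one notch (never below 1), and
        'accept' and 'transfer' leave the score unchanged."""
        if self.treatment == "avoid":
            return 0
        likelihood = SCALE[self.likelihood]
        if self.treatment == "mitigate":
            likelihood = max(1, likelihood - len(self.controls))
        return SCALE[self.impact] + likelihood


def plan_gaps(risk: Risk) -> List[str]:
    """Documentation checks from the post: a High risk must have a plan; any plan
    needs a valid option, an accountable owner and a deadline. Low risks may go untreated."""
    gaps = []
    if risk.treatment is None:
        if risk.level == "High":
            gaps.append("High risk has no treatment plan (mandatory)")
        return gaps
    if risk.treatment not in TREATMENT_OPTIONS:
        gaps.append(f"unknown treatment option '{risk.treatment}'")
    if risk.treatment == "mitigate" and not risk.controls:
        gaps.append("mitigate chosen but no mitigating controls listed")
    if not risk.owner:
        gaps.append("no accountable owner assigned")
    if not risk.deadline:
        gaps.append("no deadline set")
    return gaps


def prioritize(register: List[Risk]) -> List[str]:
    """Highest inherent risk first, so the most urgent items are treated first."""
    return [r.name for r in sorted(register, key=lambda r: r.inherent, reverse=True)]


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("Unpatched internet-facing server", "high", "high", "mitigate",
         "IT Ops lead", "2024-06-30", ["monthly patch cadence", "web application firewall"]),
    Risk("Ransomware outbreak", "high", "medium"),               # High, no plan yet
    Risk("Lost or stolen laptop", "high", "low", "mitigate", None, "2024-09-30",
         ["full-disk encryption"]),                              # plan without an owner
    Risk("Data center power outage", "medium", "medium", "transfer",
         "Facilities manager", "2024-12-31"),                    # covered by hosting contract
    Risk("Office printer jam", "low", "low"),                    # Low, treatment optional
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: r.inherent, reverse=True):
        print(f"{r.name:34} inherent={r.inherent} ({r.level:6}) "
              f"residual={r.residual()} gaps={plan_gaps(r)}")
```

Running the script lists the register in priority order and flags the two documentation gaps the post warns about: a ‘high’ risk with no treatment plan at all, and a plan with no accountable owner. Swap in your own scales and thresholds; the point is that the checks run the same way for every entry, so the team is working from one set of criteria.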

Implementing and Monitoring a Risk Treatment Plan

Remember the accountable person you named in all that documentation you did? That’s the person in charge of coordinating activities and implementing the risk treatments. They’re responsible for ensuring tasks are executed on time.

Food for thought:

  • Structure: Are there enough people and adequate time to support your risk treatment plan?
  • Financing: Is there enough money? If there are constraints, is there a process to prioritize controls with the greatest need or cost-benefit?
  • Communication with stakeholders: How will you keep all parties informed and aligned? 

You’ll also need to create a process for monitoring and reviewing risks. Building both monitoring and reviewing into business-as-usual activities makes life a lot easier and helps you recognize indicators that a risk is increasing or decreasing.

Risk Is Everywhere

In both personal and professional life, everything involves risk. The risk treatment plan you put in place better prepares your business for whatever curveballs are thrown your way. From data breaches to power outages, your risk treatment plan sets you up for success.

Think of Tugboat Logic as your seat belt. 

Tugboat Logic’s risk survey generates an accurate list of risks specific to your business and connects them to your controls. Scoping and risk workshops can take days—sometimes longer. But our platform gets you through the process in minutes, without compromising quality.

You don’t have to waste time and energy ensuring your team uses the same impact and risk criteria. With Tugboat Logic, we’ve standardized everything for you. Or you can customize criteria and apply standards that meet your own preferences, so everyone is on the same page.

Get a free trial or contact one of our representatives at