A risk treatment plan (sometimes called a risk response plan) describes how selected risk treatments will be implemented, by whom, and by when. For the plan to be actionable and enforceable, every significant risk and its treatment must have a clearly assigned risk owner.
CRISC guidance emphasizes that:
Accountability for risk treatment lies with the risk owner.
A risk treatment plan primarily provides treatment for identified risk that exceeds risk tolerance and should specify responsibility for implementing the chosen risk treatment.
Ensuring accountability and ownership is critical for the effectiveness of the risk management program.
While items such as financial impact and risk register references are useful supporting information, the one element that must be present for each treated risk is the person or role responsible for making sure the treatment is implemented and monitored.
Therefore:
A. Risk owner — REQUIRED in every risk treatment plan entry.
B. “Senior management” is too generic; they may approve the plan but are not always the specific treatment owners.
C. “Risk register details” are normally linked to or referenced, but they are not the key must-have field for effective execution.
D. “Risk financial impact” is important for prioritization and cost–benefit analysis, but without an owner, nothing guarantees action.
This is consistent with CRISC’s treatment-plan guidance that risk treatment plans “primarily specify the responsibility for implementing the chosen risk treatment and provide treatment for identified risk that exceeds risk tolerance.”