SW-IMS-FRM-004
Risk Treatment Plan Template
| Field | Value |
|---|---|
| Version | 1.0 |
| Owner | Risk Manager |
| Effective Date | TBD |
| Review Date | TBD |
Purpose
This template is used to plan and track risk treatment actions for risks identified in the Integrated Risk Register (SW-IMS-FRM-005). It provides a structured approach to addressing risks that require treatment beyond existing controls.
Instructions
- Complete one Risk Treatment Plan for each risk requiring additional treatment
- Reference the Risk ID from the Integrated Risk Register
- Define specific, measurable treatment actions with clear ownership
- Monitor implementation progress and verify effectiveness
- Update the Integrated Risk Register upon completion
Section 1: Risk Identification
| Field | Details |
|---|---|
| Risk ID | [From Risk Register: R-YYYY-NNN] |
| Risk Category | [ ] Quality [ ] Environmental [ ] Information Security [ ] Strategic [ ] Operational [ ] Financial |
| Plan Created By | |
| Plan Created Date | [YYYY-MM-DD] |
| Last Updated | [YYYY-MM-DD] |
Risk Description
Risk Statement:
[Copy from Risk Register: "If [event/condition], then [consequence], resulting in [impact]"]
Risk Owner: _____________________
Section 2: Current Risk Assessment
2.1 Inherent Risk (Before Treatment)
| Assessment Factor | Rating | Notes |
|---|---|---|
| Likelihood | [ ] Very Unlikely (1) [ ] Unlikely (2) [ ] Possible (3) [ ] Likely (4) [ ] Very Likely (5) | |
| Impact | [ ] Negligible (1) [ ] Minor (2) [ ] Moderate (3) [ ] Major (4) [ ] Critical (5) | |
| Risk Score | [Likelihood × Impact] | |
2.2 Existing Controls
What controls are currently in place?
| Control | Type | Effectiveness |
|---|---|---|
| | [ ] Preventive [ ] Detective [ ] Corrective | [ ] Effective [ ] Partially Effective [ ] Ineffective |
| | [ ] Preventive [ ] Detective [ ] Corrective | [ ] Effective [ ] Partially Effective [ ] Ineffective |
| | [ ] Preventive [ ] Detective [ ] Corrective | [ ] Effective [ ] Partially Effective [ ] Ineffective |
2.3 Residual Risk (With Current Controls)
| Assessment Factor | Rating | Notes |
|---|---|---|
| Likelihood | [ ] Very Unlikely (1) [ ] Unlikely (2) [ ] Possible (3) [ ] Likely (4) [ ] Very Likely (5) | |
| Impact | [ ] Negligible (1) [ ] Minor (2) [ ] Moderate (3) [ ] Major (4) [ ] Critical (5) | |
| Residual Risk Score | [Likelihood × Impact] | |
Is additional treatment required?
- Yes - residual risk exceeds risk appetite
- Yes - required by compliance/regulation
- Yes - cost-effective improvements available
- No - residual risk is acceptable as-is
Section 3: Treatment Strategy
3.1 Treatment Option Selected
Primary treatment approach:
- Avoid: Eliminate the risk by not undertaking or continuing the activity
- Reduce: Implement controls to reduce likelihood or impact
- Transfer: Share risk with third party (insurance, outsourcing, contract)
- Accept: Acknowledge risk and take no further action (with justification)
Rationale for chosen treatment:
[Why is this the most appropriate treatment option? Consider cost, feasibility, effectiveness.]
3.2 Target Risk Level
After implementing this treatment plan, what is the target residual risk?
| Factor | Target Rating |
|---|---|
| Target Likelihood | [ ] Very Unlikely (1) [ ] Unlikely (2) [ ] Possible (3) [ ] Likely (4) [ ] Very Likely (5) |
| Target Impact | [ ] Negligible (1) [ ] Minor (2) [ ] Moderate (3) [ ] Major (4) [ ] Critical (5) |
| Target Risk Score | [Likelihood × Impact] |
Is this target within Swedwise's risk appetite? [ ] Yes [ ] No
Section 4: Treatment Actions
4.1 Planned Actions
| # | Action Description | Type | Responsible Person | Target Date | Resources Required | Estimated Cost | Status |
|---|---|---|---|---|---|---|---|
| 1 | | [ ] Preventive [ ] Detective [ ] Corrective | | | | | [ ] Not Started [ ] In Progress [ ] Complete [ ] On Hold [ ] Cancelled |
| 2 | | [ ] Preventive [ ] Detective [ ] Corrective | | | | | [ ] Not Started [ ] In Progress [ ] Complete [ ] On Hold [ ] Cancelled |
| 3 | | [ ] Preventive [ ] Detective [ ] Corrective | | | | | [ ] Not Started [ ] In Progress [ ] Complete [ ] On Hold [ ] Cancelled |
| 4 | | [ ] Preventive [ ] Detective [ ] Corrective | | | | | [ ] Not Started [ ] In Progress [ ] Complete [ ] On Hold [ ] Cancelled |
*Add rows as needed.
4.2 Action Dependencies
Are there dependencies between actions?
[e.g., Action 2 depends on completion of Action 1; Actions must be implemented in sequence]
Dependencies on other projects/initiatives:
[e.g., Requires budget approval, depends on system upgrade project, waiting for vendor]
4.3 Total Resources Required
| Resource Type | Requirement | Source/Notes |
|---|---|---|
| Budget | | |
| Staff Time | [Person-days] | |
| Technology/Tools | | |
| External Support | [Consultants, vendors] | |
| Training | | |
| Other | | |
Total Estimated Cost: _____________________
Budget Approved? [ ] Yes [ ] No [ ] Pending
Approved By: _____________________ Date: __________
Section 5: Success Criteria
5.1 Measurable Outcomes
How will we know if this treatment is successful?
| Success Criterion | Measurement Method | Target | Baseline |
|---|---|---|---|
5.2 Key Performance Indicators (KPIs)
KPIs to monitor risk treatment effectiveness:
| KPI | Target | Frequency | Owner |
|---|---|---|---|
| | | [ ] Daily [ ] Weekly [ ] Monthly [ ] Quarterly | |
| | | [ ] Daily [ ] Weekly [ ] Monthly [ ] Quarterly | |
Section 6: Implementation Tracking
6.1 Progress Updates
| Date | Update | Progress % | Issues/Blockers | Updated By |
|---|---|---|---|---|
6.2 Issues and Risks
Implementation challenges encountered:
| Issue | Impact | Mitigation | Status |
|---|---|---|---|
| | | | [ ] Open [ ] Resolved |
| | | | [ ] Open [ ] Resolved |
Section 7: Verification and Closure
7.1 Implementation Verification
All actions completed? [ ] Yes [ ] No
Completion Date: __________
Verified By: _____________________ Date: __________
7.2 Effectiveness Assessment
Reassess residual risk after implementing treatment actions:
| Factor | Post-Treatment Rating | Previous Residual Rating |
|---|---|---|
| Likelihood | [ ] Very Unlikely (1) [ ] Unlikely (2) [ ] Possible (3) [ ] Likely (4) [ ] Very Likely (5) | |
| Impact | [ ] Negligible (1) [ ] Minor (2) [ ] Moderate (3) [ ] Major (4) [ ] Critical (5) | |
| New Residual Risk Score | | |
Did we achieve the target risk level? [ ] Yes [ ] No
If no, what additional actions are needed?
[Either revise this treatment plan or accept higher residual risk with justification]
7.3 Effectiveness Evidence
Evidence that treatment actions are working:
[e.g., Monitoring data, audit results, incident reduction, test results]
7.4 Lessons Learned
What did we learn from this risk treatment?
[Insights for future risk management, what worked well, what could be improved]
7.5 Ongoing Monitoring
How will this risk continue to be monitored?
| Monitoring Activity | Frequency | Responsible Person |
|---|---|---|
7.6 Treatment Plan Closure
Closed By: _____________________ Date: __________
Risk Register Updated? [ ] Yes [ ] No
Status:
- Complete - Target risk level achieved; ongoing monitoring in place
- Complete with Exceptions - See notes
- Deferred - Actions postponed; risk accepted until: __________
- Cancelled - Risk no longer relevant or treatment approach changed
Notes for Users
When to Create a Risk Treatment Plan
Create a treatment plan when:
- A risk exceeds Swedwise's risk appetite/tolerance
- Regulatory or contractual requirements mandate additional controls
- Cost-effective risk reduction opportunities exist
- Risk assessment identifies inadequate or missing controls
- Management or stakeholders request formal risk treatment
Treatment Plan vs. Corrective Action
- Risk Treatment Plan: Proactive—addresses potential future events
- Corrective Action (SW-IMS-FRM-003): Reactive—addresses actual nonconformities
Prioritization
Focus treatment efforts on:
- Critical/High risks: Those with highest risk scores
- Compliance risks: Those with regulatory/contractual consequences
- Quick wins: Low-effort, high-impact treatments
- Strategic risks: Those affecting business objectives
Treatment Plan Lifecycle
- Identify: Risk assessment identifies need for treatment
- Plan: Complete this template (Sections 1-5)
- Approve: Obtain budget/resource approval
- Implement: Execute actions; track progress
- Verify: Confirm implementation and measure effectiveness
- Monitor: Ongoing monitoring of residual risk
- Review: Periodic reassessment (minimum annually)
Integration with Risk Register
- Treatment plans are linked to risks via Risk ID
- Update the Integrated Risk Register (SW-IMS-FRM-005) when:
  - Treatment plan is created
  - Actions are completed
  - Residual risk rating changes
  - Treatment plan is closed
Document Control
| Version | Date | Author | Changes | Approved By |
|---|---|---|---|---|
| 1.0 | [TBD] | Risk Manager | Initial template creation | [TBD] |
Next Review Date: [TBD]
Document Classification: Internal
Document Owner: Risk Manager