Powered by
Use this risk treatment plan template to document, assign, and track treatment actions within risk and compliance teams.
Why SafetyCulture digital checklists?
Free to use for up to 10 users
Eliminate paperwork with digital checklists
Generate reports from completed checklists
In this article
Published 15 Jun 2026
Article by
6 min read
A risk treatment plan template is a structured document used to record how your organization plans to respond to identified risks by linking each risk to a treatment decision, an owner, and a review schedule.
Most organizations complete a risk assessment first to identify and rate hazards, then use the treatment plan to decide what to do about them. The template is where strategy becomes action: it captures who's responsible for each risk, what they'll do about it, and when it needs to be done.
A well-built risk treatment plan template gives auditors and managers everything they need to confirm that risks are being actively managed — not just recorded. Each field serves a specific accountability purpose.
A complete template should include:
Risk ID and description — A unique identifier and brief summary of the risk, linked back to your risk register entry
Risk rating — The inherent risk score (likelihood × impact) carried over from your risk assessment, used to prioritize treatment effort
Treatment option selected — Whether the risk will be mitigated, avoided, transferred, or accepted (see below)
Treatment actions and controls — The specific steps or controls being implemented to address the risk
Risk owner — The person accountable for the overall risk
Action owner — The person responsible for completing the treatment actions (this can be a different person from the risk owner)
Due dates — Deadlines for completing each treatment action
Review schedule — How often the treatment status will be reassessed
Residual risk rating — The expected risk level after treatment is in place
Treatment status — Open, in progress, closed, or overdue
Approver sign-off — Confirmation from a manager or Information Security Management System (ISMS) owner that the treatment plan has been reviewed and accepted
A risk treatment plan without assigned owners is just a list. Ownership is what turns documentation into action.
Your template should distinguish between two roles: the risk owner — the person accountable for managing the risk at an organizational level — and the action owner — the person completing the specific treatment task. On a construction site, for example, the EHS manager might own the risk of a fall hazard, while a site supervisor owns the action of installing guardrails by a specific date.
Set a review date for each treatment action, not just a due date. Risks change — what's acceptable today may not be next quarter. Status fields (open, in progress, closed, overdue) let managers see at a glance where the plan is stalling before an audit surfaces it.
Platforms like SafetyCulture let you assign actions directly within the template, send automated reminders as due dates approach, and generate a real-time view of treatment status across the organization — replacing the manual spreadsheet follow-up that typically falls through the cracks.
ISO/IEC 27001:2022 requires organizations to produce a risk treatment plan as a core deliverable of the ISMS. It's not optional, and auditors will look for it specifically during certification and surveillance audits.
For ISO 27001, your template needs to go further than the baseline fields above. Auditors check that each risk treatment decision is traceable from the risk assessment through to a specific control — and that the control appears in both the treatment plan and the Statement of Applicability.
The risk assessment process — identifying information assets, threats, and vulnerabilities — feeds directly into the treatment plan. Teams that use digital risk assessment tools can carry identified risks straight into the treatment template, reducing manual re-entry and the misalignment that comes from working across separate spreadsheets.
For ISO 27001 specifically, add these fields to your standard template:
Annex A control reference — the control(s) from ISO/IEC 27001 Annex A selected to address the risk (e.g., A.8.24 for encryption)
Statement of Applicability alignment — confirm the control is included in your SoA; any mismatch between the treatment plan and the SoA is a common audit finding
Treatment justification — a short explanation of why this treatment option was selected, particularly for accepted risks
Evidence of control implementation — documentation confirming the control is in place (e.g., configuration records, training logs, policy acknowledgments)
Residual risk approval — sign-off from leadership confirming the residual risk level is within the organization's defined risk appetite
AS/NZS ISO 31000:2018, the Australian and New Zealand adoption of the international standard, follows the same risk treatment principles — making this template structure equally applicable for ANZ organizations operating under local compliance frameworks or government procurement requirements.
Static spreadsheet templates work until they don't. Once a risk treatment plan involves multiple owners, departments, and review cycles, a shared Excel file becomes difficult to keep current and almost impossible to audit reliably. SafetyCulture's digital risk treatment plan template solves this by bringing everything into one place.
What the template lets you do:
Document treatment decisions — Record how each risk will be handled, with full context and reasoning in a structured format.
Assign actions to named owners — Every treatment action is linked to a responsible person, so accountability is clear from the start.
Track completion status — Monitor progress across all treatment actions in real time, without chasing updates manually.
Automate notifications — Owners receive automatic reminders as due dates approach, keeping treatment plans on track.
Maintain a full audit trail — Every update is timestamped, giving you a reliable record without any additional effort.
This template also sits alongside SafetyCulture's risk assessment templates and risk matrix tools, so the full risk management workflow — from identification through to treatment and review — runs through a single platform. Thermosash, a New Zealand glass manufacturer, used this connected approach to build their entire ISO certification system around SafetyCulture, fast-tracking a process that typically takes years.
For teams managing risk across multiple sites or business units, SafetyCulture's operational risk management tools provide visibility across the entire risk landscape, not just individual treatment plans.
To get a better understanding of how this template is used, here is a sample risk treatment plan:
Search, filter, and customize 60,000+ templates across industries and use cases.
