What to include in an ISO 31000 risk treatment plan template
A risk treatment plan is not the same as a risk register. The register logs all identified risks and their current status. The treatment plan is the action document — it records the treatment decision, specific controls, named owner, deadline, and residual risk for each risk that requires active management. The register is the input; the treatment plan is the output.
An ISO 31000-compliant treatment plan template captures more than just treatment choices. Each entry needs enough detail to demonstrate that risks are being managed and monitored, which is why it should include fields such as:
Risk details and assessment inputs
Start with the risk context. A well-structured template pulls directly from the risk assessment: risk ID, description, risk category, and the inherent risk rating — the combined likelihood and consequence score before any controls are applied.
This connection matters. Without it, the treatment plan is a standalone document. With it, auditors can trace each treatment decision back to the risk that triggered it.
Risk treatment options
ISO 31000:2018 defines four treatment approaches. The template captures which one applies to each risk, and why:
Avoid — Eliminate the activity or condition that creates the risk entirely
Reduce/Modify — Implement controls to lower the likelihood, the consequence, or both
Transfer/Share — Shift the exposure to a third party through insurance, contracts, or joint arrangements
Retain/Accept — Take no further action, with a documented rationale confirming the risk falls within tolerance
The selection alone isn't enough. The rationale field — why this option was chosen for this specific risk — is what separates a defensible treatment record from a compliance checkbox.
Treatment owner, control measures, and deadlines
This is the accountability layer. A named individual (not a department, not a function) is assigned as treatment owner with responsibility for implementing the agreed controls by a set deadline.
The template captures the specific control actions required, the resources needed, and the target completion date. For risk analysis teams managing multiple risks simultaneously, this section creates the workload visibility needed to track progress without chasing people for updates.
Platforms like SafetyCulture let teams digitally assign these actions directly from the template, sending automatic notifications to the treatment owner and surfacing overdue items on a live dashboard.
Residual risk and risk appetite alignment
After controls are applied, the template records the post-treatment outcome: revised likelihood, revised consequence, and the residual risk level. The final field confirms whether that residual risk sits within the organization's accepted risk appetite.
This sign-off step is often skipped in paper-based processes — but it's one of the fields auditors specifically look for. It demonstrates that the organization didn't just act on a risk; it verified that the action was sufficient.
How to use a risk treatment plan template for ISO 31000
Step 1: Transfer risk assessment outputs into the template
A risk treatment plan starts where the risk assessment process ends. For each risk that scores above the accepted tolerance threshold in the evaluation stage, carry across the risk ID, description, and inherent risk rating.
Risks within tolerance don't need treatment plan entries — recording that no further action is required against those items is sufficient. This keeps the template focused on risks that actually need active management.
Step 2: Select and document the treatment option
For each risk in the template, select one of the four ISO 31000 treatment options and complete the rationale field. The rationale explains why this approach fits the specific risk — a cost-benefit consideration, an alignment with the organization's risk appetite, or a regulatory requirement that shapes the choice.
Organizations can combine options for high-consequence risks. A critical operational risk might be both reduced through engineering controls and transferred via insurance coverage. Both should be documented.
Step 3: Assign owner, controls, and a review date
With the treatment option confirmed, populate the accountability fields. Assign the treatment to a named individual — "the safety team" or "operations management" creates no real accountability. Set specific control actions with measurable success criteria, an implementation deadline, and a scheduled review date.
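The three steps above can be checked mechanically once the register and the plan are data rather than paper. The following Python example, added here and not SafetyCulture's template or code, models a register row and a treatment plan entry, selects only risks above tolerance (Step 1), requires a treatment option and rationale (Step 2), and enforces a named individual owner, control actions, review date and residual risk within appetite (Step 3). The 5x5 likelihood/consequence scale, the tolerance value of 6, the group-word heuristic for owners and all sample risks are constructed assumptions.

```python
"""Validate ISO 31000 treatment plan entries against the rules in Steps 1-3.
Constructed example: scoring scale, tolerance and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Treatment(Enum):
    """The four ISO 31000:2018 treatment options."""
    AVOID = "avoid"
    REDUCE = "reduce"      # also called modify
    TRANSFER = "transfer"  # also called share
    RETAIN = "retain"      # also called accept


def rating(likelihood: int, consequence: int) -> int:
    """Combined risk score on an assumed 5x5 matrix (each axis scored 1..5)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    return likelihood * consequence


@dataclass
class RegisterRisk:
    """One row of the risk register (the input to the treatment plan)."""
    risk_id: str
    description: str
    category: str
    likelihood: int
    consequence: int

    @property
    def inherent(self) -> int:
        return rating(self.likelihood, self.consequence)


@dataclass
class TreatmentEntry:
    """One row of the treatment plan (the output); carries the register row."""
    risk: RegisterRisk
    options: list[Treatment]
    rationale: str
    owner: str
    controls: list[str]
    deadline: date
    review_date: date
    revised_likelihood: int
    revised_consequence: int

    @property
    def residual(self) -> int:
        return rating(self.revised_likelihood, self.revised_consequence)


# Step 1: only risks scoring above the tolerance threshold need an entry.
def needs_treatment(register: list[RegisterRisk], tolerance: int) -> list[RegisterRisk]:
    return [r for r in register if r.inherent > tolerance]


# Assumed heuristic: these words mark a group, not a named individual.
GROUP_WORDS = ("team", "management", "department", "function", "committee")


def validate_entry(entry: TreatmentEntry, tolerance: int) -> list[str]:
    """Return findings for one entry; an empty list means it is complete."""
    problems = []
    if not entry.options:                                   # Step 2
        problems.append("no treatment option selected")
    if not entry.rationale.strip():                         # Step 2
        problems.append("rationale missing")
    if any(w in entry.owner.lower() for w in GROUP_WORDS):  # Step 3
        problems.append(f"owner '{entry.owner}' is a group, not a named individual")
    if entry.options != [Treatment.RETAIN] and not entry.controls:
        problems.append("no control actions listed")
    if entry.review_date < entry.deadline:
        problems.append("review date precedes implementation deadline")
    if entry.residual > tolerance:                          # appetite check
        problems.append(f"residual {entry.residual} exceeds risk appetite {tolerance}")
    return problems


def plan_report(entries: list[TreatmentEntry], tolerance: int) -> dict[str, list[str]]:
    """Map each risk ID in the plan to its list of findings."""
    return {e.risk.risk_id: validate_entry(e, tolerance) for e in entries}


# Constructed sample register and plan (not real data).
TOLERANCE = 6
REGISTER = [
    RegisterRisk("R-01", "Unpatched internet-facing VPN appliance", "Cyber", 4, 5),
    RegisterRisk("R-02", "Visitor sign-in log kept on paper", "Compliance", 2, 2),
    RegisterRisk("R-03", "Single supplier for a critical component", "Operational", 3, 4),
]
ENTRIES = [
    TreatmentEntry(REGISTER[0], [Treatment.REDUCE], "Patching is cheaper than the outage",
                   "A. Example (IT Security Manager)", ["Apply vendor patch", "Enable MFA"],
                   date(2025, 3, 31), date(2025, 6, 30), 1, 5),
    TreatmentEntry(REGISTER[2], [Treatment.REDUCE, Treatment.TRANSFER], "",
                   "Operations management", ["Qualify second supplier", "Buy cover"],
                   date(2025, 9, 30), date(2025, 6, 30), 2, 4),
]

if __name__ == "__main__":
    print([r.risk_id for r in needs_treatment(REGISTER, TOLERANCE)])
    for risk_id, findings in plan_report(ENTRIES, TOLERANCE).items():
        print(risk_id, findings or "complete")
```

Run as written, R-01 validates cleanly, while R-03 is reported four times: missing rationale, a group named as owner, a review date earlier than the deadline, and a residual score of 8 that still sits above the appetite of 6. R-02 scores 4 and never enters the plan, matching the Step 1 rule that in-tolerance risks need no entry.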
When Thermosash Group built their ISO compliance system in SafetyCulture, they achieved ISO certification in six months. As mentioned in their customer story, their experience reflects what structured digital documentation can do for any organization working toward ISO compliance — when every action has a named owner and a clear audit trail, certification becomes a documentation exercise rather than a scramble.
Sample risk treatment plan for ISO 31000
To see how this template is used to create risk treatment plans for ISO 31000, check this sample report:
Preview Sample Risk Treatment Plan Template ISO 31000 PDF Report