| Key Takeaways |
| --- |
| A risk mitigation plan is the documented set of actions, owners, budgets, timelines, and success criteria designed to reduce identified risks to within the organization’s risk appetite. ISO 31000:2018 Clause 6.5 (Risk Treatment) defines the process: select treatment options, prepare and implement treatment plans, assess treatment effectiveness, and determine whether residual risk is tolerable. |
| A complete risk mitigation plan contains eight components: risk context summary, prioritized risk inventory, treatment selection rationale, action plans with SMART criteria, resource allocation, implementation timeline, monitoring and KRI framework, and review and update schedule. |
| The four treatment options for negative risk are: Avoid (eliminate the risk source), Reduce (decrease likelihood or consequence through controls), Share/Transfer (shift part of the risk to a third party), and Accept (retain the risk within appetite). Most risks require a combination of options rather than a single response. |
| Treatment selection must be driven by cost-benefit analysis, not default preferences. A $500K control investment to reduce a $50K expected annual loss destroys value. The Expected Monetary Value (EMV) framework provides the quantitative basis for treatment decisions: invest in treatment only when the treatment cost is less than the risk reduction benefit. |
| Every treatment action must specify five mandatory fields: owner (single accountable person), action description (specific and measurable), budget, target completion date, and expected residual risk after implementation. Plans missing any field are aspirational statements, not executable commitments. |
| The risk mitigation plan is a living document. ISO 31000 Clause 6.6 (Monitoring and Review) requires continuous tracking of treatment effectiveness, new risks introduced by treatments, and changes in the risk environment that may invalidate existing plans. Quarterly reviews and annual comprehensive reassessment are minimum cadences. |
| A 90-day roadmap takes your organization from risk assessment results to a funded, owned, and monitored risk mitigation plan with board visibility. |
A risk assessment without a mitigation plan is a diagnostic without a prescription. The assessment identifies what could go wrong, measures the likelihood and consequences, and prioritizes the risks that exceed the organization’s appetite.
The mitigation plan converts those priorities into funded, owned, time-bound actions that reduce residual risk to acceptable levels. ISO 31000:2018 Clause 6.5 (Risk Treatment) provides the process framework.
The COSO ERM framework Principle 13 (Implements Risk Responses) provides the governance context.
The gap between assessment and action is where most organizations stall. Risks are scored and heat-mapped, but treatment plans lack specificity.
Actions say “improve controls” without naming the control, the owner, or the budget. Timelines are absent or unrealistic. Monitoring is annual rather than continuous.
The result: risks sit in the register unchanged from quarter to quarter, and the board receives the same heat map with the same red zones meeting after meeting.
This guide provides the eight components every risk mitigation plan needs, a treatment selection framework with cost-benefit analysis, a worked example threading a single risk through the full planning process, and a 90-day implementation roadmap.
Each component produces a specific deliverable that satisfies ISO 31000 requirements and audit committee expectations.
Building a credible risk mitigation plan starts with recognizing that the plan is an operating blueprint, not a compliance artifact. The plan structure below aligns every treatment action to ISO 31000 and COSO ERM so the board sees a clear link between risk exposure and funded response.

The Eight Components of a Risk Mitigation Plan
| # | Component | Purpose | Key Content |
| --- | --- | --- | --- |
| 1 | Risk Context Summary | Anchors the mitigation plan to the organization’s strategic environment, risk appetite, and the assessment that produced the risks being treated. | Scope of the assessment. Date of the assessment. Risk appetite thresholds by category. Scoring methodology used. Number of risks identified and their distribution across priorities. |
| 2 | Prioritized Risk Inventory | Lists the risks that require treatment, ranked by the gap between residual risk score and appetite threshold. Excludes risks within appetite (accepted). | Risk ID, description (cause-event-consequence), risk category, inherent score, residual score, appetite threshold, gap, priority ranking, risk owner. |
| 3 | Treatment Selection Rationale | Documents why each treatment option was selected (avoid, reduce, share, accept) and the cost-benefit analysis supporting the decision. | Treatment option selected. Alternatives considered and why they were rejected. EMV calculation. Cost of treatment vs. risk reduction benefit. Expected residual risk after treatment. |
| 4 | Action Plans (SMART) | Specifies the exact actions required to implement each treatment. Each action meets SMART criteria: Specific, Measurable, Achievable, Relevant, Time-bound. | Action description. Owner (single accountable person). Budget. Start date. Target completion date. Expected residual risk after implementation. Dependencies. Success criteria. |
| 5 | Resource Allocation | Aggregates the budget, personnel, and technology requirements across all treatment actions. Confirms that total resource demand is within the organization’s capacity. | Total mitigation budget. Personnel allocation (FTEs or hours). Technology/tool requirements. External costs (consulting, insurance, vendor services). Funding source and approval status. |
| 6 | Implementation Timeline | Maps all treatment actions onto a calendar showing dependencies, milestones, and the critical path. Identifies which treatments must be completed before others can begin. | Gantt chart or milestone table. Dependencies between treatments. Critical path. Quarterly milestones. Board reporting dates for progress updates. |
| 7 | Monitoring and KRI Framework | Defines how treatment effectiveness will be measured, which KRIs will be tracked, and what triggers re-evaluation of the treatment plan. | KRI for each treated risk with RAG thresholds. Monitoring frequency (continuous, monthly, quarterly). Treatment effectiveness review criteria. Trigger conditions for plan re-evaluation. |
| 8 | Review and Update Schedule | Specifies when the mitigation plan will be reviewed, by whom, and what conditions trigger an interim review outside the regular schedule. | Quarterly progress review by risk committee. Annual comprehensive reassessment. Interim review triggers: significant risk event, M&A, strategy change, regulatory change, treatment failure. |
Before selecting treatments, the plan must capture the four treatment options and the decision criteria that justify each choice. A disciplined plan documents the rationale so auditors, the risk committee, and the board can trace every decision back to evidence.

Treatment Selection Framework
ISO 31000 Clause 6.5.1 states that selecting the most appropriate risk treatment option involves balancing the potential benefits of each option against the costs and efforts of implementation.
The four treatment options are not mutually exclusive; most risks require a combination.
The Four Treatment Options
| Option | What It Does | When to Select | Cost Profile | Example |
| --- | --- | --- | --- | --- |
| Avoid | Eliminates the risk by removing its source, discontinuing the activity, or changing the objective. The risk ceases to exist. | The risk exceeds appetite by a wide margin. No cost-effective treatment can reduce it sufficiently. The activity generating the risk is not essential to strategic objectives. | Variable. May involve opportunity cost of abandoning an activity or market. No ongoing treatment cost because the risk is eliminated. | Cancel a product launch into a market where regulatory compliance is unachievable within the planned timeline and budget. |
| Reduce (Likelihood) | Implements preventive controls that decrease the probability of the risk event occurring. Addresses root causes. | The risk has identifiable causes that can be addressed through controls, process redesign, training, or technology. The cost of reduction is less than the expected loss reduction. | Upfront investment in controls (technology, training, process redesign). Ongoing maintenance cost. ROI measured by reduction in incident frequency. | Deploy multi-factor authentication to reduce the likelihood of unauthorized system access from 3 (Possible) to 1 (Rare). |
| Reduce (Consequence) | Implements mitigating controls that limit the damage when the risk event occurs. Addresses the impact chain. | The risk event cannot be fully prevented, but its consequences can be contained through preparedness, response capability, or recovery mechanisms. | Upfront investment in response/recovery capabilities. Ongoing maintenance and testing cost. ROI measured by reduction in loss severity per event. | Develop and test a business continuity plan that reduces the financial impact of a data center outage from $5M to $500K. |
| Share / Transfer | Shifts part of the risk to a third party through insurance, contracts, outsourcing, joint ventures, or hedging. Does not eliminate the risk; it reallocates the financial or operational burden. | The organization lacks the expertise or capacity to manage the risk efficiently. A third party can absorb the risk at a lower cost. Insurance is available and cost-effective relative to expected losses. | Insurance premiums. Contract costs. Revenue sharing with partners. Note: ISO 31000 states that sharing risk does not eliminate accountability. | Purchase cyber liability insurance with a $10M policy limit and $100K deductible to transfer the financial impact of a data breach. |
| Accept | Retains the risk without additional treatment. Formally acknowledges that the residual risk is within appetite or that treatment costs exceed the expected benefit. | Residual risk is within the organization’s appetite threshold. The cost of any treatment exceeds the expected loss reduction. The risk is inherent to the organization’s core business and cannot be further reduced without disproportionate cost. | No treatment cost. Ongoing monitoring cost for KRIs. Contingency reserve (optional) for accepted risks above a specified threshold. | Accept a low-probability reputational risk from normal competitive activity. Monitor quarterly through social sentiment KRI. |
Cost-Benefit Analysis: The EMV Framework
Every treatment decision should be supported by a cost-benefit analysis. The Expected Monetary Value (EMV) framework provides the quantitative basis.
The decision rule: invest in treatment when the treatment cost is less than the risk reduction benefit (the difference between the EMV before and after treatment).
| Metric | Formula | Example Calculation |
| --- | --- | --- |
| EMV Before Treatment | Probability x Impact (financial) | Probability: 40% (0.40). Impact: $2M. EMV = 0.40 x $2,000,000 = $800,000 per year. |
| Treatment Cost | One-time implementation cost + annual operating cost (annualized) | Implementation: $200K. Annual operating: $50K. Total annualized cost (3-year horizon): $200K/3 + $50K = $117K per year. |
| EMV After Treatment | Reduced probability x Reduced impact | New probability: 10% (0.10). New impact: $1.5M (consequence also reduced). EMV = 0.10 x $1,500,000 = $150,000 per year. |
| Risk Reduction Benefit | EMV Before – EMV After | $800,000 – $150,000 = $650,000 per year. |
| Net Benefit | Risk Reduction Benefit – Treatment Cost | $650,000 – $117,000 = $533,000 per year. Treatment is cost-justified. |
| Benefit-Cost Ratio | Risk Reduction Benefit / Treatment Cost | $650,000 / $117,000 = 5.6x. Ratios above 1.0 indicate the treatment creates value. |
Organizations that skip cost-benefit analysis risk two failures: over-investing in low-value treatments (spending $500K to mitigate a $50K annual expected loss) or under-investing in high-value treatments (declining a $100K control that would prevent $2M in expected annual losses).
The EMV framework prevents both. For risks where quantitative data is unavailable, use a qualitative cost-benefit assessment: rank the treatment cost as Low/Medium/High and the risk reduction as Low/Medium/High, then select treatments where the reduction exceeds the cost.
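The EMV table worked through in code, as an added example that is not the article's own: it derives the table's metrics for one treatment, applies the decision rule, and includes the qualitative Low/Medium/High fallback for risks without financial data. Function names are this example's choice; the figures in the demo are the article's.

```python
"""EMV cost-benefit check for a risk treatment (added example, not from the article).

Implements the decision rule from the EMV table: invest in a treatment only when
its annualized cost is below the risk reduction benefit (EMV before minus EMV
after). The qualitative Low/Medium/High fallback from the text is included for
risks without financial data. Function names are this example's own choice; the
numbers in the demo are the article's worked figures.
"""
from dataclasses import dataclass

# Ordinal scale for the qualitative fallback.
QUAL_RANK = {"Low": 1, "Medium": 2, "High": 3}


def emv(probability: float, impact: float) -> float:
    """Expected monetary value per year: probability x financial impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact


def annualized_cost(implementation: float, annual_operating: float,
                    horizon_years: int = 3) -> float:
    """One-time implementation cost spread over the horizon, plus annual operating cost."""
    if horizon_years < 1:
        raise ValueError("horizon must be at least one year")
    return implementation / horizon_years + annual_operating


@dataclass(frozen=True)
class TreatmentDecision:
    """The EMV-table metrics derived from before/after EMV and annualized treatment cost."""
    emv_before: float
    emv_after: float
    treatment_cost: float  # annualized

    @property
    def risk_reduction_benefit(self) -> float:
        return self.emv_before - self.emv_after

    @property
    def net_benefit(self) -> float:
        return self.risk_reduction_benefit - self.treatment_cost

    @property
    def benefit_cost_ratio(self) -> float:
        if self.treatment_cost <= 0:
            return float("inf")
        return self.risk_reduction_benefit / self.treatment_cost

    @property
    def cost_justified(self) -> bool:
        # Decision rule: the treatment creates value only when benefit exceeds cost.
        return self.net_benefit > 0


def evaluate_treatment(p_before: float, impact_before: float,
                       p_after: float, impact_after: float,
                       implementation: float, annual_operating: float,
                       horizon_years: int = 3) -> TreatmentDecision:
    """Quantitative path: build the full EMV comparison for one treatment."""
    return TreatmentDecision(
        emv_before=emv(p_before, impact_before),
        emv_after=emv(p_after, impact_after),
        treatment_cost=annualized_cost(implementation, annual_operating, horizon_years),
    )


def qualitative_decision(treatment_cost: str, risk_reduction: str) -> bool:
    """Fallback when no financial data exists: treat only when reduction outranks cost."""
    return QUAL_RANK[risk_reduction] > QUAL_RANK[treatment_cost]


if __name__ == "__main__":
    # The EMV table's worked figures: 40% x $2M before, 10% x $1.5M after,
    # $200K implementation + $50K/yr operating over a 3-year horizon.
    d = evaluate_treatment(0.40, 2_000_000, 0.10, 1_500_000, 200_000, 50_000)
    print(f"EMV before ${d.emv_before:,.0f}, after ${d.emv_after:,.0f}")
    print(f"Benefit ${d.risk_reduction_benefit:,.0f}, cost ${d.treatment_cost:,.0f}")
    print(f"Net ${d.net_benefit:,.0f}, ratio {d.benefit_cost_ratio:.1f}x, "
          f"justified={d.cost_justified}")
    # The over-investment failure from the text: a $500K control against a $50K expected loss.
    print("Over-investment justified:", TreatmentDecision(50_000, 0, 500_000).cost_justified)
```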
Worked Example: Building a Mitigation Plan for a Cyber Risk
| Component | Content | Output |
| --- | --- | --- |
| 1. Context | Annual enterprise risk assessment (March 2025). Scope: all business units globally. Cyber risk appetite threshold: residual score must not exceed 12 on 25-point matrix. Scoring: 5×5 matrix (likelihood x impact). Assessment identified 65 risks across all categories; 12 exceed appetite thresholds. | Context summary document establishing the assessment parameters and the cyber risk appetite at 12. |
| 2. Risk Inventory | Risk CYB-003: “Ransomware attack exploiting unpatched critical vulnerability in customer-facing web application [Cause] leads to encryption of production database and exfiltration of 500K customer records [Event], resulting in $4.8M average breach cost, 72-hour service outage, and regulatory investigation [Consequence].” Inherent: L5 x I5 = 25. Current controls: endpoint detection (reduces L to 4), daily backups (reduces I to 4). Residual: L4 x I4 = 16. Appetite: 12. Gap: 4 points. Priority: #3 of 12 risks above appetite. | Risk register entry CYB-003 with full scoring, current controls, and gap-to-appetite calculation. |
| 3. Treatment Selection | Option A: Reduce likelihood by deploying automated patch management (reduces unpatched window from 30 days to 48 hours). Reduces L from 4 to 2. Option B: Reduce consequence by deploying network segmentation (isolates customer database from general network). Reduces I from 4 to 3. Option C: Transfer by purchasing cyber insurance ($10M policy, $250K annual premium). Selected: A + B + C (combination). EMV before: 0.60 x $4.8M = $2.88M/yr. EMV after: 0.10 x $2.4M = $240K/yr. Reduction: $2.64M/yr. Total treatment cost: $380K/yr. Benefit-cost ratio: 6.9x. | Treatment selection document: three treatments selected with EMV analysis showing 6.9x benefit-cost ratio. Expected residual: L2 x I3 = 6 (within appetite of 12). |
| 4. Action Plans | Action 4a: Deploy automated patch management across all customer-facing systems. Owner: CISO. Budget: $180K implementation + $60K/yr. Start: April 1. Complete: June 30. Success: 95% of critical patches applied within 48 hours. Action 4b: Implement network segmentation for customer database tier. Owner: VP Infrastructure. Budget: $250K implementation + $30K/yr. Start: April 15. Complete: August 31. Success: customer database isolated; penetration test confirms no lateral movement path. Action 4c: Purchase cyber insurance. Owner: Risk Manager. Budget: $250K annual premium. Start: April 1. Complete: April 30 (policy binding). Success: $10M policy with ransomware and breach coverage confirmed. | Three SMART action plans with owners, budgets, timelines, dependencies, and success criteria. |
| 5. Resources | Total Year 1 cost: $180K + $250K + $250K + $60K + $30K = $770K. Personnel: 2 FTE-months (IT security), 1 FTE-month (infrastructure), 0.5 FTE-months (risk management). Technology: patch management platform license, network segmentation hardware/software. External: insurance broker, penetration testing vendor. Funding: approved from IT security budget ($430K) and risk management budget ($340K). | Resource allocation table showing total cost, personnel, technology, and external requirements with funding sources. |
| 6. Timeline | April: Patch management procurement + insurance binding. May-June: Patch management deployment and testing. April-July: Network segmentation design and build. August: Network segmentation testing and go-live. September: Post-implementation penetration test. October: First quarterly review of treatment effectiveness. | Milestone timeline with dependencies (segmentation testing depends on patch management completion to avoid change conflicts). |
| 7. KRIs | KRI-1: % of critical vulnerabilities patched within 48 hours (target: 95%; Amber: 85-95%; Red: <85%). KRI-2: Number of unpatched critical vulnerabilities on customer-facing systems (target: 0; Amber: 1-3; Red: >3). KRI-3: Mean time to detect (MTTD) for ransomware indicators (target: <1 hour; Amber: 1-4 hours; Red: >4 hours). KRI-4: Cyber insurance policy status (target: active with no exclusions triggered). | KRI dashboard entries for CYB-003 with RAG thresholds and monitoring frequencies. |
| 8. Review | Quarterly review: October 2025, January 2026, April 2026. Annual reassessment: March 2026. Interim trigger: any cyber incident affecting customer-facing systems triggers immediate plan review. Reviewer: CISO presents to risk committee. Board reporting: quarterly via the enterprise risk report. | Review schedule with responsible parties and interim triggers defined. |
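The KRI-1 to KRI-4 thresholds from component 7, evaluated in code as an added example that is not the article's own: it classifies one monitoring cycle's readings as Green, Amber or Red and decides whether an interim plan review is needed. Assumptions not in the article: a reading exactly on a limit takes the better status, a Red KRI also forces a plan review, and the readings are constructed.

```python
"""RAG evaluation of the worked example's CYB-003 KRIs (added example, not from the article).

Each KRI carries the target (Green) and Amber limits published for CYB-003; the
direction flag records whether higher or lower readings are better. Assumptions
made here: a reading exactly on a limit takes the better status, and any Red KRI
(in addition to the article's interim trigger, a cyber incident on customer-facing
systems) flags the treatment plan for re-evaluation. Readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Kri:
    kri_id: str
    description: str
    higher_is_better: bool
    green_limit: float  # readings at least this good are Green
    amber_limit: float  # readings at least this good (but not Green) are Amber; worse is Red

    def status(self, reading: float) -> str:
        """Classify one reading as Green, Amber or Red."""
        if self.higher_is_better:
            if reading >= self.green_limit:
                return "Green"
            return "Amber" if reading >= self.amber_limit else "Red"
        if reading <= self.green_limit:
            return "Green"
        return "Amber" if reading <= self.amber_limit else "Red"


# Thresholds as published for CYB-003 (KRI-4 is a policy status, handled below).
CYB_003_KRIS = {
    "KRI-1": Kri("KRI-1", "% of critical vulnerabilities patched within 48 hours",
                 higher_is_better=True, green_limit=95.0, amber_limit=85.0),
    "KRI-2": Kri("KRI-2", "Unpatched critical vulnerabilities on customer-facing systems",
                 higher_is_better=False, green_limit=0, amber_limit=3),
    "KRI-3": Kri("KRI-3", "Mean time to detect ransomware indicators (hours)",
                 higher_is_better=False, green_limit=1.0, amber_limit=4.0),
}


def policy_status(active: bool, exclusions_triggered: bool) -> str:
    """KRI-4: Green only while the policy is active with no exclusions triggered."""
    return "Green" if active and not exclusions_triggered else "Red"


def evaluate_kris(readings: Dict[str, float], policy_active: bool,
                  exclusions_triggered: bool) -> Dict[str, str]:
    """Return the RAG status of every CYB-003 KRI for one monitoring cycle."""
    statuses = {kid: kri.status(readings[kid]) for kid, kri in CYB_003_KRIS.items()}
    statuses["KRI-4"] = policy_status(policy_active, exclusions_triggered)
    return statuses


def plan_review_required(statuses: Dict[str, str], incident_on_customer_facing: bool) -> bool:
    """Interim review trigger: the article's incident trigger, plus (assumed) any Red KRI."""
    return incident_on_customer_facing or "Red" in statuses.values()


if __name__ == "__main__":
    # Constructed monitoring cycle: patching slipped to 92%, five criticals still open.
    cycle = evaluate_kris({"KRI-1": 92.0, "KRI-2": 5, "KRI-3": 0.5},
                          policy_active=True, exclusions_triggered=False)
    for kid, status in cycle.items():
        print(f"{kid}: {status}")
    print("Plan review required:",
          plan_review_required(cycle, incident_on_customer_facing=False))
```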
Control Types for Risk Reduction
When the selected treatment is “Reduce,” the mitigation plan must specify the type of control being implemented. ISO 31000 defines a control as “a measure that modifies risk.” Controls fall into three categories based on when they act in relation to the risk event.
| Control Type | When It Acts | What It Does | Examples |
| --- | --- | --- | --- |
| Preventive | Before the risk event occurs. | Reduces the likelihood of the risk event by blocking or deterring the causal factors. Addresses root causes. | Access controls (authentication, authorization). Segregation of duties. Input validation. Training programs. Pre-approval workflows. Physical barriers. Policy enforcement. |
| Detective | During or immediately after the risk event occurs. | Identifies that a risk event has occurred or is occurring. Enables rapid response to contain the consequences. Does not prevent the event. | Monitoring systems (SIEM, IDS/IPS). Reconciliation processes. Exception reporting. Audit trails. Anomaly detection algorithms. Surveillance systems. Whistleblower hotlines. |
| Corrective (Recovery) | After the risk event has occurred. | Restores operations and reduces the long-term impact of the risk event. Prevents recurrence through root cause remediation. | Business continuity plans. Disaster recovery procedures. Incident response playbooks. Root cause analysis processes. Corrective action plans. Insurance claims. Legal remediation. |
A robust mitigation plan deploys controls from all three categories in a layered defense. Preventive controls reduce the probability of the event. Detective controls reduce the time to identify the event (limiting damage accumulation).
Corrective controls reduce the duration and severity of the impact. The bow-tie analysis technique visualizes this layering: preventive controls appear on the left side of the bow-tie (between causes and the event), detective controls appear at the event node, and corrective controls appear on the right side (between the event and consequences).
Aligning the Mitigation Plan to ISO 31000 and COSO ERM
| Plan Component | ISO 31000:2018 Clause | COSO ERM 2017 Principle |
| --- | --- | --- |
| 1. Context Summary | Clause 6.3: Scope, Context, and Criteria. The organization defines the context within which risk treatment decisions are made. | Principle 6: Analyzes business context. Principle 7: Defines risk appetite. |
| 2. Risk Inventory | Clause 6.4: Risk Assessment (identification, analysis, evaluation results). | Principle 10: Identifies risk. Principle 11: Assesses severity. Principle 12: Prioritizes risks. |
| 3. Treatment Selection | Clause 6.5.1: Selecting treatment options involves balancing potential benefits against costs and efforts. | Principle 13: Implements risk responses (accept, avoid, pursue, reduce, share). |
| 4. Action Plans | Clause 6.5.2: Preparing and implementing risk treatment plans that explain the rationale, describe proposed actions, assign responsibilities, and set timelines. | Principle 13: Implementation requires specific actions, owners, and measurable outcomes. |
| 5. Resource Allocation | Clause 5.4.4: The framework component requires allocation of appropriate resources for managing risk. | Principle 5: Attracts, develops, and retains capable individuals. Governance includes resource allocation. |
| 6. Timeline | Clause 6.5.2: Treatment plans must include a timeline for completion of actions and performance measures. | Principle 13: Risk responses must have defined implementation timelines. |
| 7. KRI Framework | Clause 6.6: Monitoring and review should be a planned part of the risk treatment process to ensure treatments remain effective. | Principle 16: Reviews risk and performance. Principle 14: Develops portfolio view for ongoing monitoring. |
| 8. Review Schedule | Clause 6.6: The organization determines when and how monitoring/review occurs, including frequency and responsibility. | Principle 17: Pursues improvement in ERM through continuous review and maturity assessment. |
Putting the plan into action requires a 90-day roadmap with clear ownership, budget approval, and KRI monitoring. Treat the plan as a living system: review it monthly, update it quarterly, and reassess it annually so it evolves with the threat landscape.

Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1-30: Plan Design | Review risk assessment results and identify all risks above appetite. Rank risks by gap-to-appetite. Select treatment options for each risk using the cost-benefit framework. Draft action plans with SMART criteria. Assign owners. Aggregate resource requirements. Build the implementation timeline. | Draft risk mitigation plan (all 8 components). EMV analysis for top 10 risks. SMART action plans for all risks above appetite. Resource allocation summary. Implementation timeline with milestones. | All risks above appetite have treatment options selected. EMV analysis completed for top 10. Action plans meet SMART criteria (owner, budget, timeline confirmed). Total resource demand within capacity. |
| Days 31-60: Approve and Launch | Present the mitigation plan to the risk committee for review. Incorporate feedback. Obtain budget approval for treatment investments. Launch the first wave of treatment implementations (highest-priority risks). Establish KRI monitoring for treated risks. Brief treatment owners on their responsibilities and reporting requirements. | Approved risk mitigation plan. Budget allocation confirmed. First-wave treatments commenced. KRI monitoring active for top 10 risks. Owner briefing sessions completed. | Risk committee approves the plan. Budget allocated by finance. At least 3 treatment actions commenced. KRI baselines established. All owners confirmed understanding of responsibilities. |
| Days 61-90: Monitor and Report | Track implementation progress against the timeline. Produce the first monthly treatment progress report. Identify and resolve implementation blockers. Complete the first KRI monitoring cycle. Prepare the first quarterly board risk report showing treatment progress and residual risk trajectory. | Monthly treatment progress report. First KRI monitoring results. Blocker resolution log. First quarterly board risk report including treatment progress, residual risk trajectory, and any re-prioritization recommendations. | Monthly report delivered on schedule. At least 50% of Day 1-90 milestones achieved. KRI monitoring producing data for all treated risks. Board report delivered with treatment progress section. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Treatment actions say “improve controls” without specificity | Risk owners do not know what specific controls to implement. The plan uses vague language because the treatment design work was deferred. | Require five mandatory fields for every action: owner, specific action description, budget, target date, expected residual risk. Reject plans missing any field. |
| All risks treated with the same strategy (default to Reduce) | The treatment selection process does not consider alternatives. Avoid, Share, and Accept are not evaluated because the culture defaults to “add more controls.” | Mandate that the treatment selection rationale documents all four options and explains why the selected option was chosen. Include the EMV analysis to justify the decision quantitatively. |
| Treatment cost exceeds risk reduction benefit | No cost-benefit analysis was performed. A $500K control was approved to mitigate a $50K annual expected loss because “it’s the right thing to do.” | Require EMV analysis for all treatments costing >$50K. The benefit-cost ratio must exceed 1.0 for approval. Exceptions require risk committee justification. |
| Mitigation plan exists but nobody monitors implementation | The plan was approved and filed. No follow-up mechanism tracks whether actions were completed, on time, and effective. | Establish monthly treatment progress reports to the CRO. Include treatment status in the quarterly board risk report. Link treatment completion to risk owner performance objectives. |
| New risks introduced by treatments are not assessed | A new technology control reduces one risk but creates a new dependency risk (vendor lock-in, system complexity, single point of failure). | ISO 31000 Clause 6.5 requires assessment of whether treatments introduce new risks. Add a “secondary risk assessment” field to every action plan. Identify and score any new risks the treatment creates. |
| Accepted risks are forgotten rather than monitored | Risks classified as Accept (within appetite) are removed from active management. When conditions change and these risks escalate, the organization is unprepared. | Maintain accepted risks in the register with quarterly KRI monitoring. Define escalation triggers that reclassify an accepted risk to “treat” if KRIs breach amber or red thresholds. |
Looking Ahead: Risk Mitigation Trends 2025-2027
AI-assisted treatment optimization is emerging. Machine learning models can now analyze historical incident data, control effectiveness metrics, and cost data to recommend the most cost-effective treatment combination for a given risk profile.
These tools do not replace human judgment, but they reduce the analytical burden of EMV calculations across hundreds of risks and accelerate the cost-benefit analysis that drives treatment selection.
Continuous control monitoring is replacing periodic control testing. Instead of testing control effectiveness quarterly or annually, organizations deploy automated monitoring that verifies controls in real time.
A patch management control is monitored by a dashboard that shows patching compliance hourly, not by an annual audit that samples 25 systems. This shift means mitigation plan effectiveness is measured continuously rather than at discrete review points, enabling faster correction when treatments underperform.
Resilience-based mitigation is gaining traction alongside prevention-based mitigation. Recognizing that some risks cannot be prevented (zero-day cyber attacks, pandemics, geopolitical shocks), organizations are investing more heavily in corrective and recovery controls.
Business continuity plans, incident response playbooks, and crisis communication protocols are becoming standard components of mitigation plans rather than separate documents. The COSO ERM framework’s emphasis on integrating risk with strategy means mitigation plans now address not just “how do we prevent this” but “how do we survive and recover when prevention fails.”
The organizations that build mitigation plans covering both prevention and resilience will outperform those that bet everything on keeping bad things from happening.
Ready to build a risk mitigation plan? Visit riskpublishing.com to access risk register templates, risk management technique guides, and KRI dashboard resources. Need a facilitated risk treatment workshop? Contact our consulting team to design a mitigation plan aligned to ISO 31000 and calibrated to your risk appetite.
References
1. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
2. COSO ERM: Integrating with Strategy and Performance (2017) — Committee of Sponsoring Organizations
3. ISO 31000: Developing Your Risk Treatment Strategy — Ideagen
4. ISO 31000 Risk Management Framework Complete Guide — Protecht Group
5. ISO 31000 Framework Explained — MetricStream
6. The Basics of ISO 31000 Risk Management — Riskonnect
7. What Is ISO 31000? Effective Risk Management Strategy — UpGuard
8. ISO 31000 Explained: Risk Management for Modern Organizations — Pacific Certifications
9. ISO 31000 Risk Management Guide — RDR Global Partners
10. ISO 31000 Risk Management Principles — PECB
11. ISO 31000 VelocityEHS Guide — VelocityEHS
12. The State of Enterprise Risk Management, 2025 — Forrester Research
13. 2025 KPMG Risk and Resilience Survey — KPMG International
14. IEC 31010: Risk Assessment Techniques — International Electrotechnical Commission / ISO

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.