What is the difference between Risk Treatment Plans and a Risk Registry?
Mark E.S. Bernard, CISO, CIO, PSCO, PM, Architect, Chairman
Building Sustainable & Resilient Cybersecurity Programs in America, Canada, EMEA, APAC, LATAM
This presentation reviews the differences between the Risk Treatment Plan and the Risk Registry. We begin by reviewing the Risk Universe and the COSO Enterprise Risk Management domains. Within the Risk Universe, we walk through the risks that affect the organization's ability to deliver products and services. That delivery depends on how well the organization manages the risks to six primary categories of assets: people, information, software, hardware, telecommunications, and facilities.
We then review the Risk Assessment Waterfall, discussing each step, how the steps relate to one another, and how they fit into the overall process. The Risk Assessment steps are as follows: defining the scope of the risk assessment, identifying the assets in scope, vulnerability analysis, impact analysis, threat analysis, control analysis, risk rating calculation for ranking and prioritization, governance reporting, and risk treatment.
The output of the Risk Assessment feeds the Risk Treatment Plan (RTP). We spend some time explaining which data fields are populated in the RTP and how Risk Owners use these data points. The RTP is used to make risk acceptance, risk avoidance, and risk treatment decisions, and to track and monitor risk treatment plans until they are successfully completed. Once the RTP action plan has been completed, it is validated and closed.
Next, we turn to the Risk Registry (RR) and how Enterprise Risk Management uses this document to track enterprise risks. RR risks may change, but unlike RTP risks, RR risks never go away. We revisit the Risk Universe and focus on eight critical points that shape strategic risk thinking and decision making. Once that is complete, we review the Risk Registry data fields and discuss how they relate to each other. We also discuss how the Executive Team and Board of Directors use the RR data points to identify trigger points and preapproved rapid-response action plans for ERM threats.
Finally, we conclude with a review of Quality Management's Corrective and Preventive Action Plan (CAPA). This is a useful document for recording action plans, governance of accountability for ownership, risk management of treatment activities, objective and independent validation and verification, and testing of successful risk remediation activities.
Reference link: https://youtu.be/jhcwr4a0SXE
AI Training Data | NLP | Prompt Engineering | Multilingual Speech-to-Text Transcription | Chatbot | Conversational AI | Machine translation | Human in the loop AI integration
1 year ago: Mark, thanks for sharing!