23. POAMs and Other Risk Treatment Documentation
ND545 C4 L3 12 POAMs And Other Risk Treatment Documentation Walkthrough
Once you have performed a risk assessment, built your risk registers, and made decisions about risk treatment, you must turn those decisions into planned remediation activities. Recall that risk treatment only gives the organization a strategic position on each risk: do you plan to accept it, avoid it, mitigate it, or transfer it? If you plan to accept the risk, you can record that in your risk register, along with who accepted it and why, so the acceptance can be revisited when the risk or the business changes. If you plan to do anything else, you must write down how you will do it.
In some organizations these documents are called remediation plans, plans of action and milestones (POA&Ms), or corrective action plans. As a note, POA&M originated as a US federal term (it is the tracking document required of agencies under FISMA and the NIST Risk Management Framework) and is more closely related to what we described above as a risk register. In federal usage, the individual action plans are called corrective action plans and are tracked within the POA&M. In private organizations the two terms have been conflated somewhat, and "POA&M" is often used to mean the corrective action plan itself.
Regardless of what they are called, the plans should state specifically how you intend to treat the risk, who owns the work, what resources it requires, the anticipated milestones, and the target completion date for each milestone. Tracking status against those dates is what lets you show, at the next assessment, that the risk is actually being reduced rather than merely documented.