Skip to content
GRC ComplexitiesField guide

Propose a Risk Treatment Leadership Can Actually Read

Turn your risk register into a leadership proposal — translate risk data into treatment options, cite evidence behind each risk, and review before it goes up.

TT
Truvara Team
July 12, 2026
5 min read

The risk register holds everything: likelihood scores, control mappings, evidence links, residual risk ratings. It also holds far more detail than any executive will read before a decision meeting. The gap is not in the data — it is in the translation from a technical risk record into a treatment proposal designed for a decision.

What Leadership Needs to Decide

Leadership does not need to see every control mapped to every risk. They need three things: what changed, what it means, and what they are being asked to approve.

Decision needWhat it meansWhat to provide
What changedNew risks, escalated scores, expired treatmentsRisk summary — before and after
What it meansBusiness impact if untreatedImpact narrative in business terms
What they decideAccept, mitigate, transfer, or avoidTreatment options with recommended path

A treatment proposal that opens with a risk score table and control mapping buries the decision. One that opens with the change narrative, the business impact, and the treatment options places the decision where leadership expects it — first.

From Risk Register to a Readable Treatment

A risk register entry typically contains: risk ID, description, inherent likelihood and impact, control list, residual score, treatment owner, and treatment due date. That is the right structure for tracking. It is the wrong structure for a decision.

To convert a register entry into a treatment proposal, reshape the information:

  1. State the risk in business terms — "Third-party data processor has no contractual breach-notification clause" rather than "TPR-042: Vendor RM-03"
  2. Explain what changed — "Acquired last quarter; was not in scope for the annual vendor assessment"
  3. Show the current status — Risk score, affected systems, relevant framework criteria
  4. Present treatment options — For each option: what it involves, what it changes about the risk, the effort required
  5. Recommend a path — The treatment team's recommendation, with rationale

The difference is audience. The register is for the risk owner. The treatment proposal is for the decision-maker. The same data, reorganised and narrated, serves both without duplicating work.

Citing the Evidence Behind Each Risk

A risk treatment proposal is only as credible as the evidence behind each risk score. Leadership needs to know that the "high" rating on a vendor risk is supported by more than a compliance analyst's judgment — it should trace to:

  • Assessment findings — the vendor assessment that identified the gap
  • Incident records — any prior events related to the risk
  • Control evidence — which controls mitigate the risk and whether they operated effectively
  • Framework mappings — which criteria or controls the risk affects

Each risk in the proposal should carry a citation line: the evidence artifact, the control it supports, and the date it was collected. This does not mean the proposal reproduces the evidence. It means the proposal references it, so leadership can ask for the supporting detail if needed.

Review Before It Goes Up

A treatment proposal that reaches leadership with an error — wrong risk score, miscited evidence, missing option — loses credibility before the discussion starts. The review step is the safety net between the risk register and the boardroom.

The internal review checks:

  • Accuracy — do the risk scores match the register?
  • Completeness — are all treatment options presented, or was an option omitted?
  • Evidence support — does each cited artifact exist and support the claim?
  • Format — is the proposal readable at a glance?

The review is also the last chance to catch risks that have no treatment path. A risk with "no treatment identified yet" should be presented honestly as a monitoring item rather than omitted from the proposal. Leadership can decide to accept the monitoring period or assign resources to close the gap.

FAQ

How much detail does leadership actually need?

Enough to decide, not enough to audit. The proposal should state the risk, the business impact, and the treatment options — typically one page per risk. Supporting evidence (control logs, assessment reports, incident records) should be referenced, not reproduced. If leadership asks for details, they are in the appendix.

What if a risk has no treatment plan yet?

Present it honestly as a monitored risk with no current treatment. Leadership's options are to accept the monitoring period, assign resources to develop a treatment, or accept the risk as-is. Omitting the risk from the proposal because the treatment is not ready creates a blind spot.

How do I handle residual risk sign-off?

Residual risk sign-off is a leadership decision, documented as an acceptance record. The proposal should state the residual risk score after each treatment option and recommend which level of residual risk is acceptable. The sign-off itself is a separate artifact — the acceptance record, dated and signed.

What format should the proposal be in?

A format leadership already reads — DOCX for review with tracked changes, PDF for the final version, or a slide deck for discussion. The content matters more than the format. A well-structured DOCX with a summary page and risk-by-risk detail works better than a crowded slide deck that tries to fit every risk on one page.


A risk register holds the data, but leadership needs a decision-ready proposal. In Compass by Truvara, the agent drafts a risk-treatment plan from the register — each risk stated in business terms, treatment options presented, evidence cited — and proposes it as a pending change. The treatment decision and acceptance stay with leadership. Join the waitlist.


TT

Truvara Team

Truvara