GOV-007 Risk Treatment and Remediation Tracking
Description
Identified risks and control deficiencies have documented treatment plans with owners, target remediation dates, and current status. Progress against open findings is tracked and reported to management at defined intervals.
Rationale
Identifying and assessing risk has limited value unless treatment actions are assigned, tracked, and completed. A plan-of-action process closes the loop between assessment outputs and control improvement.
Framework Mappings (5)
| Framework control | Title | Mapping |
|---|---|---|
| A&A-06 | Remediation | full |
| CA-5 | Plan of Action and Milestones | partial |
| PM-4 | Plan of Action and Milestones Process | full |
| RA-7 | Risk Response | full |
| CC4.2 | COSO Principle 17: Evaluates and Communicates Deficiencies | partial |
Evidence (2)
Plan of action and milestones (POA&M) or remediation tracker documenting open risk findings with owners, target dates, and current status.
Example: POA&M or remediation tracker (Jira board, GRC platform, or spreadsheet), showing each open finding from risk assessments or audits with: finding ID, description, assigned owner, target remediation date, current status, and management-reported aging.
Test: Request the current remediation tracker or POA&M. Verify: (1) findings from the most recent risk assessment and audit are present, (2) each finding has a named owner, (3) target remediation dates are set, and items not yet past their date are on track or have documented extensions, (4) the tracker is reviewed and reported to management; confirm this via meeting minutes or a status report referencing open items.
Management-level report on remediation progress showing aging, closure rates, and overdue items.
Example: Monthly or quarterly remediation status report (Confluence / GRC dashboard) submitted to the CISO or equivalent, listing total open findings, overdue items, and items closed in the reporting period.
Test: Request the last two remediation status reports. Verify: (1) reports were produced within the defined cadence, (2) open, overdue, and closed finding counts are present, (3) overdue items have documented extensions or escalations, (4) reports are addressed to or acknowledged by a named manager.
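One way to automate the per-finding checks and the report figures described in the two evidence tests above, as an added example that is not part of this control catalog: the script runs the owner, target-date and overdue checks over a constructed tracker and computes the open, overdue, closed-in-period, aging and closure-rate counts a management report needs. The field names (`opened`, `extension`, `closed_on`) and the sample rows are assumptions, not a real POA&M.

```python
from datetime import date

# Constructed sample tracker (not a real POA&M). Each row carries the fields the
# evidence description calls for, plus the opened date (for aging), any
# documented extension date, and the closure date for closed findings.
TRACKER = [
    {"id": "F-001", "desc": "MFA not enforced on VPN", "owner": "J. Doe",
     "opened": "2024-01-10", "target": "2024-03-31", "status": "open"},
    {"id": "F-002", "desc": "Stale admin accounts", "owner": "",
     "opened": "2024-02-01", "target": "2024-04-15", "status": "open"},
    {"id": "F-003", "desc": "Unpatched web server", "owner": "A. Lee",
     "opened": "2024-02-20", "target": "2024-03-15", "status": "open",
     "extension": "2024-05-15"},
    {"id": "F-004", "desc": "Backup restore untested", "owner": "R. Kim",
     "opened": "2024-01-05", "target": "2024-02-28", "status": "closed",
     "closed_on": "2024-03-20"},
    {"id": "F-005", "desc": "No log retention policy", "owner": "A. Lee",
     "opened": "2024-03-01", "target": None, "status": "open"},
]

def review_tracker(rows, today_iso, period_start_iso):
    """Apply the per-finding evidence tests and compute the figures a
    management report needs: open, overdue, closed in period, aging, closure rate."""
    today, period_start = date.fromisoformat(today_iso), date.fromisoformat(period_start_iso)
    issues = []  # (finding ID, failed check)
    open_count = overdue = closed_in_period = 0
    ages = []
    for r in rows:
        if not r.get("owner"):
            issues.append((r["id"], "no named owner"))
        if r["status"] == "closed":
            closed_in_period += date.fromisoformat(r["closed_on"]) >= period_start
            continue
        open_count += 1
        ages.append((today - date.fromisoformat(r["opened"])).days)
        if not r.get("target"):
            issues.append((r["id"], "no target remediation date"))
            continue
        # A documented extension replaces the original target date.
        if date.fromisoformat(r.get("extension") or r["target"]) < today:
            overdue += 1
            issues.append((r["id"], "past due with no current extension"))
    total = open_count + closed_in_period
    return {
        "open": open_count, "overdue": overdue, "closed_in_period": closed_in_period,
        "max_age_days": max(ages, default=0),
        "closure_rate": round(closed_in_period / total, 2) if total else 0.0,
        "issues": issues,
    }
```

Running `review_tracker(TRACKER, "2024-04-01", "2024-03-01")` flags F-001 as past due, F-002 as lacking an owner and F-005 as lacking a target date, alongside the counts for the reporting period.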
Questions (2)
Does your organization maintain a tracked plan of action for open risk findings and control deficiencies, with named owners and target remediation dates?
This may be a plan of action and milestones (POA&M), a remediation tracker, or equivalent — findings from risk assessments and audits should appear in it with current status.
How often is remediation progress against open risk findings reported to management?
Regular management-level reporting (monthly or quarterly) with aging, closure rates, and overdue items is the expected practice.