Risk Treatment for IT Compliance
After a risk is scored, your team picks a strategy for handling it, such as mitigating the threat, accepting it, transferring it to a third party, or avoiding the activity that creates it. Each strategy can be associated with an Action Plan Template that turns the decision into a concrete set of tasks.
| Required Editions |
| --- |
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
When a risk is identified and scored, your organization must make a strategic decision on how to handle it. To accelerate this remediation phase, Agentforce IT Service provides four out-of-the-box Action Plan Templates categorized under the "Compliance" plan type.
These templates correspond to standard industry risk treatment strategies. When attached to a risk record, they automatically generate the specific baseline tasks your IT team needs to execute that strategy.
Mitigate (or Reduce) Risk
Use this template when you need to actively lower the threat's likelihood or impact to an acceptable level.
- When to use: The risk score is too high to ignore, but the underlying IT asset or business process is essential.
- What it does: Generates tasks focused on control identification and mapping. It prompts your team to either link existing safeguards from your Control Library to the risk or design and implement new protective measures (like deploying new security software or updating an incident response plan).
- Generated tasks:
  - Identify and link existing controls from the Control Library to the risk.
  - Design and implement new protective controls or technical safeguards.
  - Update related incident response procedures.
  - Schedule a follow-up evaluation to verify control effectiveness.
Accept Risk
Use this template when the cost or effort of mitigating the risk outweighs the potential damage of the threat itself.
- When to use: The risk has a very low residual score, or leadership formally acknowledges the vulnerability and accepts the potential consequences.
- What it does: Generates tasks focused on documentation and continuous monitoring rather than active remediation. It ensures the risk is officially acknowledged, a rationale is recorded, and a future review date is set.
- Generated tasks:
  - Document the rationale for accepting the risk.
  - Capture formal sign-off from leadership.
  - Set the next review date for the accepted risk.
  - Monitor for changes that could shift the risk posture.
Transfer Risk
Use this template when your organization wants to shift the financial or operational impact of the risk to a third party.
- When to use: You cannot fully mitigate the risk internally, but you can protect the business from the fallout.
- What it does: Generates tasks focused on external vendor management or legal safeguards, such as purchasing specialized cyber liability insurance or outsourcing the vulnerable IT process to a certified third-party vendor.
Avoid Risk
Use this template when a threat is simply too severe to accept, and it cannot be adequately mitigated or transferred.
- When to use: The vulnerability poses a critical, unacceptable danger to the organization.
- What it does: Generates tasks focused on completely discontinuing the activity that creates the risk. This might involve retiring a legacy server, decommissioning an outdated application, or halting a specific business process entirely.
- Create a Risk Treatment Plan for IT Compliance
Decide how your team will respond to a risk and put a plan in motion. Create a treatment plan to attach an Action Plan Template, kicking off the tasks your team needs to mitigate, accept, transfer, or avoid the risk.

