Risk Acceptance

What is Risk Acceptance?

Risk acceptance is a decision to accept risk instead of eliminating, avoiding, or mitigating it. Accepting the recognized risk without taking any mitigation measures usually means that the risk is within the risk tolerance level of the organization. When accepting risk, your organization should be prepared to live with the consequences.

When studying the concept of risk acceptance, two concepts need to be defined: tolerability and acceptability. 

Tolerability refers to the willingness to live with a risk in order to secure certain benefits, so long as the risk is adequately controlled. In this sense, tolerating a risk means that we do not consider it insignificant or something we could or should ignore, but rather something we keep under review and reduce further if we can.

Acceptability, on the other hand, means that for the business values and missions as they stand, we are prepared to take and accept the risk as is.

Risks are accepted in these two scenarios:

Risk Acceptance vs. Risk Avoidance

Risk avoidance is the approach taken when mitigating or eliminating a risk is too costly or impractical, yet the risk is too severe to be accepted. In such a case, the organization takes steps to eliminate the possibility of the risk occurring at all, typically by not engaging in the activity that gives rise to it.

A simple example would be an organization declining to open a branch in a war zone because of the significant risks involved. Avoidance has the disadvantage of forgoing the opportunities that come with the risk-bearing activity; in some cases, however, it is the best business choice.

Risk acceptance is on the opposite side of the risk management spectrum. With risk acceptance, organizations will continue to operate despite the inherent risks. As we mentioned earlier, accepted risks are usually within the risk appetite and tolerance level of the business, at least for the short term.

4 Ways to Handle Risk

Risk management strategies generally use these common practices to deal with risks of various severities:

  • Avoid the risk by eliminating any vulnerable activities
  • Mitigate the risk by implementing security controls
  • Transfer the risk to an external party, e.g. through insurance
  • Accept the risk

Critical and high risk factors should rarely be accepted, and they are usually not well suited to avoidance or transfer without significant changes to business operations. That leaves mitigation as the most likely choice for high-severity risks.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days


What are Residual Risks?

Residual risk is the risk that remains even after mitigation and controls have been implemented. 

When it comes to risk management, at some point the question of “When do we stop?” is going to be asked. Risk can never be fully eliminated, and residual risk will always be present. 

The point at which we stop mitigation efforts is defined by risk acceptance criteria: the thresholds used as the basis for deciding which risks are acceptable and for justifying those decisions. Residual risk is what remains in a given context once the relevant measures are in place, that is, the risk that persists under the current controls.

Are Residual Risks Always Accepted?

Residual risks are not automatically accepted risks. Once a mitigation plan has been defined, the residual risk is recalculated, since the purpose of introducing controls is to eliminate or reduce the identified risk. If the residual risk falls within the acceptance criteria thanks to the adopted corrective actions, it becomes an accepted risk. If it is still above the threshold, the problem must be reassessed and further measures to lower the risk must be introduced.

This does not mean, however, that an accepted risk will stay accepted in later iterations of the risk management life cycle. Within the recurring phases and activities of the risk management process, the severity of accepted risks is re-measured over time. If new assumptions are made or changing technical conditions are identified, previously accepted risks need to be reconsidered.

How Does Centraleyes Deal with Risk Acceptance?

Centraleyes aligns your risk management process with your compliance processes, making it easy to accept low-priority risks and focus mitigation controls on your most pressing risks.

On the Centraleyes platform, your organization can easily build a risk register and prioritize risks according to your risk exposure. You can click on a given risk, see what it is composed of, and simply press the "Accept" button for any risk factor that you wish to tolerate or accept.

Once the risk is accepted, its impact is excluded from the asset, group, and risk score calculations. 

Want to see it in action? Schedule a demo right here.
