
Risk Acceptance (optional process)

Acceptance of residual risks that result from Risk Treatment has to take place at the level of the executive management of the organization (see definitions in Risk Management Process). To this extent, Risk Acceptance concerns the communication of residual risks to the decision makers.
Once accepted, residual risks are considered as risks that the management of the organization knowingly takes. The level and extent of accepted risks comprise one of the major parameters of the Risk Management process. In other words, the higher the accepted residual risks, the less the work involved in managing risks (and inversely).
This does not mean, however, that once accepted the risks will not change in forthcoming repetitions of the Risk Management life-cycle. Within the recurring phases and activities of the Risk Management processes (and in particular Risk Treatment as well as Monitor and Review) the severity of these risks will be measured over time. In the event that new assertions are made or changing technical conditions are identified, risks that have been accepted need to be reconsidered.
Risk Acceptance is considered as being an optional process, positioned between Risk Treatment and Risk Communication. This process is seen as an optional one, because it can be covered by both Risk Treatment and Risk Communication processes. This can be achieved by communicating the outcome of Risk Treatment to the management of the organization. One reason for explicitly mentioning Risk Acceptance is the need to draw management's attention to this issue, which would otherwise merely be a communicative activity.
In the attached inventories, Risk Acceptance has been included in the assessment of methods and tools, as it might be a decision criterion for certain kinds of organizations (e.g. in the financial and insurance sector, in critical infrastructure protection etc.).
