7.Risk Acceptance Flashcards
Risk acceptance
Input
Risk treatment plan and residual risk assessment subject to the acceptance decision of the organization’s managers.
Action
The decision to accept the risks and responsibilities for the decision should be made and formally recorded.
Implementation guidance
Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria.
It is important for responsible managers to review and approve proposed risk treatment plans and resulting residual risks, and record any conditions associated with such approval.
Risk acceptance criteria can be more complex than just determining whether or not a residual risk falls above or below a single threshold.
In some cases, the level of residual risk does not meet risk acceptance criteria because the criteria being applied do not take into account prevailing circumstances. For example, it can be argued that it is necessary to accept risks because the benefits accompanying the risks are very attractive, or because the cost of risk modification is too high.
Such circumstances indicate that risk acceptance criteria are inadequate and should be revised if possible. However, it is not always possible to revise the risk acceptance criteria in a timely manner.
In such cases, decision-makers can accept risks that do not meet normal acceptance criteria. If this is necessary, the decision-maker should explicitly comment on the risks and include a justification for the decision to override normal risk acceptance criteria.
Output
A list of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria.
