Risk acceptance

It indicates the standard for evaluating the risk that is adopted by decision-makers. Some risks are accepted in case leaving the asset unprotected due to a specific risk is cheaper than making an effort to protect it.

This decision is not made out of ignorance, as all options are analyzed carefully before accepting the outcome. The most common criteria are the lower likelihood or low consequence where laws or regulations protect the data or resource, or there is no risk to human life or safety.

It is widely used and is not formally in ISO documents on risk management. Mitigating is one of the methods of lowering the threats to an acceptable level.

Any organization can respond to or treat it in any of the following ways –

• Acceptance

• Accordance

• Mitigation

• Transfer

For example - In any emergency, an organization might accept the risk associated with an unfiltered connection to external communication provided for a limited time and then avoid the risk by cutting the connection and applying security controls.

The regulators do not prefer such terms in the US and the UK. The AICE expressed its views and said risk tolerance is preferred over risk acceptance. 

Risk can be acceptable – which means not normally requiring further reduction; tolerable ( which means the threat is as low as reasonably practicable, taking costs and benefits into account) or unacceptable (higher risks need stringent control and are only permitted in exceptional circumstances).

Different levels of risks are determined by relating the term tolerance, justifiable and negligible. The higher level is unacceptable, and the lower is acceptable.

The applicable definition of risk is divided into four categories–

• Individual– The hazard posed to a single person.

• Societal – The danger to the group of people is often expressed regarding the frequency distribution of multiple causality events.

• Voluntary – It is tolerated by someone asking to obtain the benefits of an activity.

• Involuntary – The dangers imposed on someone who does not directly benefit from the activity.

Individual risk criteria – People are prepared to accept a wide range of perils depending on their perception and benefits from the activity. 

Sometimes people are exposed to situations with no or low control over such threats, and businesses need to set criteria to handle such involuntary sources. Public transportation like airports/air travel and railroads has predetermined criteria for handling such situations.

Safety is an important objective in society, but it is not the only one, and allocating resources to safety must be balanced with societal needs. 

Various government regulators have principles for risk acceptance criteria, and there is an international framework for liquidity risk measurement standards and monitoring.

Such factors depend on the legal framework of the society, and different legal frameworks may yield different criteria. A comparison of such regulations in the two European countries – the UK and the Netherlands is shown in legal and historical context.

There are also acceptance criteria for occupational accidents where companies with major industrial hazards must define the acceptance criteria for individual and societal risks.