Accepting Risk

What Does Accepting Risk Mean?

Accepting risk occurs when a business acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it. Also known as “risk retention”, it is an aspect of risk management commonly found in the business or investment fields. It posits that small risks — ones that do not have the ability to be catastrophic or otherwise too expensive — are worth accepting with the acknowledgement that any problems will be dealt with if and when they arise. Such a trade-off is a valuable tool in the process of prioritization and budgeting.

Risk acceptance, or risk retention, means accepting an identified risk and taking no further action to reduce it, because its impact and possible consequences are tolerable – we simply risk it.

Accepting Risk Explained

Risk acceptance is not really a mitigation strategy because accepting a risk does not reduce its effect. However, risk acceptance is a legitimate option in risk management. There are various reasons why companies may choose risk acceptance in certain situations. The most common reason is that the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. There is no benefit in spending $100,000 to avoid a $10,000 risk. In cases where the cost outweighs the benefit, most organizations choose to accept a risk rather than spend time or money mitigating it.

Accepting a risk is sometimes referred to as the “do nothing” option. This may be a familiar concept to those who know project management fundamentals. As you develop your strategies, you should consider the implications of “doing nothing.” This can be a way of ensuring that you’re taking appropriate actions, because if you consider the implications of accepting the risk, you can see the potential consequences and weigh them against other options.

Many businesses use risk management techniques to identify, assess and prioritize risks for the purpose of minimizing, monitoring, and controlling said risks. Most businesses and risk management personnel will find that they have greater and more numerous risks than they can manage, mitigate, or avoid given the resources they are allocated. As such, businesses must find a balance between the potential costs of an issue resulting from a known risk and the expense involved in avoiding or otherwise dealing with it. Types of risks include uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, and overly aggressive competition.

Accepting risk can be seen as a form of self-insurance. Any and all risks that are not accepted, transferred or avoided are said to be “retained.” Most examples of a business accepting a risk involve risks that are relatively small. But sometimes entities may accept a risk that would be so catastrophic that insuring against it is not feasible due to cost. In addition, any potential losses from a risk that are not covered by insurance, or that exceed the insured amount, are an example of accepting risk.

Risk Acceptance – Due to lack of execution

There are many risks that are defaulted to “do nothing” – not because of a conscious decision, but because after a risk has been identified, there is no plan for mitigation, or the execution of the plan is not scheduled. In a majority of the Threat & Risk Assessments, there is at least one risk identified for mitigation that is not scheduled and remains a risk for a year or more. Without a plan or schedule of execution, you have defaulted to the Risk Acceptance strategy.

Risk Acceptance – Due to lack of information

There are two reasons for this situation.

  • The risk or impacts are not communicated to the decision makers. Not communicating the risks may be because the risk is not known, but is often due to an unwillingness to share bad news.
  • The risk or impacts are unknown. If risks are not known, it is typically because a risk assessment was not done, was not sufficient, or the appropriate people were not included in the assessment and/or did not share information.

A quote I like is appropriate here – “Bad news does not get better with time.” An example of the lack of information: an IT Department told their business and management team that a recovery solution was in place and the technology could be recovered. In actuality, they had only done a proof of concept on the technology and there was only enough capacity to recover 1 or 2 applications.

Risk Acceptance – Conscious Decision

Accepting the risk is an appropriate choice in many cases. Often the impact of an event and/or the likelihood of occurrence do not justify the high cost of mitigation. Acceptance of risk does not mean that organizations are not prepared or that there are no actions to be taken. There may not be any technology or process changes, but insurance needs, changes to corporate or local policies, and changes to recovery plans and communication plans are all considerations that must be addressed.

When addressing risk mitigation, remember that Risk Acceptance is an option. “Do Nothing” can be the right solution. Due diligence should ensure that the decision is not based on a lack of information or execution, but rather on a conscious and carefully considered plan.

Some Alternatives to Accepting Risk

In addition to accepting risk, there are a few ways to approach and treat risk in risk management. They include:

  • Avoidance: This entails changing plans to eliminate a risk. This strategy is good for risks that could potentially have a significant impact on a business or project.
  • Transfer: Applicable to projects with multiple parties. Not frequently used. Often includes insurance. Also known as “risk sharing.”
  • Mitigation: Limiting the impact of a risk so that if a problem occurs it will be easier to fix. This is the most common. Also known as “optimizing risk” or “reduction.”
  • Exploitation: Some risks are good, such as if a product is so popular there are not enough staff to keep up with sales. In such a case, the risk can be exploited by adding more sales staff.