How does an organization decide what is or is not an acceptable risk?
Risk is a part of everything an organization does. Risky elements that are acceptable in one situation might be unacceptable in another. The term “acceptable risk”, or residual risk, describes a risk whose probability of occurrence is so small, whose consequences are so slight, or whose benefits (perceived or real) are so great, that the organization is willing to take, or be subjected to, the chance that the event occurs.
During risk mitigation planning, we identify, evaluate, and select options to classify each risk as acceptable or not. Acceptability of a risk involves consideration of several factors, including where and when the risk can occur, its probability of occurring, and its severity. Other factors may be an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts. Defining the company’s acceptable risk level falls to management, because they intimately understand the company’s business drivers and the corresponding impact if these business objectives are not met.
Acceptability of a risk ultimately depends on the acceptability of its consequences. If an organization chooses to accept a risk, measures should still be taken to properly document that decision and to revisit the assessment of the risk throughout the project. A risk judged acceptable at planning time may not carry the same ranking during execution.