Risk Acceptance must be a conscious decision, not a default action due to lack of information or desire to act.
Risk Assessments and Risk Mitigation remain important topics in many association groups and business discussions. We are often asked to assist with formal risk assessments, as well as with individual components of an overall risk assessment. Over the last several months we have discussed different risk topics on our blog (Real Risks to an Organization, Maximize Compliance & Minimize Risk). These topics discuss how to prepare for or mitigate risks. One of the most used risk mitigation strategies is “do nothing – accept the risk.” Even if it is not thought of as one, it is a mitigation strategy and is often the most appropriate.
Questions regarding Risk Acceptance:
- Is insurance in place for those areas which would be impacted and are the risk categories covered?
- Is the actual impact understood?
- Is the true probability of an occurrence known?
- Are the risks which are accepted truly known or understood?
Risk Acceptance – Due to lack of execution
We find that there are many risks that are defaulted to “do nothing” – not because of a conscious decision, but because after a risk has been identified, there is no plan for mitigation, or the execution of the plan is not scheduled. In a majority of the Threat & Risk Assessments we perform, there is at least one risk identified for mitigation that is not scheduled and remains a risk for a year or more. Without a plan or schedule of execution, you have defaulted to the Risk Acceptance strategy.
Risk Acceptance – Due to lack of information
There are two reasons for this situation.
- The risk or impacts are not communicated to the decision makers.
  - Not communicating the risks may be because the risk is not known, but is often due to an unwillingness to share bad news.
- The risk or impacts are unknown.
  - If risks are not known, it is typically because a risk assessment was not done, was not sufficient, or the appropriate people were not included in the assessment and/or did not share information.
A quote I like is appropriate here: “Bad news does not get better with time.” An example of the lack of information: an IT Department told their business and management team that a recovery solution was in place and the technology could be recovered. In actuality, they had only done a proof of concept on the technology, and there was only enough capacity to recover 1 or 2 applications.
Risk Acceptance – Conscious Decision
Accepting the risk is an appropriate choice in many cases. Often the impact of an event and/or the likelihood of occurrence do not justify the high cost of mitigation. Acceptance of risk does not mean that organizations are not prepared or that there are no actions to be taken. There may not be any technology or process changes, but insurance needs, changes to corporate or local policies, and changes to recovery plans and communication plans are all considerations that must be addressed.
When addressing risk mitigation, remember that Risk Acceptance is an option. “Do Nothing” can be the right solution. Due diligence should ensure that the decision is not based on a lack of information or execution, but rather on a conscious and carefully considered plan.