Building an Effective Risk Acceptance Process
How a Formal Risk Acceptance Process Can Improve Risk Management Outcomes
A risk acceptance process designed to capture known risk that is unable to be effectively mitigated due to time, cost, or other factors is a key element to any Enterprise Risk Management (ERM) program.
As noted in the Core Strategies for Managing Business Risk article, the goal of risk management is not to eliminate all risk. However, not being able to identify and articulate key risks to the business creates a blind spot to the risk inherently impacting the organization.
Your organization’s risk governance process should define and establish a process that receives and processes requests from the business to accept a specific risk. While this process may differ widely across organizations of disparate size and in different industries, risk acceptance processes should include the following elements:
Key Elements of a Risk Acceptance Process
Any risk acceptances should be documented.
Be tied to a specific risk or risks across the enterprise.
Articulate the strategic, operational or compliance elements that the risk acceptance is being requested for.
Document the reason(s) that the risk cannot be mitigated.
Calculate any known financial impacts if the risk came to fruition.
All accepted risk should be approved.
Accepting a risk should not be done in a siloed view and should be visible to appropriate stakeholders within the business.
Being able to accept a risk should be done in view of the business leader having authority to take that risk for the organization.
All accepted risks should be reviewed periodically.
Accepted risks should be reviewed periodically, at least annually while the risk has not been mitigated.
Accepted risks should be rolled up and reviewed in aggregate of the documented risk appetite.
Benefits of a Risk Acceptance Process
If executed well, these elements will provide the following benefits to the organization resulting in more effective risk management outcomes:
Discipline to identify and assess mitigation options for risks across the business.
Visibility to risk within business processes and how they impact other functions and the organization as a whole.
Clear understanding of what risk is being accepted, by whom, and whether it falls within the organization’s risk appetite.
The ability to strategically change course and address the unmitigated risk through alternative approaches.
A Risk Acceptance Process Creates Options
If organizational leadership has the visibility to the unmitigated risk that the business process owner is requesting to accept, there are several practical paths that could be chosen:
Accept as documented within the risk acceptance process, with the risk to be reviewed at a specific time interval.
A decision to seek additional insurance coverage to capture the potential financial losses of a risk event tied to a specific accepted risk.
A decision to strategically avoid the business process creating the risk until an appropriate mitigation plan can be put into place.
Accept as documented within the risk acceptance process with specific directions to seek a mitigating control, avoid aspects of the business process creating the risk, or seek additional insurance coverage to transfer some of the financial impact.
As noted earlier, the goal of risk management is not to eliminate all risk. Developing a risk acceptance process can help prevent blind spots by identifying unmitigated risk with your organization. Where a risk cannot be mitigated due to a funding gap, a decision to reallocate financial resources or delay other priorities to address the risk can be made if deemed necessary.
Application:
Does your organization utilize a formal risk acceptance process?
Does your risk acceptance process take into account the organization’s risk appetite?
What would be (or has been) the most challenging aspect of implementing a risk acceptance process?
Would you like to discuss this topic further? Contact Brian Howell from Crestview.io


