Risk Acceptance and Risk Register Policy and Procedure
This policy and procedure document establishes the framework for Risk Acceptance and the maintenance of the Risk Register within the organization's IT risk management program. It builds upon the IT Risk and Control Library Policy and Procedure by providing specific guidance on formally accepting risks that cannot be fully mitigated and systematically tracking all identified risks. The goal is to ensure informed decision-making, accountability, and alignment with organizational objectives, while supporting compliance with regulatory requirements and best practices such as ISO 31000 and NIST SP 800-30.
This procedure promotes transparency in risk treatment decisions, minimizes residual risks through oversight, and maintains a centralized, auditable record of risks to facilitate ongoing monitoring and reporting.
Scope
This document applies to all identified IT-related risks across the organization, including those arising from systems, applications, networks, cloud resources, projects, and third-party engagements. It covers:
The evaluation and formal acceptance of risks rated Medium, High, or Extreme where full mitigation is not feasible.
The creation, update, and review of the Risk Register for all risks (Low to Extreme).
All departments, including IT, operations, projects, privacy, and compliance teams.
Exclusions: Operational risks outside IT scope are managed under separate business continuity procedures.
Definitions
Risk: A potential event that could negatively impact organizational objectives, quantified as Probability (Likelihood) × Severity (Impact).
Risk Acceptance: The explicit decision by authorized personnel to tolerate a risk at its current level without further mitigation, typically due to cost-benefit analysis, low residual impact, or strategic alignment. Acceptance requires documentation of rationale and monitoring plans.
Risk Register: A dynamic, centralized repository (e.g., spreadsheet, database, or tool like RiskWatch or Excel) that catalogs all identified risks, including details on assessment, treatment, ownership, and status.
Residual Risk: The risk remaining after treatment or acceptance.
Probability (Likelihood): The estimated chance of a risk occurring (rated 1-5; see Risk Assessment Methodology).
Severity (Impact): The potential consequences if the risk materializes (rated 1-5).
Risk Rating: The overall classification (Low, Medium, High, Extreme) based on the Risk Rating Matrix.
Risk Owner: The individual or team accountable for managing and monitoring a specific risk.
Compensating Controls: Alternative measures implemented to offset unmitigated risks during acceptance.
Roles and Responsibilities
IT Governance Team
Oversees the Risk Register; reviews and approves risk acceptance requests; conducts quarterly audits; reports to senior management on register status.
IT Security Team
Identifies and assesses risks; recommends acceptance criteria; monitors accepted risks for changes in probability/severity.
Risk Owners
Documents risks in the register; implements treatment plans or justifies acceptance; provides status updates during reviews.
Portfolio/Project Management Team
Integrates risk assessment into project lifecycles; updates register for project-specific risks; escalates high/extreme risks for acceptance review.
Privacy and Compliance Team
Ensures accepted risks comply with data protection regulations (e.g., GDPR, CCPA); reviews cross-border risk implications.
Senior Management/Executive Sponsor
Approves acceptance for High/Extreme risks; allocates resources for monitoring accepted risks.
All Employees and Contractors
Report potential risks promptly; adhere to monitoring requirements for accepted risks in their areas.
Policy Statement
The organization adopts a risk-based approach to IT governance, where all identified risks must be documented in the Risk Register and treated according to their rating. Risks that cannot be avoided, transferred, or fully mitigated may be formally accepted only after a thorough evaluation of residual impact, costs, and benefits. Acceptance does not imply inaction; all accepted risks require defined monitoring thresholds, periodic reviews, and escalation triggers. Unauthorized acceptance or failure to maintain the Risk Register will result in disciplinary action. This policy aligns with the IT Risk and Control Library by linking accepted risks to related controls and implementation procedures.
Risk Assessment Methodology
Risks are assessed using the standardized methodology from the IT Risk and Control Library to ensure consistency. This informs both treatment decisions and acceptance eligibility.
Probability Levels
1: Rare (<5% chance)
2: Unlikely (5-25% chance)
3: Possible (26-50% chance)
4: Likely (51-75% chance)
5: Almost Certain (>75% chance)
Severity Levels
1: Insignificant (minor disruption, no material impact)
2: Minor (recoverable with minimal effort/cost)
3: Moderate (requires moderate resources, temporary disruption)
4: Major (significant financial/reputational damage)
5: Severe (catastrophic impact, regulatory violations)
Risk Rating Matrix
Risk Rating = Probability × Severity. Use the following matrix for classification:
5 (Almost Certain)
Medium
High
High
Extreme
Extreme
4 (Likely)
Medium
Medium
High
High
Extreme
3 (Possible)
Low
Medium
Medium
High
High
2 (Unlikely)
Low
Low
Medium
Medium
High
1 (Rare)
Low
Low
Low
Medium
Medium
Risk Levels and Treatment Guidance
Low: Monitor annually; implicit acceptance with minimal oversight.
Medium: Implement controls within 6 months; consider acceptance if mitigation costs exceed benefits.
High: Mitigate within 3 months; formal acceptance requires IT Governance approval and compensating controls.
Extreme: Immediate action required; acceptance only with executive sponsorship and quarterly reviews.
Assessments must reference the IT Risk Library for categorization (e.g., RISK-AC-001) and link to applicable controls.
Risk Acceptance Procedure
Risk acceptance is a structured process to ensure decisions are informed and documented. Follow these steps:
Identification and Initial Assessment: During risk identification (e.g., via ISRAs, audits, or incident reports), assess using the Risk Rating Matrix. If mitigation is not viable (e.g., due to technical constraints or disproportionate costs), flag for acceptance review.
Rationale Documentation: The Risk Owner prepares a Risk Acceptance Request Form (template below), including:
Risk ID and description (from Risk Library).
Current rating and residual risk projection.
Justification (e.g., cost-benefit analysis, strategic alignment).
Proposed compensating controls (linked to Control Library).
Monitoring plan (e.g., thresholds for re-assessment: probability increase >1 level or severity >2 levels).
Review and Approval:
Submit to IT Governance Team for Medium/High risks.
Escalate High/Extreme to Senior Management for approval.
Timeline: Within 5 business days for initial review; 10 days for final approval.
Denials require alternative treatment plans.
Implementation and Notification:
Update the Risk Register with acceptance status.
Notify stakeholders (e.g., via email or dashboard).
Deploy compensating controls per Control Implementation Procedures.
Post-Acceptance Monitoring:
Review accepted risks quarterly (or sooner if triggers met).
Re-assess if organizational changes occur (e.g., new regulations).
Escalate if residual risk rating increases.
Risk Acceptance Request Form Template
Request Date
[YYYY-MM-DD]
Risk ID
[e.g., RISK-AC-001]
Description
[Brief summary]
Current Rating
[Low/Medium/High/Extreme]
Rationale for Acceptance
[Detailed justification]
Residual Risk Projection
[Updated Probability/Severity/Rating]
Compensating Controls
[IDs from Control Library, e.g., CTRL-IAC-001]
Monitoring Plan
[Triggers, frequency, responsible party]
Risk Owner
[Name/Team]
Approver
[Signature/Date]
Risk Register Maintenance Procedure
The Risk Register serves as the single source of truth for all IT risks. It must be updated in real-time and reviewed regularly.
Entry Criteria:
All identified risks (from ISRAs, audits, projects, or reports) must be entered within 2 business days.
Assign unique ID (e.g., RR-[YYYY]-[Sequential], linked to Risk Library).
Include mandatory fields: Description, Category, Probability, Severity, Rating, Owner, Status (Open/Mitigated/Accepted/Closed), Treatment Plan, Due Date, Last Review Date.
Structure and Fields (Minimum):
FieldDescriptionExampleRisk ID
Unique identifier
RR-2025-001
Description
Detailed risk statement
Unauthorized access to cloud storage due to weak MFA.
Category
From Risk Library (e.g., Access Control)
AC
Probability
1-5 scale
3
Severity
1-5 scale
4
Risk Rating
Low/Medium/High/Extreme
High
Owner
Responsible party
IT Security Team
Status
Open/Mitigated/Accepted/Closed
Accepted
Treatment
Plan or acceptance details
Accepted with CTRL-MFA-001; monitor quarterly.
Related Controls
IDs from Control Library
CTRL-IAC-001
Last Review
Date of last update/review
2025-10-08
Notes
Escalations or changes
Re-assess post-AWS update.
Update Process:
Risk Owners update status upon treatment milestones or changes.
IT Governance Team validates entries weekly.
Archive closed risks after 12 months of inactivity.
Review and Reporting:
Quarterly full review by IT Governance Team.
Generate reports: Risk distribution by rating, acceptance trends, overdue actions.
Annual audit for completeness (target: 100% coverage of identified risks).
Tools and Access:
Use [Specify tool, e.g., Microsoft Excel/SharePoint or GRC software].
Access controls: View-only for most users; edit rights for owners and governance team.
Integration with IT Risk and Control Library
Linkages: Risk Register entries reference Risk Library IDs for categorization and Control Library for mitigations/compensating controls.
ISRA Alignment: Risks from ISRAs feed directly into the register; acceptance decisions inform questionnaire mappings.
Relationships: Accepted risks are flagged in implementation procedures; monitor via the matrix to trigger re-assessments.
Compliance Monitoring and Auditing
Metrics:
Percentage of risks formally assessed and registered (target: 100%).
Number of accepted risks (track trends; limit to <20% of total).
Timeliness of updates (target: 95% within due dates).
Audits: Conduct internal audits bi-annually; external as required by regulations.
Reporting: Monthly dashboard to senior management; include accepted risks with residual projections.
Enforcement: Non-compliance (e.g., undocumented acceptance) escalates to HR for review.
Last updated