An organization determines that the cost of implementing controls to address a specific low-impact risk exceeds the potential loss, so management decides to do nothing further and simply budget for any possible consequences. Which risk response strategy is the organization employing?
The organization is choosing risk acceptance: it consciously retains the risk and any associated impact rather than investing in mitigation or shifting the liability to someone else.
Risk acceptance: The organization acknowledges the risk and its potential impact but takes no additional action beyond monitoring or budgeting for a loss.
Risk transference: Liability is shifted to a third party (for example, via insurance or outsourcing).
Risk mitigation: Controls are implemented to reduce the likelihood of the risk, its impact, or both.
Risk avoidance: The risky activity is eliminated altogether to remove the exposure.
Because the scenario states that management has weighed the cost of controls against the potential loss and decided to simply absorb any consequences, it clearly aligns with risk acceptance.