Acceptable risk

Intermediate

The level of potential loss or harm that an organization or individual is willing to tolerate in a given situation after security controls and mitigation strategies have been implemented. It represents a conscious decision to accept the remaining, or residual, risk to achieve a specific benefit or objective.

First Used

Mid-20th Century

Definitions

3

Synonyms
Tolerable risk, Risk appetite

Definitions

1

In Cybersecurity and IT

In cybersecurity, acceptable risk is the level of potential data loss, system compromise, or service disruption that an organization is willing to endure after security controls have been implemented. It is a fundamental concept in risk management frameworks such as the NIST Risk Management Framework (RMF) and ISO/IEC 27001, both of which treat risk acceptance as a formal step that follows assessment and treatment rather than a default outcome.

This is not about ignoring threats but about making a calculated business decision. For example, a company might decide that a non-critical internal development server being down for one hour per year (roughly 99.99% availability) is an acceptable risk. The cost of engineering that server for 99.999% uptime, which allows only about five minutes of downtime per year, would far outweigh the minimal business impact of the outage.

Conversely, the same one hour of downtime for a customer-facing e-commerce platform would likely be deemed unacceptable. The decision to accept a risk is formally documented, typically in a risk register with a named risk owner and a review date, and is directly aligned with the organization's broader risk appetite.

2

In Business and Finance

In a business and financial context, acceptable risk refers to the degree of potential financial loss or reputational damage that a company is willing to face in pursuit of its objectives. Every business decision, from launching a new product to entering a new market, carries inherent risk.

Management must weigh the potential rewards against the potential negative outcomes. For instance, a pharmaceutical company might accept the high financial risk of investing millions in R&D for a new drug because the potential profit and market leadership from a successful outcome are enormous. This calculated gamble is considered a tolerable risk.

This decision-making process is often supported by cost-benefit analysis and is a key indicator of the company's strategic direction and its risk appetite. A conservative, established company will have a much lower threshold for acceptable risk than an aggressive startup.

3

In Engineering and Public Safety

In engineering and public safety, acceptable risk is a more formalized and often legally mandated concept that pertains to the safety of human life and infrastructure. It represents the level of risk that society and regulatory bodies are willing to tolerate from structures, products, or systems.

It is impossible to build a bridge that has a zero percent chance of failure or a car that is perfectly safe in all conditions. Therefore, engineers use quantitative risk analysis to design systems where the probability of a catastrophic failure is incredibly low—a level deemed a tolerable risk.

For example, an aviation regulator might set a target such as no more than one catastrophic failure of a given system per million flight hours; the actual threshold depends on the severity of the failure condition, with the most severe categories held to far lower probabilities. Such standards rest on extensive operational data, engineering capability, and public expectation. They are precise, data-driven measures used to protect public safety while still allowing technological progress.


Origin & History

Etymology

The term combines 'Acceptable', from the Latin 'acceptabilis' meaning 'worthy of being received', with 'Risk', which has roots in the Italian 'rischio' meaning 'danger'. The phrase signifies a level of danger that is deemed worthy of being tolerated.

Historical Context

The concept of **acceptable risk** emerged from engineering and public safety disciplines in the mid-20th century, particularly in high-stakes fields like aerospace and nuclear power. In these areas it was impossible to eliminate all risk, so engineers and regulators had to quantify the probability of failure and determine a level that was socially and economically tolerable.

This data-driven approach was later adopted by the financial and insurance industries, where risk is the core of the business. They developed sophisticated models to calculate **tolerable risk** in investments and policies.

In the late 20th and early 21st centuries the concept became a cornerstone of information security and IT governance. As digital systems became critical, organizations realized they could not afford to protect against every conceivable threat. Frameworks such as NIST's RMF and ISO/IEC 27001 formalized the process of risk assessment, treatment, and acceptance, making the determination of **acceptable risk** a key part of modern cybersecurity strategy.


Usage Examples

1

After implementing multi-factor authentication, the IT department concluded that the residual risk of unauthorized access was an acceptable risk.

2

The board of directors decided that the potential for minor financial loss from the new market venture was a tolerable risk compared to the potential for significant growth.

3

Our company's risk appetite is extremely low, so the level of acceptable risk is much lower than our competitors'; we must reduce the residual risk even further before proceeding.


Frequently Asked Questions

What is the difference between acceptable risk and residual risk?

Residual risk is the risk that remains after security controls and mitigation efforts have been applied. Acceptable risk is the specific amount of that residual risk that management has formally decided it is willing to tolerate.

If the residual risk is higher than the organization's defined acceptable risk level, further controls are needed. If the residual risk is at or below the acceptable risk level, the organization can formally accept it without further action.
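The decision rule in this answer, and the development-server versus e-commerce contrast in the cybersecurity definition above, can be made concrete with a small risk register. The following Python script is an added example for this entry, not code from NIST, ISO or any risk tool. It scores each risk as annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), a common quantitative model that the entry itself does not prescribe, and every asset, loss figure, control cost and tolerance threshold in it is constructed for illustration.

```python
"""Residual-risk acceptance check over a constructed risk register.

Added example for this glossary entry; the assets, figures and tolerance
thresholds are invented, and the ALE model is one quantitative approach
among several that NIST RMF or ISO/IEC 27001 programmes might use.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # 8760; leap years ignored


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    sle: float              # single loss expectancy: cost of one occurrence
    aro: float              # annual rate of occurrence with no control in place
    acceptable_ale: float   # tolerance set by management for this asset, per year
    control: str
    control_cost: float     # annual cost of operating the control
    aro_reduction: float    # fraction of occurrences the control prevents, 0..1

    def inherent_ale(self) -> float:
        """Expected annual loss with no control: ALE = SLE * ARO."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Expected annual loss once the control is in place."""
        return self.sle * self.aro * (1.0 - self.aro_reduction)


def assess(risk: Risk) -> dict:
    """Apply the accept / treat-further rule and report the numbers behind it."""
    inherent = risk.inherent_ale()
    residual = risk.residual_ale()
    # A control pays for itself when the loss it avoids exceeds what it costs to run.
    cost_justified = (inherent - residual) > risk.control_cost
    if inherent <= risk.acceptable_ale:
        decision = "accept as-is"  # already within tolerance; the control is optional
    elif residual <= risk.acceptable_ale:
        decision = "implement control, accept residual"
    else:
        decision = "residual exceeds tolerance, treat further"
    return {
        "asset": risk.asset,
        "inherent_ale": round(inherent, 2),
        "residual_ale": round(residual, 2),
        "acceptable_ale": risk.acceptable_ale,
        "cost_justified": cost_justified,
        "decision": decision,
    }


def availability(downtime_hours_per_year: float) -> float:
    """Availability fraction implied by a yearly downtime budget."""
    return 1.0 - downtime_hours_per_year / HOURS_PER_YEAR


def max_downtime_hours(availability_target: float) -> float:
    """Yearly downtime budget implied by an availability target such as 0.99999."""
    return (1.0 - availability_target) * HOURS_PER_YEAR


# Constructed register: the two outage rows mirror the definition's example,
# the third shows a risk that stays above tolerance even after a control.
REGISTER = [
    Risk("internal dev server", "one-hour outage", sle=500.0, aro=1.0,
         acceptable_ale=1_000.0, control="HA cluster",
         control_cost=20_000.0, aro_reduction=0.95),
    Risk("e-commerce platform", "one-hour outage", sle=50_000.0, aro=1.0,
         acceptable_ale=5_000.0, control="HA cluster",
         control_cost=20_000.0, aro_reduction=0.95),
    Risk("customer database", "credential-based breach", sle=2_000_000.0, aro=0.05,
         acceptable_ale=10_000.0, control="MFA on all admin logins",
         control_cost=15_000.0, aro_reduction=0.80),
]


def review_register(register=REGISTER) -> list:
    return [assess(r) for r in register]


if __name__ == "__main__":
    for row in review_register():
        print(f"{row['asset']:<22} inherent={row['inherent_ale']:>10,.0f} "
              f"residual={row['residual_ale']:>9,.0f} "
              f"tolerance={row['acceptable_ale']:>8,.0f} "
              f"cost_justified={row['cost_justified']!s:<5} -> {row['decision']}")
    print(f"1 h/yr downtime = {availability(1.0):.4%} availability")
    print(f"99.999% allows {max_downtime_hours(0.99999) * 60:.1f} min/yr downtime")
```

Running it shows the three outcomes the entry describes: the dev server is accepted without the expensive control because its inherent loss is already under tolerance, the e-commerce platform gets the control and its residual risk is then accepted, and the database row is the case where residual risk still exceeds the threshold, so it cannot be accepted and must be treated further or escalated to leadership to revisit the tolerance.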

Who is responsible for determining the level of acceptable risk in an organization?

The responsibility for determining acceptable risk lies with senior leadership, such as the board of directors, C-level executives, or a dedicated risk management committee. It is a strategic business decision, not a purely technical one. In the NIST RMF this role is the authorizing official, who formally accepts the residual risk before a system is authorized to operate.

This decision is based on the organization's overall goals, its risk appetite, legal and regulatory requirements, and the potential impact on finances and reputation. Technical teams provide the data and analysis, but leadership makes the final determination.


Categories

Risk Management, Cybersecurity

Tags

risk management, security, compliance, decision making, business continuity