Risk Acceptance is a risk response strategy whereby we, as the project team, decide to acknowledge the risk and not take any action unless the risk occurs (PMBOK®, 6th edition, Glossary).
All risks should be assessed equally and documented in the risk register. When accepting risks it should be done with caution and follow an official acceptance process with a risk acceptance form that is signed and approved to ensure the appropriate people in your company are aware of the risks the team are accepting. The PMI has the following recommendation:
As the term suggests, risk acceptance is when we consciously acknowledge, and accept that, while a certain degree of threat exists to our project, we consider that degree to be unimportant for us to take any proactive action. Risk Acceptance is an especially appropriate strategy for low-priority threats.(PMBOK®, 6th edition, ch. 220.127.116.11).
Risk Management Techniques
Risk acceptance arguably begins with risk management processes and techniques. Risk management is doing what you can to reduce risk during the project. This is made possible when you identify and manage potentially loss-causing risks.
The processes most commonly and broadly used to identify and treat risk in risk management are: Risk Identification, Risk Analysis and Treatments. Risk management starts with the risk identification process and its techniques.
During a specialized meeting or risk workshop, the risk identification team we would have assembled first creatively imagine or brainstorm the future before identifying individual project risks. (PMBOK®, 6th edition, ch.18.104.22.168, ch. 11.2).
While project managers, team members, risk specialists, and subject matter experts are often key participants for risk identification, all project stakeholders should be encouraged(PMBOK®, 6th edition, ch. 11.2) to attend.
Although there are over thirty techniques for risk identification, most of us are familiar with the SWOT Analysis technique. It examines the project with regards to its strengths, weaknesses, opportunities, and threats (SWOT) perspectives.
The technique starts with the identification of strengths and weaknesses of the organization, focusing on either the project, organization, or the business area in general. It is used to increase the breadth of identified risks by including internally generated risks. (PMBOK®, 6th edition, ch. 22.214.171.124).
After identifying risks, you will collate them in a risk register and as a team assess the risks to determine the impact and probability. This will then help rank risks which can individually be assessed and best response strategy can be determined.
Risk Responses Strategies
In addition to risk acceptance, there are four other possible responses to risk. These are escalation, avoidance, transfer and mitigation. Of these four, I will now briefly consider the remaining four.
Risk avoidance is when we act to eliminate the threat or protect the project from its impact. It may be appropriate for high-priority threats with a high probability of occurrence and a large negative impact. Avoidance may involve changing some aspect of the project management plan to eliminate the threat entirely.
Examples of avoidance actions may include removing the cause of a threat, extending the schedule, changing the project strategy, reducing scope, clarifying requirements, obtaining information, improving communication, or acquiring expertise. (PMBOK®, 6th edition, ch. 126.96.36.199).
Escalation is best when we or the project sponsor agree that a threat is outside the scope of the project or the proposed response exceeds the project manager’s authority.
Escalated risks are managed at the program level, portfolio level, or other relevant part of the organization, and not at the project level. The project manager determines who should be notified about the threat and communicates the details to that person or department for purposes of ownership of escalated threats. You should be aware of the project risk exposure when escalating risks.
Escalated threats are not monitored further by us after escalation, although they may be recorded in the risk register for information. (PMBOK®, 6th edition, ch. 188.8.131.52).
Transfer or Share Risk
Risk transfer involves us shifting ownership of a threat to a third party in order to manage the risk and bear the impact if the threat occurs. Often, it involves payment of a risk premium to the party taking on the threat.
Transfer can be achieved by a range of actions, which include: the use of insurance, performance bonds, warranties, guarantees, etc. Agreements may be used to transfer ownership and liability for specified risks to another party. (PMBOK®, 6th edition, ch. 184.108.40.206).
Mitigate or Enhance Risk
In risk mitigation, we take action to reduce the probability of the occurrence and/or impact of a threat. Early mitigation action is often more effective than trying to repair the damage after the threat has occurred.
Adopting less complex processes, security policies, conducting more tests, choosing a more stable seller, or designing redundancy are some examples of mitigation actions. (PMBOK®, 6th edition, ch. 220.127.116.11).
Risk Assessment / Review
Risk assessment is an important feature of risk management. It is defined as the process of identifying risks and evaluating their probability and impact. Probability is the potential for the identified risk to occur.
Risk probability assessment considers the likelihood that a specific risk will occur. (PMBOK®, 6th edition, ch. 18.104.22.168). The risk assessment is the basis for an risk analysis that a project manager might need to do during the project.
Investigation of Risk Acceptance
Whether we passively or actively accept risk, ultimately, we still have to justify our reasons and the effect of our decision to do so. This requires a quantitative investigation of risk acceptance.
To undertake such an investigation, we require a validated instrument to measure the risk we took, and are willing to take in managing our projects risks.. Such investigations should happen depending on the expected risk exposure even if its an infrequent risk or not.
Concept of Risk Acceptance Criteria Types: Active and Passive
As managers, we can also adopt Risk Acceptance when it is not possible or cost-effective for us to address a threat in any other way(PMBOK®, 6th edition, ch. 22.214.171.124). As such, risk acceptance can be either active or passive.
The most common active Risk Acceptance strategy is to establish a contingency reserve. This should include: amounts of time, money, or resources to handle the threat IF and when it occurs. (PMBOK®, 6th edition, ch. 126.96.36.199, ch. 188.8.131.52)
On the other hand, passive Risk Acceptance involves no proactive action on our part, other than a periodic review of the threat to ensure that it does not change significantly. (PMBOK®, 6th edition, ch. 184.108.40.206). For the success of our projects, however, an active acceptance of risk is always the most advisable and best course of response.
Active Acceptance of Risk
As stated earlier, while Risk Acceptance can either be active or passive (PMBOK®, 6th edition, ch. 220.127.116.11). The most advisable and best course of response for us is an active acceptance of risk. Actively accepting risk is a contingency measure that is designed for use only if certain events occur.
When we actively accept risk, it involves us making an appropriate response plan that will only be executed under certain predefined conditions. Making such a response plan shows our belief that there will be sufficient warning to implement the plan.
In this regard, defined events such as missing intermediate milestones or gaining higher priority with a seller, should be tracked and, once observed, contingency responses triggered. For this reason, risk responses identified using this technique are often called contingency plans or fallback plans. (PMBOK®, 6th edition, ch. 18.104.22.168).
Risk Acceptance Examples
Before and during the course of a project’s life-cycle, we sometimes find ourselves presented with a certain degree of risk we have to accept. For me, the history of the Trans Anatolian Natural Gas Pipeline project is a good case- study of some Risk Acceptance examples we face as nations and project managers.
Before embarking on the Trans Anatolian Natural Gas Pipeline, the European Union had for decades passively accepted the risk of relying on Russia for 40% of its natural gas requirements. Given the size of the project, and its scheduling challenge, TANAP Natural Gas Transmission Co. awarded the contract to four different contractors to perform their work simultaneously.
TANAP accepted the huge management risk of doing so, it now had to deal with all four major contractors building the pipeline at once.
Despite passively accepting the risk, in 2014, the TANAP team soon realized it had to manage the contractors or risk progress on the project. Consequently, TANAP actively accepted risk by assembling a team to provide special services such as engineering, procurement, construction and management – as and when needed.
However, this presented TANAP with further risk! The story of the Trans Anatolian Natural Gas Pipeline project leads me to differences between Risk Acceptance and Risk Sharing.
Risk Acceptance Template Form
You can make a copy of our risk acceptance form here.
Risk Acceptance vs. Risk Sharing
As I highlighted earlier, Risk Acceptance is a risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs (PMBOK®, 6th edition, Glossary). Conversely, a risk sharing response strategy is whereby we are willing to share ownership of an opportunity with a third party who is best able to capture the benefit of that opportunity (PMBOK®, 6th edition, Glossary).
Risk Sharing Example
Examples of risk sharing are getting insurance, forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures. (PMBOK®, 6th edition, ch. 22.214.171.124). For this reason, risk sharing is at times referred to as Risk Transference (PMBOK®, 6th edition, Glossary, ch. 126.96.36.199).
Risk Transference Example
Risk Transference is a risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response. (PMBOK®, 6th edition, Glossary) Where such a transfer strategy is required, it may involve the payment of a risk premium.
Examples of both transfer and share strategies for overall project risk include, but are not limited to setting up a collaborative business structure in which the buyer and the seller share the overall project risk, launching a joint venture or special-purpose company, or subcontracting key elements of the project. (PMBOK®, 6th edition, ch. 188.8.131.52, ch. 184.108.40.206, ch. 220.127.116.11).
Rick Acceptance Q&A
What is a risk acceptance form?
A risk acceptance form is a formal document that is used to officially accept a risk during a project. The form will be stored with the other project artifacts managed by the project manager.
What are the four risk responses?
There are four other possible responses to risk. These are escalation, avoidance, transfer and mitigation.
Who is responsible for risk acceptance?
The project team is responsible for accepting the risk but it is determined by agreeing on a risk exposure and identifying all the risks to the project and understanding the impact and probability of the rick occurring.
How can we avoid risk?
You can avoid risk by eliminating the threat or protect the project from its impact. It may be appropriate for high-priority threats with a high probability of occurrence and a large negative impact.
Is accepting the risk a good way to handle risk?
Risk Acceptance is a risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs. This a good way of handling the if you have assessed the probability and impact of the risk
What is the difference between avoiding a risk and accepting a risk?
Accepting a risk is making an appropriate response plan that will only be executed under certain predefined conditions. Risk avoidance is when we act to eliminate the threat or protect the project from its impact.