Other risk management frameworks may use the terms risk acceptance and risk retention interchangeably. From the perspective of ISO 27005, however, there are some subtle differences between them.
- Risk Retention is the risk treatment option in which no action is taken, given that the inherent or residual risk meets the risk acceptance criteria defined when establishing the risk context.
- In contrast, Risk Acceptance is a decision on whether the residual risk that remains after risk treatments, such as risk modification, risk sharing, or risk avoidance, is explicitly accepted by the managers.

Where accepted risks do not meet the normal risk acceptance criteria, the outcome of risk acceptance should highlight them with a stated justification. Risk acceptance criteria may become inadequate and should be revised, but it is not always possible to do so promptly. For example, when a risk is accepted because of desirable benefits or a high cost of risk modification, it is likely that the outdated risk acceptance criteria cannot be revised in time. In this situation, the decision-maker should explicitly comment on the risks and include a justification for the decision to override the normal risk acceptance criteria.