Risk Acceptance in Project Management

Risk Acceptance is a risk response strategy whereby we, as the project team, decide to acknowledge the risk and not take any action unless the risk occurs (PMBOK®, 6th edition, Glossary).

All risks should be assessed equally and documented in the risk register. Accepting risks should be done with caution, and an official acceptance process should be followed, with a risk acceptance form that is signed and approved to ensure the appropriate people in your company are aware of the risks the team is accepting. The PMI has the following recommendations:

As the term suggests, risk acceptance is when we consciously acknowledge and accept that, while a certain degree of threat exists to our project, we consider that degree too unimportant to warrant any proactive action. Risk Acceptance is an especially appropriate strategy for low-priority threats (PMBOK®, 6th edition, ch. 11.5.2.4).

Risk Management Techniques

Risk acceptance arguably begins with risk management processes and techniques. Risk management is doing what you can to reduce risk during the project. This is made possible when you identify and manage potentially loss-causing risks.

Risk identification, risk analysis, and treatments are the processes most commonly and broadly used to identify and treat risk in risk management. Risk management starts with the risk identification process and its techniques.

Identify Risks

During a specialized meeting or risk workshop, the risk identification team first assembles to creatively imagine or brainstorm the future before identifying individual project risks (PMBOK®, 6th edition, ch. 11.2.2.6, ch. 11.2).

While project managers, team members, risk specialists, and subject matter experts are often key participants in risk identification, all project stakeholders should be encouraged to attend (PMBOK®, 6th edition, ch. 11.2).

Although there are over thirty techniques for risk identification, most of us are familiar with the SWOT Analysis technique. It examines the project’s strengths, weaknesses, opportunities, and threats (SWOT) perspectives.

The technique starts by identifying the organization’s strengths and weaknesses, focusing on either the project, organization, or business area in general. It is used to increase the breadth of identified risks by including internally generated risks (PMBOK®, 6th edition, ch. 11.2.2.3).

After identifying risks, you will collate them in a risk register and as a team assess the risks to determine the impact and probability. This will then help rank risks, which can individually be evaluated, and the best response strategy can be determined.

Risk Response Strategies

Accept Risk

In addition to risk acceptance, there are four other possible responses to risk. These are escalation, avoidance, transfer, and mitigation. I will now briefly consider each of these four.

Avoid Risk

Risk avoidance is when we act to eliminate the threat or protect the project from its impact. It may be appropriate for high-priority threats with a high probability of occurrence and a significant negative effect. Avoidance may involve changing some aspects of the project management plan to eliminate the threat.

Examples of avoidance actions may include removing the cause of a threat, extending the schedule, changing the project strategy, reducing scope, clarifying requirements, obtaining information, improving communication, or acquiring expertise. (PMBOK®, 6th edition, ch. 11.5.2.4).

Escalate Risks

Escalation is best when we or the project sponsor agree that a threat is outside the project’s scope or the proposed response exceeds the project manager’s authority.

Escalated risks are managed at the program, portfolio, or other relevant parts of the organization, not at the project level. The project manager determines who should be notified about the threat and communicates the details to that person or department for ownership of escalated threats. You should be aware of the project risk exposure when escalating risks.

Escalated threats are not monitored further by us after escalation, although they may be recorded in the risk register for information. (PMBOK®, 6th edition, ch. 11.5.2.4).

Transfer or Share Risk

Risk transfer involves us shifting ownership of a threat to a third party to manage the risk and bear the impact if the threat occurs. Often, it involves paying a risk premium to the party taking on the threat.

Transfer can be achieved by a range of actions, including insurance, performance bonds, warranties, guarantees, etc. Agreements may transfer ownership and liability for specified risks to another party. (PMBOK®, 6th edition, ch. 11.5.2.4).

Mitigate or Enhance Risk

In risk mitigation, we take action to reduce the probability of a threat’s occurrence and impact. Early mitigation action is often more effective than repairing the damage after the threat has occurred.

Adopting less complex processes and security policies, conducting more tests, choosing a more stable seller, or designing redundancy are some examples of mitigation actions (PMBOK®, 6th edition, ch. 11.5.2.4).

Risk Assessment / Review

Risk assessment is an essential feature of risk management. It involves identifying risks and evaluating their probability and impact. Probability is the potential for the identified risk to occur.  

Risk probability assessment considers the likelihood that a specific risk will occur (PMBOK®, 6th edition, ch. 11.3.2.3). It is the basis for a risk analysis that a project manager might need to perform during the project.

Investigation of Risk Acceptance

Whether we passively or actively accept risk, we still have to justify our reasons and the effect of our decision. This requires a quantitative investigation of risk acceptance.

To undertake such an investigation, we require a validated instrument to measure the risk we took and are willing to take in managing our project’s risks. Such investigations should happen depending on the expected risk exposure, whether it’s infrequent or not.

Concept of Risk Acceptance Criteria Types: Active and Passive

As managers, we can also adopt Risk Acceptance when it is not possible or cost-effective for us to address a threat in any other way (PMBOK®, 6th edition, ch. 11.5.2.5). Risk acceptance can be either active or passive.

The most common active Risk Acceptance strategy is to establish a contingency reserve. This should include time, money, or resources to handle the threat if and when it occurs (PMBOK®, 6th edition, ch. 11.5.2.5, ch. 11.5.2.7).

On the other hand, passive Risk Acceptance involves no proactive action on our part other than a periodic review of the threat to ensure that it does not change significantly (PMBOK®, 6th edition, ch. 11.5.2.4). For the success of our projects, however, active risk acceptance is always the most advisable and best course of response. 

Active Acceptance of Risk

As stated earlier, Risk Acceptance can be active or passive (PMBOK®, 6th edition, ch. 11.5.2.4). The most advisable and best response for us is active risk acceptance. Actively accepting risk is a contingency measure designed for use only if certain events occur.

When we actively accept risk, we make an appropriate response plan that will only be executed under certain predefined conditions. Making such a response plan shows our belief that there will be sufficient warning to implement the plan.

In this regard, defined events, such as missing intermediate milestones or gaining higher priority with a seller, should be tracked and, once observed, contingency responses triggered. For this reason, risk responses identified using this technique are often called contingency plans or fallback plans. (PMBOK®, 6th edition, ch. 11.5.2.6).

Risk Acceptance Examples

Before and during a project’s life cycle, we sometimes face a certain degree of risk we have to accept. For me, the history of the Trans Anatolian Natural Gas Pipeline project is a good case study of some Risk Acceptance examples we face as nations and project managers.

Before embarking on the Trans Anatolian Natural Gas Pipeline, the European Union had passively accepted the risk of relying on Russia for 40% of its natural gas requirements for decades. Given the size of the project and its scheduling challenge, TANAP Natural Gas Transmission Co. awarded the contract to four different contractors to perform their work simultaneously.

TANAP accepted the huge management risk of doing so. It now had to deal with all four major contractors building the pipeline at once.

Despite passively accepting the risk, in 2014, the TANAP team soon realized it had to manage the contractors or risk progress on the project. Consequently, TANAP actively accepted risk by assembling a team to provide special services such as engineering, cloud procurement, construction, and management – as and when needed.

However, this presented TANAP with further risk! The story of the Trans Anatolian Natural Gas Pipeline project leads me to the differences between Risk Acceptance and Risk Sharing.

Risk Acceptance Template Form

You can make a copy of our risk acceptance form here.

Risk Acceptance vs. Risk Sharing

As I highlighted earlier, Risk Acceptance is a risk response strategy in which the project team decides to acknowledge the risk and not take any action unless the risk occurs (PMBOK®, 6th edition, Glossary). Conversely, a risk-sharing response strategy involves being willing to share ownership of an opportunity with a third party who can best capture the benefit of that opportunity (PMBOK®, 6th edition, Glossary).

Risk Sharing Example

Examples of risk sharing are getting insurance and forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures (PMBOK®, 6th edition, ch. 11.5.2.5). For this reason, risk sharing is sometimes referred to as Risk Transference (PMBOK®, 6th edition, Glossary, ch. 11.5.2.7).

Risk Transference Example

Risk Transference is a risk response strategy in which the project team shifts the impact of a threat to a third party, together with ownership of the response (PMBOK®, 6th edition, Glossary). Where such a transfer strategy is required, it may involve the payment of a risk premium.

Examples of both transfer and share strategies for overall project risk include, but are not limited to, setting up a collaborative business structure in which the buyer and the seller share the overall project risk, launching a joint venture or special-purpose company, or subcontracting critical elements of the project (PMBOK®, 6th edition, ch. 11.5.2.4, ch. 11.5.2.5, ch. 11.5.2.7).

Risk Acceptance Q&A

What is a risk acceptance form?

A risk acceptance form is a formal document used to accept a risk during a project officially. The form will be stored with the other project artifacts managed by the project manager.

What are the four risk responses?

There are four other possible responses to risk. These are escalation, avoidance, transfer, and mitigation.

Who is responsible for risk acceptance?

The project team is responsible for accepting the risk, which is determined by agreeing on a risk exposure, identifying all the risks to the project, and understanding the impact and probability of the risk occurring.

How can we avoid risk?

Eliminating the threat or protecting the project from its impact can avoid risk. This approach may be appropriate for high-priority threats with a high probability of occurrence and a significant negative effect.

Is accepting the risk an excellent way to handle risk?

Risk Acceptance is a risk response strategy whereby the project team acknowledges the risk and does not take any action unless the risk occurs. This is a good way of handling the risk if you have assessed the probability and impact of the risk.

What is the difference between avoiding a risk and accepting a risk?

Accepting a risk is making an appropriate response plan that will only be executed under certain predefined conditions. Risk avoidance is when we act to eliminate the threat or protect the project from its impact.

Shane Drumm

Shane Drumm, holding certifications in PMP®, PMI-ACP®, CSM, and LPM, is the author behind numerous articles featured here. Hailing from County Cork, Ireland, his expertise lies in implementing Agile methodologies with geographically dispersed teams for software development projects. In his leisure, he dedicates time to web development and Ironman triathlon training. Find out more about Shane on shanedrumm.com and please reach out and connect with Shane on LinkedIn.
