
Risk Acceptance is a risk response strategy in which the project team consciously decides to acknowledge an identified risk and take no action unless or until that risk materialises (PMBOK®, 6th edition, Glossary). All risks must be assessed consistently and documented in the risk register. The decision to accept a risk should never be taken lightly.
A formal acceptance process is required, supported by a completed risk acceptance form that has been reviewed, signed, and approved by the relevant stakeholders. This ensures that all appropriate personnel within the organisation are fully informed of the risks the team has chosen to accept. The PMI offers the following recommendations:
Risk acceptance involves the conscious acknowledgement that, while a certain degree of threat exists within a project, that threat is considered insufficient to warrant proactive intervention. It is an especially appropriate strategy for low-priority threats (PMBOK®, 6th edition, ch. 11.5.2.4).
Risk Management Techniques

Risk acceptance begins within the broader framework of risk management processes. Risk management is the discipline of identifying and addressing potentially loss-causing events before they affect the project. It provides the structured foundation from which any acceptance decision should emerge, ensuring that teams make informed choices rather than overlook potential threats.
Risk identification, risk analysis, and risk treatment are the three core processes used to evaluate and respond to project threats. Each process builds on the previous one, allowing teams to develop a comprehensive picture of what risks exist, how significant they are, and what the most appropriate responses might be. Without this foundation, risk acceptance lacks the justification it requires.
Identify Risks
During a risk workshop or specialized planning meeting, the risk identification team assembles to brainstorm and imaginatively map potential future scenarios before cataloguing individual project risks (PMBOK, 6th edition, ch. 11.2). Project managers, team members, risk specialists, and subject matter experts are typically central to this process, though all relevant stakeholders should be encouraged to participate to ensure broad coverage.
One of the most widely recognized identification techniques is SWOT Analysis, which examines the project’s strengths, weaknesses, opportunities, and threats. It begins by assessing the organization’s internal landscape, helping to surface risks that originate from within the project or business unit itself (PMBOK, 6th edition, ch. 11.2.2.3). This internal focus broadens the scope of risk identification beyond external factors alone.
After identifying risks, the team collates them in a risk register and collectively assesses each one for probability and impact. This assessment supports risk ranking, which enables project managers to evaluate each risk individually and determine the most appropriate response strategy. The risk register becomes the living record that guides all subsequent risk management decisions throughout the project lifecycle.
Risk Response Strategies
Accept Risk
Risk acceptance is most appropriate for low-priority threats where the cost or effort of any other response outweighs the potential impact of the risk itself. It is a conscious, deliberate choice to acknowledge that a threat exists while determining that proactive intervention is not warranted at this time. Acceptance should always be documented and reviewed periodically to ensure conditions have not changed.
Avoid Risk
Risk avoidance involves taking deliberate action to eliminate a threat or shield the project from its consequences. It is most suitable for high-priority threats with a high probability of occurrence and a significant negative effect on project objectives. Avoidance actions may include removing the cause of a threat, adjusting the schedule, reducing scope, clarifying requirements, improving communication, or acquiring specialized expertise (PMBOK, 6th edition, ch. 11.5.2.4).

Escalate Risks
Escalation is appropriate when a threat is determined to fall outside the project’s scope or when the proposed response exceeds the project manager’s authority. The project manager identifies the correct individual or department to assume ownership and communicates all relevant details for that escalation. Escalated risks are generally no longer monitored at the project level, though they may remain recorded in the risk register for reference (PMBOK, 6th edition, ch. 11.5.2.4).
Transfer or Share Risk
Risk transfer involves shifting ownership of a threat to a third party, who then bears the impact if the risk materializes. This often involves paying a risk premium to the receiving party and is commonly achieved through insurance, performance bonds, warranties, or contractual guarantees (PMBOK, 6th edition, ch. 11.5.2.4). Transfer is most effective when a third party is better positioned to manage a specific category of risk.
Mitigate Risk
Risk mitigation focuses on reducing the probability or impact of a threat before it occurs. Early mitigation action is consistently more effective than addressing damage after the fact. Common mitigation strategies include adopting less complex processes, implementing security policies, increasing testing frequency, selecting more stable vendors, or building redundancy into critical systems (PMBOK, 6th edition, ch. 11.5.2.4).
Risk Assessment and Review
Risk assessment is a fundamental component of effective risk management, encompassing the identification of potential risks and a structured evaluation of their probability and impact. Probability, in this context, refers to the likelihood that an identified risk will materialise.
Risk probability assessment provides a systematic basis for determining how likely a specific risk is to occur (PMBOK®, 6th edition, ch. 11.3.2.3). It forms the foundation for the broader risk analysis that project managers are expected to conduct throughout the project lifecycle.
Investigation of Risk Acceptance

Regardless of whether risk is accepted passively or actively, project teams must document and justify both the rationale behind the decision and its potential consequences. This necessitates a structured, quantitative investigation of risk acceptance. To conduct such an investigation effectively, a validated measurement instrument is required.
This should be one that is capable of assessing the level of risk undertaken and the degree of risk the team is prepared to tolerate throughout the project lifecycle. The frequency of these investigations should be calibrated to the project’s anticipated risk exposure, with higher-exposure projects warranting more regular review.
Concept of Risk Acceptance Criteria Types: Active and Passive Risk Acceptance
Risk Acceptance may also be adopted when it is not possible or cost-effective to address a threat through any other means (PMBOK®, 6th edition, ch. 11.5.2.5). This strategy can take one of two forms: active or passive.
- The most common active Risk Acceptance strategy is to establish a contingency reserve, comprising time, money, or resources allocated to address the threat should it materialise (PMBOK®, 6th edition, ch. 11.5.2.5, ch. 11.5.2.7).
- Passive Risk Acceptance, by contrast, requires no proactive intervention. It consists solely of periodic reviews of the identified threat to confirm that it has not changed significantly (PMBOK®, 6th edition, ch. 11.5.2.4). For optimal project outcomes, however, active risk acceptance is strongly recommended as the preferred course of action.
Active Acceptance of Risk
As stated earlier, Risk Acceptance can be active or passive (PMBOK®, 6th edition, ch. 11.5.2.4). The most advisable response is active risk acceptance. Actively accepting risk is a contingency measure designed for use only if certain events occur. When we actively accept a risk, we prepare a response plan that will be executed only under certain predefined conditions. Making such a plan reflects our belief that there will be sufficient warning to implement it.
In this regard, defined events, such as missing intermediate milestones or gaining higher priority with a seller, should be tracked and, once observed, should trigger the contingency responses. For this reason, risk responses identified using this technique are often called contingency plans or fallback plans (PMBOK®, 6th edition, ch. 11.5.2.6).

Risk Acceptance Examples
TANAP Project: A Real-World Case Study in Risk Acceptance
Throughout a project’s life cycle, project teams frequently encounter risks that must be acknowledged and accepted rather than avoided. The history of the Trans-Anatolian Natural Gas Pipeline (TANAP) project serves as a compelling case study illustrating the practical application of Risk Acceptance at both a national and project management level.
Before the initiation of the Trans-Anatolian Natural Gas Pipeline, the European Union had long passively accepted the risk of depending on Russia for approximately 40% of its natural gas supply. Given the considerable scale of the TANAP project and its significant scheduling demands, TANAP Natural Gas Transmission Co. made the strategic decision to award contracts to four separate contractors, tasked with executing their respective scopes of work concurrently.
In doing so, TANAP accepted a substantial management risk, coordinating four major contractors working simultaneously on the same pipeline infrastructure. By 2014, however, it became evident that passive acceptance was no longer sufficient. The TANAP team recognised the need to actively manage contractor performance to safeguard project progress.
In response, TANAP transitioned to active risk acceptance by establishing a dedicated team to deliver specialist services, including engineering, procurement, construction, and project management, on an as-needed basis. This transition, while necessary, introduced an additional layer of risk, ultimately leading to important distinctions between Risk Acceptance and Risk Sharing.
Risk Acceptance vs. Risk Sharing
As I highlighted earlier, Risk Acceptance is a risk response strategy in which the project team decides to acknowledge the risk and not take any action unless the risk occurs (PMBOK®, 6th edition, Glossary). Conversely, a risk-sharing response strategy involves being willing to share ownership of an opportunity with a third party who can best capture the benefit of that opportunity (PMBOK®, 6th edition, Glossary).
Risk Sharing Example
Examples of risk sharing are getting insurance and forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures (PMBOK®, 6th edition, ch. 11.5.2.5). For this reason, risk sharing is sometimes referred to as Risk Transference (PMBOK®, 6th edition, Glossary, ch. 11.5.2.7).
Risk Transference Example
Risk Transference is a risk response strategy in which the project team shifts the impact of a threat to a third party, together with ownership of the response (PMBOK®, 6th edition, Glossary). Where such a transfer strategy is required, it may involve the payment of a risk premium.
Examples of both transfer and share strategies for overall project risk include, but are not limited to, setting up a collaborative business structure in which the buyer and the seller share the overall project risk, launching a joint venture or special-purpose company, or subcontracting critical elements of the project (PMBOK®, 6th edition, ch. 11.5.2.4, ch. 11.5.2.5, ch. 11.5.2.7).
Conclusion
Risk acceptance is a legitimate and often necessary strategy in project management, but it must be applied with intention and supported by solid documentation. Whether a team opts for active or passive acceptance, the decision should follow a thorough assessment of probability, impact, and available alternatives. Properly executed, risk acceptance reflects not indifference to threat, but a rational, evidence-based judgment about where resources and attention are most needed.
As projects grow in complexity, the ability to make clear, justified risk decisions becomes increasingly valuable. Teams that build structured risk management practices, maintain accurate risk registers, and revisit acceptance decisions throughout the project lifecycle will be far better equipped to protect their outcomes. Taking a disciplined approach to risk acceptance today lays the groundwork for more resilient, better-governed projects in the future.
FAQs
What is a risk acceptance form?
A risk acceptance form is a formal document used to officially record and approve the decision to accept a specific risk during a project. It is stored alongside other project artifacts managed by the project manager and serves as an auditable record that the acceptance decision was made deliberately, with appropriate stakeholder awareness and sign-off.
What are the five risk response strategies?
The five risk response strategies outlined in the PMBOK are acceptance, escalation, avoidance, transfer, and mitigation. Each strategy is suited to different levels of risk priority, probability, and impact. Selecting the right response depends on a thorough risk assessment and an understanding of the project’s constraints, tolerance levels, and available resources.
Who is responsible for risk acceptance?
The project team holds primary responsibility for accepting a risk, with the decision grounded in a shared understanding of the risk’s probability, impact, and overall exposure. The project manager typically leads this process, but sign-off from relevant stakeholders or sponsors is often required to ensure accountability and organizational awareness of the accepted threat.
What is the difference between active and passive risk acceptance?
Active risk acceptance involves creating a contingency plan or reserving resources to respond if the risk occurs, triggered by predefined conditions. Passive acceptance involves monitoring the risk periodically without any prepared response. Active acceptance is generally preferred because it ensures the team is ready to act quickly and effectively if the threat materializes during the project.
What is the difference between avoiding a risk and accepting a risk?
Risk avoidance involves taking deliberate action to eliminate a threat or remove its potential impact from the project entirely. Risk acceptance, by contrast, acknowledges the threat but defers action unless the risk actually occurs. Avoidance is typically used for high-priority, high-probability threats, while acceptance is more appropriate when the risk is low-priority or when other responses are not cost-effective.
Shane Drumm, holding certifications in PMP®, PMI-ACP®, CSM, and LPM, is the author behind numerous articles featured here. Hailing from County Cork, Ireland, his expertise lies in implementing Agile methodologies with geographically dispersed teams for software development projects. In his leisure, he dedicates time to web development and Ironman triathlon training. Find out more about Shane on shanedrumm.com and please reach out and connect with Shane on LinkedIn.