Acceptance of the residual risks that remain after Risk Treatment has to take place at the level of the executive management of the organization (see the definitions in Risk Management Process). In this sense, Risk Acceptance concerns the communication of residual risks to the decision makers.
Once accepted, residual risks are considered risks that the management of the organization knowingly takes. The level and extent of accepted risks are one of the major parameters of the Risk Management process: the higher the accepted residual risk, the less work is involved in managing risks, and vice versa.
This does not mean, however, that once accepted the risks will not change in subsequent iterations of the Risk Management life-cycle. Within the recurring phases and activities of the Risk Management process (in particular Risk Treatment as well as Monitor and Review) the severity of these risks is re-measured over time. Where new assertions are made or changed technical conditions are identified, risks that have already been accepted need to be reconsidered.
Risk Acceptance is considered an optional process, positioned between Risk Treatment and Risk Communication. It is optional because it can be covered by the Risk Treatment and Risk Communication processes together, by communicating the outcome of Risk Treatment to the management of the organization. One reason for mentioning Risk Acceptance explicitly is the need to draw management's attention to this decision, which would otherwise merely be a communicative activity.
In the attached inventories, Risk Acceptance has been included in the assessment of methods and tools, as it may be a decision criterion for certain kinds of organizations (e.g. in the financial and insurance sector, in critical infrastructure protection, etc.).