1. Purpose
Provide the standard form for documenting and requesting formal risk acceptance, and the register structure for tracking all accepted risks through their lifecycle.
2. Scope
This form and register apply to all cyber risks where the treatment decision is to accept the residual risk, either temporarily or on an ongoing basis.
3. Form Content
3.1 Risk Acceptance Request Form
The following information is required for all risk acceptance requests:
Request Information: Requestor name, date, business unit, related risk register entry ID.
Risk Description: Clear description of the risk being accepted, including the specific vulnerability, threat, or control gap.
Risk Assessment: Current risk rating (likelihood and impact scores using the approved methodology), residual risk level after existing controls, and affected assets or processes.
Justification for Acceptance: Business rationale for accepting the risk rather than mitigating, transferring, or avoiding it. Must include cost-benefit analysis comparing treatment cost against potential loss exposure.
Compensating Controls: Description of any compensating controls in place that partially reduce the risk, including their effectiveness and any monitoring requirements.
Acceptance Duration: Requested acceptance period (not to exceed [CUSTOMIZE: 12 months] without re-approval). Include the proposed review date.
Acceptance Conditions: Any conditions under which the acceptance becomes invalid (e.g., changes to threat landscape, business process, or regulatory requirements that would alter the risk assessment).
Approver Information: Name, title, signature, and date. Approval authority must align with the Risk Acceptance Authority Matrix in the Risk Appetite Statement.
3.2 Risk Acceptance Register Structure
The Risk Acceptance Register shall track the following for each accepted risk:
| Field | Description |
|---|---|
| Acceptance ID | Unique identifier (format: RA-[YYYY]-[NNN]) |
| Risk Register Reference | Link to the associated entry in the cyber risk register |
| Risk Description | Summary of the accepted risk |
| Residual Risk Rating | Current residual risk level (Critical/High/Medium/Low) |
| Requestor | Name and business unit of the individual requesting acceptance |
| Approver | Name and title of the individual who approved the acceptance |
| Approval Date | Date the acceptance was approved |
| Expiry/Review Date | Date by which the acceptance must be reviewed or renewed |
| Compensating Controls | Description of compensating controls in place |
| Conditions | Conditions that would invalidate the acceptance |
| Status | Active / Under Review / Expired / Closed (risk mitigated) |
| Last Review Date | Date of the most recent review of this acceptance |
| Review Outcome | Renew / Remediate / Escalate / Close |
3.3 Register Management Process
The Risk Acceptance Register shall be maintained by [CUSTOMIZE: Cyber Risk Management team] in [CUSTOMIZE: GRC tool/system].
Automated alerts shall be generated [CUSTOMIZE: 30 days] prior to acceptance expiry dates, notifying the risk owner and [CUSTOMIZE: Cyber Risk Management].
Acceptances that reach their expiry date without a completed review shall be escalated to [CUSTOMIZE: CISO] within [CUSTOMIZE: 5 business days] of expiry.
The register shall be reviewed in its entirety by [CUSTOMIZE: CISO / Cyber Risk Committee] at least [CUSTOMIZE: quarterly] to identify trends, concentrations, and aging issues.
Summary metrics from the register (total acceptances, risk levels, aging, expiry compliance) shall be included in the [CUSTOMIZE: quarterly] executive cyber risk report.
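The expiry alerting, escalation timing and summary metrics described in this section are easy to get subtly wrong (calendar days versus business days, acceptances that expired but were reviewed on time, malformed IDs that never match an alert rule). The following is an added example, not part of this template or of any GRC tool, that models the register fields of section 3.2 and computes the actions section 3.3 calls for. The thresholds default to the placeholder values above (30-day alert, 5-business-day escalation), the entries are constructed sample data, and the business-day count assumes a Monday-to-Friday week with no holiday calendar.

```python
"""Added example: expiry alerting, escalation and summary metrics over a
risk acceptance register. Entries and thresholds are constructed sample
data following sections 3.2 and 3.3 of the template."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Acceptance ID format RA-[YYYY]-[NNN] from section 3.2
ACCEPTANCE_ID = re.compile(r"^RA-\d{4}-\d{3}$")


@dataclass
class RiskAcceptance:
    acceptance_id: str
    risk_ref: str                 # cyber risk register reference
    residual_rating: str          # Critical / High / Medium / Low
    approval_date: date
    expiry_date: date             # expiry / review date
    status: str                   # Active / Under Review / Expired / Closed
    last_review_date: Optional[date] = None


def business_days_between(start: date, end: date) -> int:
    """Count Mon-Fri days after `start` up to and including `end`
    (assumption: no public-holiday calendar)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def register_actions(entries: List[RiskAcceptance], today: date,
                     alert_days: int = 30,
                     escalation_business_days: int = 5) -> Dict[str, str]:
    """Return {acceptance_id: action} for every entry needing attention on `today`."""
    actions: Dict[str, str] = {}
    for e in entries:
        if not ACCEPTANCE_ID.match(e.acceptance_id):
            actions[e.acceptance_id] = "INVALID_ID"   # never silently skip bad records
            continue
        if e.status == "Closed":
            continue
        days_to_expiry = (e.expiry_date - today).days
        # A review dated on or after expiry means the renewal decision was made on time
        reviewed = e.last_review_date is not None and e.last_review_date >= e.expiry_date
        if days_to_expiry < 0 and not reviewed:
            overdue = business_days_between(e.expiry_date, today)
            actions[e.acceptance_id] = ("ESCALATE_TO_CISO"
                                        if overdue <= escalation_business_days
                                        else "ESCALATION_OVERDUE")
        elif 0 <= days_to_expiry <= alert_days:
            actions[e.acceptance_id] = "ALERT_EXPIRY_APPROACHING"
    return actions


def summary_metrics(entries: List[RiskAcceptance], today: date) -> dict:
    """Figures for the executive report: open total, per-rating counts,
    oldest open acceptance in days, and acceptances expired without review."""
    open_entries = [e for e in entries if e.status != "Closed"]
    by_rating: Dict[str, int] = {}
    for e in open_entries:
        by_rating[e.residual_rating] = by_rating.get(e.residual_rating, 0) + 1
    ages = [(today - e.approval_date).days for e in open_entries]
    expired_unreviewed = sum(
        1 for e in open_entries
        if e.expiry_date < today
        and (e.last_review_date is None or e.last_review_date < e.expiry_date))
    return {"total_open": len(open_entries), "by_rating": by_rating,
            "max_age_days": max(ages, default=0),
            "expired_without_review": expired_unreviewed}


# Constructed sample register; TODAY is a Monday so the business-day maths is visible
TODAY = date(2024, 6, 17)
SAMPLE_REGISTER = [
    RiskAcceptance("RA-2024-001", "CR-17", "High", date(2024, 1, 15), date(2024, 7, 10), "Active"),
    RiskAcceptance("RA-2024-002", "CR-22", "Medium", date(2023, 12, 1), date(2024, 6, 12), "Active"),
    RiskAcceptance("RA-2024-003", "CR-05", "Critical", date(2023, 11, 1), date(2024, 5, 31), "Active"),
    RiskAcceptance("RA-2024-004", "CR-31", "Low", date(2024, 3, 1), date(2024, 6, 10),
                   "Under Review", last_review_date=date(2024, 6, 10)),
    RiskAcceptance("RA-2023-010", "CR-02", "Low", date(2023, 2, 1), date(2024, 2, 1),
                   "Closed", last_review_date=date(2024, 2, 1)),
    RiskAcceptance("RA-24-5", "CR-40", "Medium", date(2024, 5, 1), date(2025, 5, 1), "Active"),
]

if __name__ == "__main__":
    for acceptance_id, action in sorted(register_actions(SAMPLE_REGISTER, TODAY).items()):
        print(f"{acceptance_id}: {action}")
    print(summary_metrics(SAMPLE_REGISTER, TODAY))
```

Two design points worth carrying into a real GRC workflow: an acceptance that has passed its expiry date but carries a review dated on or after that expiry is treated as handled, so renewed acceptances do not keep re-escalating; and the two escalation states distinguish "escalate now, still inside the window" from "the window itself was missed", which is the figure the expiry-compliance metric in the quarterly report should expose.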
4. Compliance
Compliance with this form is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this form must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This form shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
| Approved By | Title | Date |
|---|---|---|
Document Control