Whether you are an information security or audit professional, you belong to a community that focuses on risk. You’ve developed this risk focus because, for most of you, your profession requires you to protect assets for which you probably do not have enough resources. In many if not most situations, a risk assessment is performed that compares perceived threats to actual controls to identify gaps that result in some type of residual risk. You then decide whether to insure against the risk, implement additional controls to reduce the risk, or do nothing and accept the risk.

Reasons for accepting the risk and doing nothing vary

There are many reasons for accepting the risk and doing nothing. Some of these reasons are grounded in solid business decision making. Unfortunately, other reasons result from ignorance. Frequent causes for doing nothing, and thereby accepting the risk, that I’ve observed during my 35-year career of working with all types of organizations include:

It never happened yet – Perhaps the hardest argument is convincing someone that they need to prepare for something even though it hasn’t happened yet in their organization.

It will never happen here – The organization is too small, unknown, or already spends a lot of money on other solutions.

Ignorance by business stakeholder – This is a variation of the frequently quoted “ignorance is bliss,” and usually involves some failure of the business stakeholder to understand and appreciate the risk, so the risk gets ignored.

Ignorance by risk professional – As information security evolves into a profession and takes its rightful place alongside other professions, “the profession” needs to ensure that its practitioners are up to date on the latest threats and are using recognized approaches to provide guidance to their stakeholders.

Don’t have the resources or time – This can go both ways and includes both traditional expenditures and soft dollars. Many times organizations and their security practitioners seek to resolve the risk. Yet sometimes, due to inefficiencies in performing their jobs, resources are deployed to lesser risks or activities.

Organizational silos – There are some very valid reasons why business stakeholders should protect their data. However, sometimes the motivation results more from organizational “turf battles” than actual care for the information. Although we need to respect organizational boundaries, we need to remind those charged with governance that criminals and hackers do not take a siloed approach to their work – rather, they integrate whatever they need to do to accomplish their objectives.

It’s not cost beneficial – This can be a very valid reason. Generally, the cost of the control should not exceed the impact of the risk actually occurring.

Can’t quantify the return on investment (ROI) – Unfortunately, resources for most organizations are scarce, and in some it is hard to obtain needed resources unless the requestor can quantify the potential benefits and costs. Unfortunately, many in the profession do not have access to the data that would enable them to provide the requisite information to their stakeholders.

Expectations for rationalizing risk acceptance continue to increase

Both financial and industry regulators continue to raise their expectations on how organizations accept risk. For financial reporting purposes (and Sarbanes-Oxley compliance), you will need to document an alternative control or the reason why the risk will not materially impact the financial statements (although materiality is a complex accounting concept, for our purposes think of it as impacting the decision making of the financial statement user – e.g., shareholder, regulator, creditor, customer or employee).

For a regulated organization, accepting the risk gets a little more complicated. Organizations will need to determine whether the risk impacts a regulatory requirement (e.g., a law or something else that must be done) or regulatory guidance (e.g., a best or other recommended practice). In either case, the organization may (and probably will) need to justify its decision to do nothing to some type of outside auditor or regulator.

Accepting the risk requires more than doing nothing from risk professionals

It has frequently been said that business plans derive their benefits not because they are a written document but because they force “tough” thinking and conversations that are the prerequisites to developing the plan itself. Despite the effort involved in documenting the risk acceptance decision, organizations, their risk management professionals and business executives should be able to realize similar benefits from formalizing the risk acceptance decision.

Taking the next step and documenting the risk acceptance decision need not be complex or administratively burdensome. An understanding of the threat, and of either the mitigating factors (e.g., why the risk level can be reduced to an acceptable level) or the compensating factors (other factors that, when considered together, reduce the risk level), should be clearly explained. When available, the ability to quantify potential impacts can further justify the decision. Other information such as probabilities of occurrence and value at risk can provide a fuller rationalization as to why no action was taken to address the risk.

You can’t do nothing until they agree with you

The risk is not accepted until all key stakeholders agree and physically sign a risk acceptance document noting their agreement that no further action will be taken. During the decision-making process, the business stakeholder is typically the greatest advocate for accepting the risk and often places undue pressure on risk management and auditing professionals to concur. After a risk materializes (or a threat is exploited), fingers unfortunately point to these professionals. Having everyone’s signature evidencing why we all accepted the risk provides shared accountability for doing nothing – just in case we are asked about it in the future.