Question 5
Domain 3 — Risk Response and Reporting
When is risk acceptance an appropriate strategy?
Correct answer: B
Explanation
Risk acceptance is used when a risk is not worth treating because the expense or effort would outweigh the value of reducing it. In risk management, this means accepting the risk when "the cost of treatment exceeds the potential benefit."
Why each option is right or wrong
A. When risk exceeds risk appetite
B. When the cost of treatment exceeds the potential benefit
Risk acceptance is the residual-risk decision used when further treatment would be disproportionate to the expected reduction in loss, so the organization deliberately leaves the risk in place rather than spend more to control it. In standard risk-management frameworks, this is the appropriate choice where the expected cost of mitigation is greater than the value of the risk reduction achieved, making treatment economically unjustified.
C. When required by regulators
D. When the board refuses to act