Acceptable Risk

Definition(s):

The level of residual risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT System.

Source: NIST 800-16

A level of residual risk to the organization’s operations, assets, or individuals that falls within the defined risk appetite and risk tolerance by the organization.

Source: NIST 800-16lrl

The level of potential losses that a society or community considers acceptable given existing social, economic, political, cultural, technical and environmental conditions. UNISDR Editor’s Note: In engineering terms, acceptable risk is also used to assess and define the structural and non-structural measures that are needed in order to reduce possible harm to people, property, services and systems to a chosen tolerated level, according to codes or “accepted practice” which are based on known probabilities of hazards and other factors.

Source: UNISDR

Acceptable risk is a term used to describe the level of risk that is considered to be acceptable by a particular person, organization, or society. It is typically based on a risk-benefit analysis, which takes into account the potential benefits of a particular activity or decision, as well as the potential risks associated with it.