Regulatory compliance. Any accepted risk must adhere to regulatory requirements.
Risk acceptance has two basic types: active acceptance and passive acceptance.
Passive acceptance indicates that an organization is aware of a risk, but has no risk mitigation plan to respond to that risk. For example, an organization understands that some employees leave the company with no notice, but it doesn't have an established human resources strategy to replace them.
In contrast, active acceptance means that the organization is aware of a risk and has a recognized contingency plan for incident response if that risk rises above a threshold that requires mitigation. For example, an organization acknowledges supply chain vulnerabilities and develops a response playbook in case the risk materializes.