For decades, risk management frameworks have cited the same four risk treatment options: accept, mitigate, transfer, and avoid. There is, however, a fifth option that some organizations select: ignore the risk.
Ignoring a risk is a choice, though rarely a wise one. It means doing nothing about the risk, not even making a decision about it; it amounts to pretending the risk does not exist. The risk is off the books: it is never added to a risk register for consideration, yet it remains a risk nonetheless.
In some cases, such as items of minimal risk, this may be perfectly acceptable. The theft of a paperclip is simply too small to warrant a place in a risk register, and it would be wise to leave it off unless there is a specific reason to include it. In other cases, listing even minimal risks is critical because compliance requirements dictate that specific risks be considered in risk evaluations. Choosing the right level of detail for a risk register requires experience, attention to the organization’s culture, and striking the right balance.
Organizations without risk management programs implicitly ignore all risks, or at least many of them. Other organizations practice informal and perhaps even reckless risk management: risk management by gut feel. Without a systematic framework for identifying risks, many are likely to go undiscovered. This practice can also be regarded as ignoring risks, through an implicit refusal to identify and treat them properly.
Note that ignoring risk, particularly when governance requires that you manage it, is usually a violation of the principles of due diligence and due care. An organization that has a duty to manage risk and simply does not can face legal claims of “willful negligence.”
– excerpt from CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide, to be published in early 2022