Unsigned risk is your risk
Every risk your org 'accepts' without a named owner defaults back to the CISO. Get the signature, or you inherit the blame.
A risk nobody signed for isn't accepted. It's assigned — to you.
Here is the quiet trap most security programs walk into: the business “accepts” a risk in a meeting, everyone nods, and no one writes down who owns the consequence. When that risk lands — a breach, an outage, a regulator’s letter — the exec who nodded remembers it as your call. Unsigned risk doesn’t disappear. It rolls downhill to the person with “security” in their title.
Acceptance without a name is just deferral
Risk acceptance is a real, legitimate business decision. Not every gap gets fixed; budgets and roadmaps are finite, and a mature program knows how to say “we’ll live with this.” That is fine — when a named business owner accepts it in writing.
What actually happens in most orgs is softer and more dangerous. Security raises the issue. Someone senior says “let’s revisit next quarter” or “the revenue matters more right now.” The meeting moves on. No decision was recorded, no owner assigned, no residual risk stated. That isn’t acceptance. It’s deferral dressed up as a decision, and deferral has a default owner: you.
The test is simple. If the risk materialized tomorrow, could you produce a document showing who decided to carry it, what they understood at the time, and what they chose not to fund? If not, the org will reconstruct that history after the fact — and memory is generous to the people who weren’t in the security seat.
Make the signature cheap and the ownership real
The fix is not more process theater. It’s a lightweight, boring artifact that turns a hallway shrug into an accountable decision. A risk acceptance should fit on one screen:
- The risk, in business terms. Not “unpatched CVE-2026-x.” Rather: “Customer payment data is reachable if this system is compromised; likelihood is moderate, impact is regulatory plus revenue.”
- The options and their cost. Fix, mitigate, or accept — with rough price and time for each.
- The recommendation. Yours. Say what you’d do.
- The named owner. A specific executive with the authority to spend or to accept. Not “the business.” A person.
- An expiry date. Acceptance is temporary. Revisit in 90 or 180 days.
Then get it signed — email approval counts. The point isn’t to build a blame file. It’s to force the decision to be conscious. Half the “accepted” risks in your backlog evaporate the moment someone with a budget has to put their name next to them, because the acceptance was never really a decision — it was an avoidance.
This protects the business, not just you
Framed wrong, this looks like a CISO covering their own back. Framed right, it’s governance working as intended. Boards and regulators increasingly expect to see who owned material risk decisions and what they knew. An org that can produce clean acceptance records demonstrates a functioning risk process. An org that can’t looks negligent — and the individual left holding the unsigned risk looks worst of all.
There’s a cultural payoff too. When executives sign for risk, they start to care about it differently. Abstract “security debt” becomes their debt, with their name on it and a clock ticking. That does more to unlock remediation budget than any heat map ever will.
For the C-level skim
If your CISO is bringing you decisions to sign, that’s not bureaucracy — it’s the risk process doing its job. A security leader who quietly absorbs every unfunded gap is not protecting you; they’re hiding your exposure until it’s too late to act. Ask one question in your next review: which accepted risks have a named owner and an expiry date, and which are just sitting there? The second pile is the one that will surprise you.
Accept risk deliberately. Assign it explicitly. Put a date on it. Everything else is just you, quietly, owning the whole company’s exposure — until the day someone asks who decided that.