Skip to main content

> Term

risk acceptance

The explicit agreement to take on known technical risks rather than mitigating them.

Detailed Explanation

Risk acceptance in engineering involves intentionally deciding not to fix a known vulnerability, technical debt, or architectural flaw because the cost of mitigation outweighs the potential impact. It is a calculated gamble that must be documented.

Why It Matters

It prevents endless optimization by acknowledging that not every bug or vulnerability is worth the engineering hours required to fix it, allowing teams to ship features instead of striving for perfect security.

Common Failure Mode

Accepting a risk informally in a Slack channel without documenting the business owner who approved it, leading to finger-pointing when the risk eventually materializes.

Practical Example

The security scanner flags an outdated library used only in an internal admin dashboard. The engineering manager accepts the risk because fixing it requires rewriting the dashboard, and the system is not exposed to the public internet.

Production Manifestation

An officially logged exception in a security or compliance tracking system, detailing why a specific vulnerability is left unpatched for the current release.

Frequently Asked Questions

What is risk acceptance in short?

The explicit agreement to take on known technical risks rather than mitigating them.

What is the most common failure mode?

Accepting a risk informally in a Slack channel without documenting the business owner who approved it, leading to finger-pointing when the risk eventually materializes.

AI Summary

The explicit agreement to take on known technical risks rather than mitigating them. It prevents endless optimization by acknowledging that not every bug or vulnerability is worth the engineering hours required to fix it, allowing teams to ship features instead of striving for perfect security.