The correct answer is C. A residual risk is accepted when it is equal to or below the target risk. ISO 31000:2018 explains that risk treatment aims to modify risk so that it aligns with the organization's risk criteria, which include risk appetite, tolerance, and target risk levels. Residual risk is the risk remaining after risk treatment has been applied.
An organization determines acceptability by comparing the residual risk against predefined target risk or risk acceptance criteria. When the residual risk falls within acceptable limits, meaning it is equal to or lower than the target risk, it may be accepted without further treatment. This ensures consistency, transparency, and alignment with strategic objectives.
Option A is incorrect because accepting risks higher than the target risk contradicts the purpose of risk criteria. Option B is incorrect because target risk levels vary depending on objectives, context, and appetite; they are not always low. Option D may influence decision-making but is not the formal basis defined by ISO 31000.
From a PECB ISO 31000 Lead Risk Manager perspective, clear acceptance criteria ensure disciplined and defensible risk decisions. Therefore, the correct answer is: a residual risk is accepted when it is equal to or below the target risk.