Some say that ignored risks as part of an organization's behavior are much worse than accepted risks.
I would like to test that axiom (in the eyes of some).
When I am handling a risk and I choose to accept it, it means that I have done risk analysis and risk control, and have chosen to accept this risk and to live with it. When I am doing the same thing, only this time I choose to ignore that risk, am I not doing the same thing? I am living with that risk as part of my operational plan as an organization.
Some would say that it is foolish to ignore risks. However, I see it this way: the only difference between an accepted risk and an ignored risk is the mere fact that when I am accepting a risk, I am keeping myself and my organization self-aware of that risk. And if a risk is ignored, then I probably ignored it because it is a lightweight risk, the chance of it being leveraged is minimal, and the cost of the vulnerability associated with it being exploited is zero to none.
So, is the difference so big?