What acceptable risk really means for regulated firms

January 22, 2026 | 4 min read

For regulated businesses, risk is unavoidable. But misunderstanding what “acceptable risk” actually means is one of the biggest reasons firms fall short of regulatory expectations.

Acceptable risk does not mean ignoring weaknesses, hoping nothing goes wrong, or assuming cyber insurance will pick up the pieces. In regulated sectors such as financial services, accountancy and legal, acceptable risk has a very specific meaning, and regulators expect you to be able to explain it clearly.

This article breaks down what acceptable risk really means, why so many firms get it wrong, and how regulators such as the FCA view it in practice.

Acceptable risk is not “low risk”

One of the most common misconceptions we see is the idea that acceptable risk equals low risk.

It doesn’t.

Acceptable risk is about understanding risk, reducing it where reasonable, and consciously tolerating what remains, with evidence to support those decisions.

From a regulatory perspective, the question is rarely:

“Is there risk?”

It is far more often:

“Did you understand the risk, and did you take appropriate steps to manage it?”

For FCA-regulated firms, this aligns directly with expectations around:

  • Operational resilience

  • Systems and controls

  • Data protection

  • Outsourced IT and third-party risk


If you cannot explain why a risk exists and why it is tolerated, it is unlikely to be considered acceptable.

Why regulated firms underestimate acceptable risk

In our experience working with UK-regulated businesses, acceptable risk is often misunderstood for three key reasons.

  1. Risk has built up gradually

Many risks are the result of years of small IT decisions:

  • Legacy systems that were never retired

  • Access permissions added but never removed

  • Cloud platforms adopted without formal governance


Nothing feels urgent until something breaks.

  2. “We’ve never had a breach”

Past luck is not a control.

Regulators do not assess your risk posture based on what has not happened. They assess it on whether your controls are appropriate today, based on current threat levels.

  3. Risk ownership is unclear

If nobody owns a risk, it isn’t being managed.

We regularly see firms where IT risk is assumed to be “the IT provider’s problem”, while governance and accountability remain unclear internally.

How regulators view acceptable risk

The FCA does not expect zero risk. What it expects is proportionate, evidence-based decision-making.

In practical terms, that means being able to demonstrate:

  • You know what systems and data matter most

  • You understand what could realistically go wrong

  • You have controls in place that match the impact and likelihood of those risks

  • You regularly review and test those controls


Acceptable risk is, therefore, dynamic. As threats evolve, yesterday’s acceptable risk may no longer be acceptable today.

Acceptable risk vs unmanaged exposure

This is where many firms get caught out.

Acceptable risk looks like:

  • A documented decision to tolerate a risk

  • Compensating controls in place

  • Regular review and oversight

  • Clear accountability


Unmanaged exposure looks like:

  • “We didn’t realise that was still in place”

  • “We assumed that was covered”

  • “No one has checked it in years”


Only one of those stands up under regulatory scrutiny.

A practical definition of acceptable risk

At Chapman Technology Partners, we define acceptable risk as:

Risk that is understood, documented, reviewed, and reduced as far as reasonably possible, with clear ownership and evidence to support the decision to tolerate what remains.

As Greg Chapman, Managing Director at Chapman Technology Partners, puts it:

“Acceptable risk isn’t about being comfortable. It’s about being informed. If you can’t clearly explain why a risk exists and what you’ve done about it, it’s unlikely to be acceptable in the eyes of a regulator.”

How to assess your acceptable risk position

If you are unsure whether your current risk profile would stand up to scrutiny, these are the areas to start with:

  • Critical systems and data mapping

  • User access and permissions

  • Backup integrity and recovery testing

  • Third-party and outsourced IT dependencies

  • Incident response readiness


This is exactly why many regulated firms start with an independent risk assessment rather than a reactive security project.

If you want a clearer view of where your risk sits today, our Cyber Risk Assessment is designed specifically for regulated UK businesses.

Acceptable risk is a board-level conversation

Perhaps the most important shift regulated firms need to make is this:

Acceptable risk is not an IT decision. It is a business and governance decision, supported by technical evidence.

Boards and senior management don’t need to understand every technical detail, but they do need:

  • Clear visibility of risk

  • Confidence in controls

  • Assurance that risks are reviewed regularly


Without that, firms often believe they are operating within acceptable risk when, in reality, they are relying on assumptions.

Moving from assumptions to clarity

Understanding acceptable risk properly is not about adding more tools or creating fear. It is about clarity.

Clarity on:

  • What matters most

  • Where exposure exists

  • What you are comfortable tolerating

  • What needs to change


That clarity is what regulators expect, and what resilient businesses are building towards.

If you’d like to understand how acceptable risk applies to your business, we’ve created practical guidance to help regulated firms assess and document their IT and cyber exposure.

Explore our resources or speak to our team for a structured, no-jargon starting point.