Acceptance is when the organisation, fully aware of the risk, consciously decides to do nothing about it. This may be because the organisation, having assessed the risk, judges its size or scale to be small enough that no action is warranted (i.e. the risk is within its risk appetite). Alternatively, the risk may be at the other extreme: the organisation can do nothing to change it but decides it still wants to operate with that risk. In this situation the organisation is either changing its risk appetite or must accept that it is operating outside its agreed risk appetite.
It is the people accountable for the overall viability of the organisation who must accept any risk that exceeds appetite. Those decision makers should be clear about which risks they have accepted and what the consequences of those decisions are.
The decision not to mitigate a risk any further (see Section 3.4) means that you are accepting the current risk level. It does not mean the risk has gone away or can no longer materialise.
Good practice is to link your current risk level to your financial forecasts so that the current level of risk is properly accounted for. You should not link your forecasts to your residual risk level, because the residual level is the one you expect only after planned mitigation has been completed and has yet to be achieved.