What is meant by "risk retention" in risk management?

Risk retention in risk management refers to the strategy of accepting responsibility for specific risks, typically because the organization has assessed that the potential impact or likelihood of those risks is manageable or acceptable. This approach may involve intentionally deciding to take on certain risks instead of transferring them to another party, such as through insurance or outsourcing.

When an organization engages in risk retention, it usually means that it has conducted a thorough evaluation of the potential risks and determined that the costs associated with mitigating or transferring those risks do not outweigh the potential benefits. Organizations might adopt this approach for various reasons, including the desire to have greater control over their risk management processes or to retain the financial benefits that may arise if risks do not materialize.

In contrast, completely avoiding all risks would imply a level of caution that may not be feasible or practical in many business contexts, as some degree of risk is inherent in most operations. Outsourcing risk to other companies typically involves transferring those risks, which is the opposite of retention. Insuring against all possible risks would suggest an exhaustive and often impractical strategy, as no business can realistically cover every potential risk. Thus, accepting responsibility for specific risks encapsulates the essence of risk retention effectively.