Our procedure is similar. All highly critical, critical and less critical findings require corrective action or risk acceptance. The most minor comments (observations) do not require an action plan.
Line management may decide to accept the risk by providing executive management and the risk/audit committees with appropriate reasons. These can include their own view of materiality, cost/benefit, and budgetary constraints. If a risk is accepted, an annual re-evaluation of this decision is required since conditions, cost/benefit etc. can change over time. The risk/audit committee reviews acceptances and obviously has the final word.
A form documenting all of this information as well as line management and executive management approval is completed with supporting documentation and is available for regulatory and audit review.