Risk Management Process – Defining Risk Criteria

Risk Management – Article 13

Risk Management Process – Defining Risk Criteria

Keshav Ram Singhal

First we should understand what risk criteria means. ISO Guide 73:2009 has defined risk criteria as terms of reference against which the significance of a risk (i.e. effect of uncertainty on objectives) is evaluated. It is also clarified that:
- Risk criteria are based on organizational objectives and external and internal context.
- Risk criteria can be derived from standards, laws, policies and other requirements.

Significance of risk needs to be evaluated, so there is a need to define risk criteria to be used. The organization should define risk criteria that reflect the organization’s values, objectives and resources. The organization may impose or derive some risk criteria from legal (statutory and legal) requirements and other requirements to which the organization subscribes.

The organization should consider relevant factors to define risk criteria including:
- The nature and types of causes and consequences that can occur and their measurement way
- The process defining likelihood
- The timeframe of the likelihood/consequences
- The process determining the level of risk
- Stakeholders’ views
- Risk level at which risk becomes acceptable or tolerable
- Whether to consider combination of multiple risks, and if so, which combination to consider and how

The organization should ensure the following with regard to risk criteria:
- Risk criteria should be consistent with the organization’s risk management policy.
- Risk criteria should be defined at the beginning of any risk management process.
- Risk criteria should be continually reviewed.

Next write-up …. Risk Assessment - An Overview