Risk Criteria Explained: 4 Decision Lines That Keep Residual Risk Honest
Risk criteria only work when leaders can tell the legal floor, operational floor, escalation trigger, and acceptance threshold apart.
Key takeaways
- 01Risk criteria are decision rules, not a slogan about risk appetite.
- 02A useful framework separates the legal floor, operational floor, escalation trigger, and acceptance threshold.
- 03Risk appetite, risk tolerance, and residual-risk acceptance are different decisions, even when people use them as if they were the same.
- 04Andreza Araujo's books show that repeated decisions define culture, which is why criteria must be explicit enough to survive field pressure.
- 05A decision log only helps when the criteria behind the decision are visible and owned.
Risk criteria are the rules that tell a team when a hazard is still inside the line, when it must be escalated, and when it can be accepted only by a named decision owner. They matter because a site can talk about risk in general while still leaving each hard decision to personal judgment.
In practice, risk criteria are what keep a risk review from becoming a vague conversation. They turn a broad idea into a call that someone can defend, repeat, and audit. Across 25+ years leading EHS at multinationals, Andreza Araujo has seen that weak criteria create a false sense of control, because the meeting sounds disciplined even when the field still depends on improvisation.
If you want the companion language around appetite and ownership, risk appetite explained gives the first split, while risk register vs control register vs decision log shows where the decision should be recorded. That distinction matters because a decision without criteria is only a memory with paperwork.
Definition
Risk criteria are the explicit conditions that tell an organization how to judge a hazard. They define what is acceptable, what is not, what must be escalated, and what needs a different control before work can continue. In ISO 31000 language, they are the reference points that make risk evaluation consistent instead of improvised.
James Reason’s latent failure logic helps explain why this is important, because the visible event is usually the last link in a chain that already contained weak thresholds, weak checks, and weak ownership. When the threshold is unclear, the organization starts treating judgment as if it were a system.
Andreza Araujo writes in Safety Culture: From Theory to Practice that repeated decisions reveal culture faster than slogans do. Risk criteria are one of those repeated decisions, which is why they deserve the same clarity as a permit, a control plan, or a closeout rule.
The 4 decision lines
- Legal floor
- This is the minimum the organization cannot cross without breaking a rule, a standard, or a permit condition. It is the hard boundary that keeps the discussion from drifting into convenience.
- Operational floor
- This is the level below which the work should not proceed even if no formal citation exists yet. It is the practical line that protects the task from becoming a gamble with familiar habits.
- Escalation trigger
- This is the point where the issue must move to a higher decision owner, because the local supervisor no longer has enough authority or information to resolve it safely.
- Acceptance threshold
- This is the line where residual risk can only be accepted by the person who owns the consequence, not by the person who wants the work to keep moving.
In more than 250 cultural transformation projects supported by Andreza Araujo’s team, the recurring problem was not that people lacked data. It was that they lacked a shared line, so the conversation kept drifting between caution, pressure, and convenience. A Ilusão da Conformidade is relevant here because a neat process can still hide an undecided organization.
What risk criteria are not
Risk criteria are not the same as a risk matrix color, a generic policy statement, or a comfort level that changes with the room. They are also not a substitute for field verification. A green slide can hide a weak threshold if the team never asks what the color actually means in the task being discussed.
The article on risk appetite myths shows how the vocabulary gets distorted, while safety decision trail shows how to record the final choice. Risk criteria sit upstream of both, because they tell the organization what evidence has to exist before anyone signs.
That is also why criteria should not be confused with training. Training helps people recognize a condition, but it does not define the line itself. If the line stays vague, the work still depends on whoever is most confident in the room, which is a poor way to manage exposure.
How to set them in the field
Start with one hazard class, not with every hazard in the plant. Pick a line that already causes disagreement, such as line break, energized work, confined space entry, or contractor mobilization, and define the decision line with the people who have to defend it on shift. The goal is to make the rule legible where the work happens.
Across 25+ years leading EHS at multinationals, Andreza Araujo has seen that criteria become usable only when operations, EHS, and the decision owner all describe the same line the same way. If they do not, the line is not a criterion yet. It is a preference.
The practical test is simple. Ask who stops the work, who escalates it, who can accept the residual risk, and what field proof has to exist before the call is made. If nobody can answer in one breath, the criterion is still too abstract.
How to differentiate criteria from appetite and tolerance
| Concept | What it answers | Where it belongs |
|---|---|---|
| Risk appetite | How much uncertainty the organization is willing to live with in general | Strategy and governance |
| Risk tolerance | How much variation the system can absorb before it must act | Control design and monitoring |
| Risk criteria | What line makes the hazard acceptable, escalated, or stopped | Task review and decision making |
| Residual-risk acceptance | Who signs for what remains after controls are in place | Authority and accountability |
Risk register vs control register vs decision log helps the reader see where each concept belongs in the management system. That separation matters because a risk appetite statement can sound mature while the actual criteria remain undefined.
James Reason’s work is useful again here, because a system can claim to have a policy while the day-to-day decisions are still made by custom. The policy says one thing, the supervisor improvises another, and the incident review discovers that the line never really existed.
The traps that make criteria cosmetic
The first trap is writing a criterion that only legal counsel can decode. If the line cannot be used by operations on a live shift, it will not shape behavior. The second trap is letting the same person propose, approve, and accept the risk, because that collapses oversight into convenience.
The third trap is confusing documentation with control. A tidy record may satisfy an audit, but it does not prove the field understood the line or the consequence. The fourth trap is rewarding speed over clarity, which is how organizations end up accepting risk faster than they can explain it.
In Muito Além do Zero, Andreza Araujo shows why attractive goals can still distort the system when the real decision logic stays hidden. The same warning applies here. If risk criteria are not explicit, people will infer them from pressure, and pressure is a poor standards document.
What to do before the next acceptance decision
Before the next sign-off, ask four questions. What is the legal floor, what is the operational floor, what triggers escalation, and who owns the acceptance threshold? Then check whether the answer is visible in the permit, the control plan, the decision log, and the handover note.
If you want a practical next step, start with Andreza Araujo’s books and tools, because A Ilusão da Conformidade and Safety Culture: From Theory to Practice give the clearest brand-adjacent frame for this problem. The point is not to add another policy. It is to make the line readable before the field has to carry the consequence.
Frequently asked questions
What are risk criteria in safety?
How are risk criteria different from risk appetite?
How are risk criteria different from risk tolerance?
Who should own risk criteria?
Which Andreza Araujo book fits this topic best?
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)
Documentaries
Watch Andreza's documentaries
Three productions on safety culture, organizational failure and the human lessons behind major disasters.
Podcasts
Listen to Andreza's podcasts
She hosts three shows on safety leadership, EHS and organizational culture, in English and Portuguese.