Risk Management

Risk Criteria Explained: 4 terms leaders should not confuse

Risk criteria only help when leaders separate the rule, the operating band, the acceptance decision, and the residual risk left after controls.


Key takeaways

  1. Risk criteria are the rule that tells leaders whether a scenario is acceptable, tolerable, or too exposed to proceed.
  2. Risk tolerance sets the operating band, while risk acceptance records the decision for one specific case.
  3. Residual risk is the exposure that remains after controls, so it is not the same as a general approval.
  4. ISO 31000:2018 asks organizations to define criteria before they assess and treat risk.
  5. A risk register only helps when the term leads to an owner, a deadline, and a visible field test.

Risk criteria are the rules that tell leaders whether a scenario is acceptable, tolerable, or too exposed to proceed. They matter because the same hazard can look different in a board review, a risk register, and a supervisor stop decision, and the organization needs one rule that survives all three views.

This explainer is for supervisors, EHS managers, and risk owners who need the vocabulary to drive action. If the team confuses criteria with a matrix color, the register becomes paperwork. If risk appetite sets the boundary, criteria make the boundary usable in the field. The practical test is simple. Can one person use the term and make the next decision without asking for a second interpretation?

Across 25+ years in multinational EHS and more than 250 cultural transformation projects, Andreza Araujo has seen criteria fail when they stay inside templates. In Safety Culture: From Theory to Practice and A Ilusão da Conformidade, the point is the same: a control only exists when repeated decisions treat it as real.

Definition

ISO 31000:2018 asks organizations to define risk criteria before they assess and treat risk, because the order matters. A company cannot know whether a scenario is acceptable until it has decided what level of exposure it is willing to carry, what deviation is still allowed, and what must trigger escalation or redesign.

Risk criteria are the rule. They are not the matrix itself and they are not the score. The criteria tell the team how to read the score, which cases demand review, and when the work should stop. Without that rule, the same hazard can receive different answers from different leaders, which is how a register turns into a filing cabinet.

The 4 terms

Risk criteria

Risk criteria are the boundary line. They say what the organization will treat as acceptable, what it will review, and what it will refuse. Good criteria are specific enough that a supervisor can apply them before the job starts, not only after the monthly review.

James Reason is useful here because latent conditions usually sit behind the visible event. A criterion that stays vague gives those conditions room to drift while the report still looks tidy.

Risk tolerance

Risk tolerance is the operating band around the criteria. It describes how much variation the team can absorb on a normal day before the work must change. A tolerance that is too wide invites drift. A tolerance that is too narrow creates noise and trains people to ignore the rule.

The useful question is not whether the number moved. The useful question is whether the move stayed inside the band that leadership said was still workable.

Risk acceptance

Risk acceptance is the documented decision to proceed with one specific residual risk after controls are in place. It is not a general approval of the whole area or the whole shift. It is one decision for one case, made by one owner who can defend it if the control fails.

That distinction matters because exceptions become routine very quickly when nobody names the decision maker. A site that accepts everything in practice has already stopped using criteria.

Residual risk

Residual risk is the exposure that remains after controls. It is what the organization still carries after it has done the work it claims to have done. Residual risk can be low and still be unacceptable if the consequence is severe or if the control stack is fragile.

That is why residual risk must sit beside criteria, not in place of them. One term describes what is left. The other says whether what is left can be carried.

How to differentiate in practice

Use the table below when the team starts mixing the terms in the same sentence. The goal is not vocabulary purity. The goal is a decision path that a supervisor, an EHS manager, and a plant leader can all use without reinterpreting it.

Risk criteria
  What it answers: What counts as acceptable, tolerable, or too exposed
  Who owns it: Executives and risk owners
  Field test: Can a supervisor apply it before the job starts?

Risk tolerance
  What it answers: How much variation is still inside the boundary
  Who owns it: Operations and site leadership
  Field test: Does the job stay inside the band or drift beyond it?

Risk acceptance
  What it answers: Whether one specific case may proceed
  Who owns it: The decision maker for that case
  Field test: Is the exception documented and defensible?

Residual risk
  What it answers: What exposure remains after controls
  Who owns it: Control owner and decision owner
  Field test: Would the same case still feel acceptable if the control failed today?

When to use each term

Use risk criteria when the team is setting the rule. Use risk tolerance when the question is how much day-to-day variation the operation can absorb. Use risk acceptance when one specific case needs a go/no-go decision. Use residual risk when the controls are already in place and the team needs to judge what remains.

If the site cannot separate those moments, the discussion is already too vague. The register may still look complete, but the organization will be treating different decisions as if they were the same decision.

What leaders should do next

Start by writing one plain language criterion for the top scenarios that can lead to serious harm. Then translate it into a tolerance band, a named acceptance owner, and one field check that proves the control still exists. If any of those four pieces is missing, the rule is not ready for the field.

If your team wants help turning criteria into a working decision rule, start with Andreza Araujo's books and tools at the store. A criterion only matters when it changes the next decision.

FAQ

What are risk criteria?

Risk criteria are the rules that tell leaders whether a scenario is acceptable, tolerable, or too exposed to proceed. They turn a judgment into a repeatable decision.

Is risk tolerance the same as risk acceptance?

No. Risk tolerance is the operating band of variation that the team can absorb. Risk acceptance is the documented decision to proceed with one specific residual risk.

How is residual risk different from criteria?

Residual risk is the exposure left after controls are in place. Criteria are the rules that say whether that remaining exposure is still acceptable.

Which Andreza Araujo book fits this topic best?

Safety Culture: From Theory to Practice fits because criteria only work when repeated decisions stay consistent. A Ilusão da Conformidade fits because a clean template does not prove control.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
