Risk Criteria Explained: 4 terms leaders should not confuse
Risk criteria only help when leaders separate the rule, the operating band, the acceptance decision, and the residual risk left after controls.

Key takeaways
- Risk criteria are the rule that tells leaders whether a scenario is acceptable, tolerable, or too exposed to proceed.
- Risk tolerance sets the operating band, while risk acceptance records the decision for one specific case.
- Residual risk is the exposure that remains after controls, so it is not the same as a general approval.
- ISO 31000:2018 asks organizations to define criteria before they assess and treat risk.
- A risk register only helps when the term leads to an owner, a deadline, and a visible field test.
Risk criteria are the rules that tell leaders whether a scenario is acceptable, tolerable, or too exposed to proceed. They matter because the same hazard can look different in a board review, a risk register, and a supervisor stop decision, and the organization needs one rule that survives all three views.
This explainer is for supervisors, EHS managers, and risk owners who need the vocabulary to drive action. If the team confuses criteria with a matrix color, the register becomes paperwork. If risk appetite sets the boundary, criteria make the boundary usable in the field. The practical test is simple. Can one person use the term and make the next decision without asking for a second interpretation?
Across 25+ years in multinational EHS and more than 250 cultural transformation projects, Andreza Araujo has seen criteria fail when they stay inside templates. In Safety Culture: From Theory to Practice and A Ilusão da Conformidade, the point is the same: a control only exists when repeated decisions treat it as real.
Definition
ISO 31000:2018 asks organizations to define risk criteria before they assess and treat risk, because the order matters. A company cannot know whether a scenario is acceptable until it has decided what level of exposure it is willing to carry, what deviation is still allowed, and what must trigger escalation or redesign.
Risk criteria are the rule. They are not the matrix itself and they are not the score. The criteria tell the team how to read the score, which cases demand review, and when the work should stop. Without that rule, the same hazard can receive different answers from different leaders, which is how a register turns into a filing cabinet.
The 4 terms
Risk criteria
Risk criteria are the boundary line. They say what the organization will treat as acceptable, what it will review, and what it will refuse. Good criteria are specific enough that a supervisor can apply them before the job starts, not only after the monthly review.
James Reason is useful here because latent conditions usually sit behind the visible event. A criterion that stays vague gives those conditions room to drift while the report still looks tidy.
Risk tolerance
Risk tolerance is the operating band around the criteria. It describes how much variation the team can absorb on a normal day before the work must change. A tolerance that is too wide invites drift. A tolerance that is too narrow creates noise and trains people to ignore the rule.
The useful question is not whether the number moved. The useful question is whether the move stayed inside the band that leadership said was still workable.
Risk acceptance
Risk acceptance is the documented decision to proceed with one specific residual risk after controls are in place. It is not a general approval of the whole area or the whole shift. It is one decision for one case, made by one owner who can defend it if the control fails.
That distinction matters because exceptions become routine very quickly when nobody names the decision maker. A site that accepts everything in practice has already stopped using criteria.
Residual risk
Residual risk is the exposure that remains after controls. It is what the organization still carries after it has done the work it claims to have done. Residual risk can be low and still be unacceptable if the consequence is severe or if the control stack is fragile.
That is why residual risk must sit beside criteria, not in place of them. One term describes what is left. The other says whether what is left can be carried.
How to differentiate in practice
Use the table below when the team starts mixing the terms in the same sentence. The goal is not vocabulary purity. The goal is a decision path that a supervisor, an EHS manager, and a plant leader can all use without reinterpreting it.
| Term | What it answers | Who owns it | Field test |
|---|---|---|---|
| Risk criteria | What counts as acceptable, tolerable, or too exposed | Executives and risk owners | Can a supervisor apply it before the job starts? |
| Risk tolerance | How much variation is still inside the boundary | Operations and site leadership | Does the job stay inside the band or drift beyond it? |
| Risk acceptance | Whether one specific case may proceed | The decision maker for that case | Is the exception documented and defensible? |
| Residual risk | What exposure remains after controls | Control owner and decision owner | Would the same case still feel acceptable if the control failed today? |
When to use each term
Use risk criteria when the team is setting the rule. Use risk tolerance when the question is how much day-to-day variation the operation can absorb. Use risk acceptance when one specific case needs a go/no-go decision. Use residual risk when the controls are already in place and the team needs to judge what remains.
If the site cannot separate those moments, the discussion is already too vague. The register may still look complete, but the organization will be treating different decisions as if they were the same decision.
What leaders should do next
Start by writing one plain language criterion for the top scenarios that can lead to serious harm. Then translate it into a tolerance band, a named acceptance owner, and one field check that proves the control still exists. If any of those four pieces is missing, the rule is not ready for the field.
If your team wants help turning criteria into a working decision rule, start with Andreza Araujo's books and tools at the store. A criterion only matters when it changes the next decision.
FAQ
What are risk criteria?
Risk criteria are the rules that tell leaders whether a scenario is acceptable, tolerable, or too exposed to proceed. They turn a judgment into a repeatable decision.
Is risk tolerance the same as risk acceptance?
No. Risk tolerance is the operating band of variation that the team can absorb. Risk acceptance is the documented decision to proceed with one specific residual risk.
How is residual risk different from criteria?
Residual risk is the exposure left after controls are in place. Criteria are the rules that say whether that remaining exposure is still acceptable.
Which Andreza Araujo book fits this topic best?
Safety Culture: From Theory to Practice fits because criteria only work when repeated decisions stay consistent. A Ilusão da Conformidade fits because a clean template does not prove control.
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)