Risk Criteria
Risk criteria include:
The amount and type of risk the organization is, or is not, willing to take
Obligations and views of the stakeholders
Uncertainties that can affect outcomes and objectives
How likelihood and consequences will be defined and measured
Timeframe and time-related factors
Measurement techniques and metrics
How the level of risk is to be determined
How combinations and sequences of multiple risks will be taken into account
The organization’s capacity and resources.
Scope considerations include:
Timeframe for analysis
Geographic and virtual locations
Business units to be included
Inclusions and exclusions, including practice areas and domains (e.g. physical, ICT, safety, finance/fraud)
Risk analysis tools and techniques
Records to be kept
Relationships to other groups
Projects, processes and activities.
Risk tolerance can be articulated in whichever way is appropriate for each organization; the following is just one example.
The Australian Government Department of Finance recommends the following 10-step process for defining risk appetite and tolerance¹:
Appoint a core reference group
Validate current risk categories
Review current risk profile
Build a risk appetite statement
Interview senior executive and define risk appetite statement
Engage with SMEs (subject matter experts) to build and refine risk tolerance statements
Senior executive review
Amend risk appetite and tolerance statements as required
Incorporate and communicate
¹ Implementation tips and further detail: Department of Finance (Australian Government), 'Risk Resources', case study 'Defining risk appetite and tolerance', 22 August 2017, https://www.finance.gov.au/sites/default/files/2019-11/case-study-defining-risk-appetite-and-tolerance.pdf. More guidance is available at https://www.finance.gov.au/risk-resources/.