What are Risk Criteria, Scope and Risk Tolerance?

Risk Criteria

Risk criteria include:

  • The amount and type of risk the organization may or may not take

  • Obligations and views of the stakeholders

  • Uncertainties that can affect outcomes and objectives

  • How we will measure and define likelihood and consequences

  • Timeframe and time-related factors

  • Measurement techniques and metrics

  • How the level of risk is to be determined

  • How combinations and sequences of multiple risks will be taken into account

  • The organization’s capacity and resources.

Scope

Scope considerations include:

  • Objectives

  • Expected outcomes

  • Timeframe for analysis

  • Geographic and virtual locations

  • Business units to be included

  • Inclusions and exclusions, including practice areas and domains (e.g. physical, ICT, safety, finance/fraud, etc.)

  • Risk analysis tools and techniques

  • Resources

  • Responsibilities

  • Records to be kept

  • Relationships to other groups

  • Projects, processes and activities.

Risk Tolerance

Risk Tolerance can be articulated in whichever way is appropriate for each organization. The following is just one example.

The Australian Government Department of Finance recommends the following 10-step process for defining risk appetite and tolerance¹:

  1. Appoint a core reference group

  2. Validate current risk categories

  3. Review current risk profile

  4. Build a risk appetite statement

  5. Interview senior executive and define risk appetite statement

  6. Engage with SMEs to build and refine risk tolerance statements

  7. Senior executive review

  8. Amend risk appetite and tolerance statements as required

  9. Committee validation

  10. Incorporate and communicate

¹ Implementation tips and more details are available from the Department of Finance, ‘Risk Resources’, 22 August 2017. More guidance can be found at:
