Risk criteria represent definitions of the types of risk an organization may face and the level of these risks they are prepared to tolerate. They represent the views of the stakeholders and the obligations that the organization has towards them. Risks reflect the uncertainties and events that could affect outcomes and objectives of an organization.

Criteria of risk are defined so that they can be measured in terms of the likelihood of them occurring and the consequences to the organization when they do. They involve timeframes and time-related impacts as well as defining measurement techniques and metrics for measuring risk. This involves deciding how the level of risk will be determined and what impact multiple and combinations of risks can have. These criteria represent the tolerance that an organization has for negative events and the point at which they become so great that a given activity or direction is abandoned.