Risk criteria are an important point of reference for evaluating the significance of risk. They link strategy and action and help you determine whether you are taking on the right amount of risk. Risk criteria also can give decision-makers permission to take more risk to yield the right return and efficiently make use of available resources.

As vital as risk criteria are to an enterprise risk management program, however, they often get eclipsed by more visible tools like heat maps and key risk indicators. Many organizations view risk criteria as something running in the background, rarely taking time to reexamine or update according to changing conditions.

Well-crafted risk criteria also are complex – and they are not easy to develop. It takes time and effort to create a measuring stick for understanding and connecting risk appetite, risk tolerance, and strategy. But if your measuring stick is off, how will you know if you are taking the right risks to achieve your strategic goals?

A Consistent Point of Reference

Risk criteria provide a clear interpretation of risk tolerance and risk appetite as they align with your overall goals. The consistent nature of risk criteria eliminates cognitive bias that may sneak in during times of uncertainty. And that can help you avoid making snap judgements that are not in your long-term best interest.

Risk criteria also establish a common language for effective communication about risk, which is important since stimulating valuable conversation is one of the most important parts of an ERM program. When the discussion turns to action, risk criteria can also be used to prioritize resources. That is especially helpful in the event of conflicting objectives.

Find Meaningful Risk Criteria

To develop risk criteria, start by asking two questions: How much risk are you currently taking? And is that level of risk-taking acceptable?

Once you have accurate answers, you can move on to defining the specific criteria for your business. Note that risk criteria are not an off-the-shelf tool. To be meaningful, risk criteria must be calibrated to your company’s strategy, goals, measures, and risk appetite. Revisit your criteria regularly to make sure current conditions are reflected in the way you are prioritizing risks.

Here are six steps to use as a guide:

  1. Define your strategic objectives. What are your growth targets? Where are you trying to move the bar? What other things – e.g., safety, the environment, regulatory compliance, your reputation – do you value? Include things that you care about and spend money on even if they are not explicitly stated in your strategy.
  2. Choose measures for your scorecard. What metrics best reflect failure and success? Talk to experts and function leaders across finance, HR, sales, and so forth and extract measures that matter – and are instantly understandable. And if those KPIs don’t exist, take this opportunity to put those in place.
  3. Define the event. What is an undesirable or other-than-planned outcome? In some cases, an outcome that’s even a little bit off the mark can spiral into disaster. Taking the time to visualize undesirable circumstances helps you assess the impact specific events may have on your operations, reputation, and bottom line.
  4. Identify the end points. What would be a catastrophe? What kind of outcome against each of your measures would effectively destroy your strategy and cause irreparable harm to the enterprise? And what types of events would only be considered problematic? The most severe outcome is your boundary or anchor point.
  5. Determine intolerable deviation. How much deviation from your target is acceptable, and how much is unacceptable? What indicators will tell you when you are approaching unacceptable deviation? In some cases, you may need to dig deeper, apply other criteria, and assess the risk more formally.
  6. Fill in the points between tolerable and intolerable risk. Use your scorecard, your end points, and your deviations to define your boundaries as to what is acceptable and what is not – aka your risk tolerance. You’ll want to look more closely at those risks that could credibly exceed your tolerance threshold.

Other Considerations When Developing Risk Criteria

Risk criteria are also shaped by forces like risk velocity. Velocity in the world of risk management is the interval of time between the occurrence of an event and its peak impact.

Imagine a timeline that marks when something blows up, when it’s detected, and when it impacts the business. For high-velocity risks – like cyberthreats – the event can play out so quickly that you don’t have time to put measures in place to prevent the harm from happening. Low-velocity risks – like a change in the competitive landscape – unfold over time, which gives you room to mitigate.

Another consideration is the controls you have in place to either prevent the occurrence of the risk or manage its impact. Are your efforts appropriately scaled to the risk? Do you have plans in place? Do you have people accountable for executing those plans? Are you checking to make sure everything is working properly? Do you need to make any adjustments? If you have these things in place, you can say a risk is fully controlled. The ultimate step is to have an independent third party periodically test the controls related to the most severe risks.

The last consideration is the likelihood of the risk occurring. The most effective way to assess likelihood is to look at your risks in the context of one another. Pay particular attention to those risks that could credibly happen and where preparation could prevent them from happening or at least limit the damage.

What Now?

You can use risk criteria in any scenario in which you need to assess or communicate risks and opportunities – like risk assessments, risk workshops, and identifying project risks. Once you have done this analysis and established your risk criteria, you are also free to do things differently to take on the appropriate amount of risk. Instead of protecting your reputation at all costs, for instance, you may decide that the reward of making certain operational changes that benefit the business is worth the risk that not all employees will be happy about it.

“Well-developed risk criteria are a tremendous help in many aspects of ERM,” explains Rob Quail, noted author and ERM expert. “Risk criteria are your trigger points that say risk needs to be communicated upward. This is how to overcome bias and allow comparison of risks. Then you can bake all that logic into key business processes. Better conversations lead to better decision-making about priorities.”

For more on ERM, download our ebook, Charting a Course for Enterprise Risk Management, and check out Riskonnect’s ERM software.