Not all risks are easily measurable, but that doesn’t mean they can’t form part of your risk criteria, argues Sarah Gordon, chief executive of Satarla
The vast majority of organisations I’ve had the pleasure of working with define risk criteria as the method through which you measure the potential impact of a risk on your objectives, and therefore rank the importance of your risks. But I’d argue that the most important element of risk criteria is the definition of trigger points at which you need to make a decision or take action.
Traditionally, those trigger points tended to be based on financial hurdle rates such as return on investment, or lagging safety statistics such as the number of lost time injuries. But it’s becoming increasingly clear that these are only part of the story.
Less tangible areas of risk such as reputation, environment, cyber and political are rising up the business agenda and need to form part of the risk criteria. So the big challenge becomes: how do you measure something that can be really difficult to quantify accurately?
If you’re someone who lives and breathes numbers, then being asked to measure something that can only be qualified rather than quantified is really difficult.
But when it comes to the dynamic measurement and updating of things like risk profiles, appetites and tolerances some of the risks will be quantifiably measurable and some of them won’t. Most importantly, sometimes those qualitative aspects will be the make or break part of the decision as to whether you decide to take a risk. In fact, if you can’t easily measure a risk that might be a good indicator that you need to take more notice of it as it suggests that it is complex and liable to surprise you.
Measurable risk criteria enable people to align decision making throughout an organisation, so there is agreement on what is an appropriate risk to take and what is a risk that needs to be escalated to a more senior level of decision making. Where something cannot easily be measured, the default should typically be to escalate it “just in case”.
Once your criteria – both intangible and tangible – are set, you need to have a process to constantly review those criteria. If an organisation says: ‘we established our risk criteria or appetite or tolerance five years ago, and it took us three years to get it signed off, so therefore, no, we are not going to change it any time soon’, that should be a warning that some very strange decision making may be going on within your organisation, as it will be based on a version of your organisation that is five years old.
If the risk management community were to change one thing, it would be to show those organisations that it is not appropriate to sign off your risk criteria and leave it for a long period of time. Your organisation needs to be prepared to adapt its criteria as the environment in which it operates changes.
A leading indicator that an organisation is truly using risk management can be how often they review their risk criteria.