The criteria by which risks will be evaluated have to be decided and agreed. Deciding whether risk treatment is required
is usually based on operational, technical, financial, regulatory, legal, social, or environmental criteria, or combinations
of them. The criteria should be in line with the scope and framework defined above. Furthermore, they should be closely related
to the organization's internal policies and procedures and support its goals and objectives. Important criteria to be considered are impact criteria and the kinds of consequences that will be considered, criteria
of likelihood, and the rules that will determine whether the risk level is such that further treatment activities are required.
It is very common that criteria identified during these steps are further developed or even modified during later phases
of the Risk Management process.
Organisation
Responsible: Risk Manager
Accountable: Senior Management
Consulted: Risk Owner, Domain Expert
Input/Output
Input data: D61 Asset classification; D60 Rules for impact acceptance