Risk criteria examples

Date:: 23 Mar 2026

About this guide

Risk criteria are the clear benchmarks used to assess and prioritise risks.

When you’re assessing risks, you’ll need to refer to your organisation’s risk criteria to help you decide on how to treat them.

We’ve put together these examples to help you review and refine your own organisation’s risk criteria. You’ll find guidance on:

Consequence descriptors
Likelihood descriptors
Risk rating
Escalation and response for risk rating.

Consequence descriptors

A consequence descriptor in risk assessment is a clear description – either qualitative or quantitative – that defines how severe the impact would be if a specific risk event happens.

It provides a standardised definition for each level of a consequence scale (e.g. Severe, Major, Moderate, Minor and Insignificant) to guide consistent ratings and level of response.

Here are some examples of consequence descriptors.
When you’re assessing risk in your organisation, make sure you use your own descriptors—they should reflect your unique context and needs.

Severe
- Direct loss or opportunity cost of more than $XXm.
Major
- Direct loss or opportunity cost of $XXm to $YYm.
Moderate
- Direct loss or opportunity cost of $XXk to $YYm.
Minor
- Direct loss or opportunity cost of $XXk to $YYk.
Insignificant
- Direct loss or opportunity cost of less than $XXk.
Severe
- Multiple preventable fatalities.
- Many senior staff resignations and wide loss of capability.
- Large parts of the workforce aren’t upskilled to meet key strategic priorities.
Major
- Preventable fatality or total and permanent disability.
- Resignations of key staff and loss of capability affecting a major business function.
- Parts of the workforce aren’t upskilled to meet specific business plan priorities.
Moderate
- Any preventable injury or disease resulting in a person being incapacitated from normal activity for >7 days.
- Higher than desired turnover of key staff and loss capability.
Minor
- Any preventable injury or disease likely to result in a person being incapacitated from normal activity for <7 days.
- Some staff turnover.
Insignificant
- Isolated instances of preventable injuries only needing first aid treatment.
Severe
- International or major media scandal, regulatory investigation, or massive viral campaign. Lasting reputational damage.
Major
- National media coverage or sustained negative social media storm. Significant damage to reputation.
Moderate
- Coverage in regional media or viral social media post by an influencer. High attention from customers and stakeholders. Noticeable concern and public image affected.
Minor
- No external criticism but new, isolated complaints from stakeholders.
Insignificant
- Some unplanned additional time spent explaining the organisation’s position.
Severe
- Full service or business performance disruption >ZZ weeks.
Major
- Full or partial service or business performance disruption <ZZ days.
Moderate
- Partial service disruption <Z days during key operating times.
Minor
- Partial service disruption <Z hours during key operating times.
Insignificant
- Short or intermittent service disruption mostly out of key operating times.
Severe
- Externally reportable breach of regulation with fines and penalties.
- Litigation costing >$XXm.
- Extensive external investigation disrupting operations.
Major
- Externally reportable breach of regulations.
- Liltigation costing <$XXm.
- External investigation not significantly disrupting operations.
Moderate
- Breach of regulations.
- Litigation costing <$XXk.
- Internal investigation.
Minor
- Breach of regulations.
- Litigation costs within existing legal budgets.
Insignificant
- Minor breach of regulations.
Severe
- Long term, possibly irreversible destruction of critical ecosystems.
Major
- Severe contamination of soil, waterways and air quality causes habitat degradation and native species decline.
Moderate
- Localised pollution or land clearing leading to measurable reduction in habitat quality and biodiversity.
Minor
- Limited disturbance to a contained natural area temporarily disrupts local flora and fauna.
Insignificant
- Minimal and short-term environmental impact with no lasting effect on ecosystem.
Severe
- Cluster or single event resulting in multiple preventable consumer deaths and/or serious harm.
- Formal complaint from governing body, e.g. Department of Health.
Major
- A single preventable consumer death or event resulting in permanent loss or reduced function for the consumer.
Moderate
- A preventable event resulting in harm from which the consumer is likely to fully recover.
Minor
- A preventable event, resulting in harm requiring an increased level of care.
Insignificant
- A preventable event resulting in minimal harm.

Likelihood descriptors

A likelihood descriptor in risk assessment is a qualitative or quantitative term for describing the probability, frequency, or chance of a specific risk event or consequence occurring within a defined timeframe. To help prioritise different risks, likelihood descriptors are assigned to a ranking scale in a risk matrix.

Here are some examples of likelihood descriptors.
These use a controls-centric approach – that assumes most significant risks are within your control.

Likelihood	Descriptor example
Almost certain	All controls associated with the risk are weak and/or non-existent. Without control improvement there’s almost no doubt that the event and its consequences will eventuate.
Likely	Most controls associated with the risk are weak. Without control improvement, it’s more likely than not that the event and its consequences will eventuate.
Possible	There are some controls that need improvement. If there’s no improvement, there’s a good chance the event and its consequences will occur.
Unlikely	Most controls are strong with few known control gaps. If this risk eventuates, it’s most likely because of external circumstances outside of our control.
Rare	All controls are strong with no known control gaps. If this risk eventuates, it’s most likely because of external circumstances outside of our control.

Risk rating matrix - example

The matrix combines the consequence and likelihood ratings to plot risks at differing levels of severity. It's an easy way to visualise the risks which require different levels of response. Over time, its also possible to see plot movement on the matrix as risks become more or less severe.

The matrix is typically used in reporting to different audiences: executives, operational teams, committees, Boards, regulators, etc.

Escalation and response - examples

When assessing risks, a key step is evaluation. Evaluation is the process of comparing analysed risks against established criteria to determine their tolerability, significance, and priority. It involves deciding whether a risk is acceptable or requires treatment by weighing its likelihood and consequences to directly guide the urgency of review, the appropriate level of oversight, and, ultimately, decisions about control.

Here are some examples of escalation and response.
When you’re assessing risk in your organisation, make sure you use your Risk Management Policy and/or delegations of authority.

Sources

The examples provided were adapted from several sources including:

Updated 5 May 2026