The risk criteria guide our recommendations about what to do with a given risk or collection of risks. They define what level of risk is acceptable to the organization.
It might be tempting for someone in the organization to suggest that we have “zero tolerance” for risk. This bit of hyperbole is rarely helpful. Every organization operates with risk and uncertainty. The real question for legal risk management is how much to invest to reduce the risk to an acceptable level.