Risk criteria should reflect your organization???s values, policies, andobjectives, should be based on its external and internal context, shouldconsider the views of stakeholders, and should be derived fromstandards, laws, policies, and other requirements.