Why Your Risk Acceptability Criteria Is Probably Wrong (And How Auditors Catch It)

Most risk acceptability criteria fail audits because they are copied, generic, and not justified. Under ISO 14971, your criteria must be defined in your risk management plan and supported by objective rationale—not just a matrix.

This is one of the clearest indicators of whether a company truly understands risk management—or is just following templates.

The Problem: Copy-Paste Risk Matrices

Most companies use a standard probability vs severity matrix.

That’s not the issue.

The issue is:

  • No justification for thresholds
  • No link to clinical or regulatory context
  • No explanation of why risks are “acceptable”

In other words, the matrix exists—but the logic behind it does not.

What ISO 14971 Actually Requires

Risk acceptability criteria must be:

  • Defined in the risk management plan
  • Based on policy and regulatory considerations
  • Consistently applied

More importantly, they must be justified.

If your risk criteria are arbitrary, your entire risk evaluation becomes questionable.

If your file is already under pressure, start here: Risk Management File Rejected? Fix Your ISO 14971 Gaps

Where Companies Get It Wrong

1. Arbitrary Risk Thresholds

Many matrices define:

  • Low / Medium / High risk

But cannot explain:

  • Why a specific combination is acceptable
  • Why another is not

This is a red flag in audits.

2. No Link to State of the Art

Acceptability should consider:

  • Industry standards
  • Clinical expectations
  • Comparable devices

Without this, your criteria are isolated—not defensible.

3. No ALARP or Risk Reduction Logic

Many companies mark risks as “acceptable” too early.

Auditors expect:

  • Risk reduction before acceptance
  • Clear justification if not reduced further

4. Inconsistent Application

The same risk level is treated differently across the file.

This breaks credibility immediately.

5. No Link to Benefit-Risk Decisions

For higher risks, acceptability must consider:

  • Clinical benefit
  • Intended use

Most files skip this entirely.

How Auditors Catch This Fast

Auditors don’t start with your matrix.

They start with a single risk.

Then they ask:

  • Why is this acceptable?
  • What criteria did you apply?
  • Where is that defined?

If you cannot answer clearly, the finding follows.

What Good Looks Like

A defensible risk acceptability framework includes:

  • Defined criteria in the risk management plan
  • Clear justification for thresholds
  • Alignment with regulatory expectations
  • Consistency across all risks
  • Link to risk control and benefit-risk decisions

This is what separates compliant systems from template-based ones.
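As an added illustration (not code from the original post or from ISO Cloud Consulting), the Python below models that framework as plain data and performs the three checks an auditor makes when tracing one risk: is the decision traceable to a criterion defined in the plan, did risk reduction precede acceptance in the ALARP region, and is the same matrix cell decided the same way across the whole file. The matrix cells, rationales and risk records are constructed for the example, not taken from any standard.

```python
from collections import defaultdict

# Criteria as they would be stated in the risk management plan (constructed).
# Each cell carries the outcome AND its rationale, because an outcome with no
# stated reason is exactly the finding described above.
PLAN_CRITERIA = {
    ("low", "minor"):      ("acceptable",   "harm below clinical significance; matches comparable devices"),
    ("low", "serious"):    ("reduce",       "ALARP region: reduce first, then justify residual risk"),
    ("medium", "minor"):   ("reduce",       "ALARP region: reduce first, then justify residual risk"),
    ("medium", "serious"): ("unacceptable", "exceeds policy limit for serious harm; needs benefit-risk review"),
    ("high", "minor"):     ("reduce",       "ALARP region: reduce first, then justify residual risk"),
    ("high", "serious"):   ("unacceptable", "exceeds policy limit for serious harm; needs benefit-risk review"),
}

def audit_risk(risk):
    """Findings raised when one risk's decision is traced back to the plan."""
    findings = []
    cell = (risk["probability"], risk["severity"])
    if cell not in PLAN_CRITERIA:
        return [f"{risk['id']}: cell {cell} has no criterion in the plan"]
    expected, _rationale = PLAN_CRITERIA[cell]
    if risk["decision"] == "acceptable":
        if expected == "unacceptable":
            findings.append(f"{risk['id']}: accepted although plan says unacceptable")
        if expected == "reduce" and not risk.get("controls"):
            findings.append(f"{risk['id']}: accepted in ALARP region without risk control")
        if not risk.get("rationale"):
            findings.append(f"{risk['id']}: accepted without documented rationale")
    return findings

def audit_file(risks):
    """Per-risk findings plus the cross-file check for inconsistent application."""
    findings = [f for r in risks for f in audit_risk(r)]
    decisions = defaultdict(set)
    for r in risks:
        decisions[(r["probability"], r["severity"])].add(r["decision"])
    for cell, outcomes in decisions.items():
        if len(outcomes) > 1:  # same cell, different verdicts: credibility breaks here
            findings.append(f"cell {cell} decided inconsistently: {sorted(outcomes)}")
    return findings

# Constructed sample risk file: R1 and R2 are defensible, R3 to R5 are not.
SAMPLE_RISKS = [
    {"id": "R1", "probability": "low", "severity": "minor", "decision": "acceptable",
     "rationale": "meets plan criterion for (low, minor)"},
    {"id": "R2", "probability": "medium", "severity": "minor", "decision": "acceptable",
     "controls": ["interlock"], "rationale": "residual risk after interlock; ALARP"},
    {"id": "R3", "probability": "medium", "severity": "minor", "decision": "acceptable"},
    {"id": "R4", "probability": "medium", "severity": "serious", "decision": "acceptable",
     "rationale": "copied from template"},
    {"id": "R5", "probability": "medium", "severity": "serious", "decision": "unacceptable"},
]

if __name__ == "__main__":
    for line in audit_file(SAMPLE_RISKS):
        print(line)
```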

How to Fix It

Step 1: Define Policy First

Your criteria should come from a defined policy—not a spreadsheet.

Step 2: Justify Thresholds

Explain:

  • Why certain risks are acceptable
  • What data or rationale supports that

Step 3: Align With Risk Control

Your criteria must reflect:

  • Risk reduction expectations
  • Control hierarchy

Step 4: Ensure Consistency

Apply criteria uniformly across all hazards.

Step 5: Link to QMS Systems

Your decisions should connect to:

Where This Becomes a Commercial Risk

If your acceptability criteria are weak:

  • Your risk evaluations are invalid
  • Your residual risk decisions are questionable
  • Your entire risk file becomes vulnerable

This is why this issue frequently leads to deeper audit findings—not just isolated comments.

Final Takeaway

Your risk matrix is not the problem.

Your justification is.

If you cannot explain why a risk is acceptable, neither can your auditor—and that’s when your system starts to fail.

About ISO Cloud Consulting

Structured, regulator-aligned guidance for medical-device teams building ISO 13485 systems, MDR/FDA documentation, PMS/Vigilance frameworks, and validated digital QMS environments.
