Section 11.3.1 of API 580 explicitly states:

“Many companies have corporate risk criteria defining acceptable and prudent levels of safety, environmental and financial risks… Because each company may be different in terms of acceptable risk levels, risk management decisions can vary among companies.”

This highlights that risk acceptance criteria are typically developed internally by organizations based on their own tolerance and business drivers—not by API or external regulations.