The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.