I'll just add one point. On one hand, it's an interesting question. It refers to the need to make sure that the criteria we use and how we weight them is reviewed regularly.
I think the other point that needs to be appreciated, as we say in paragraph 2.44, is that there needs to be some form of review of the individual who was at one point perhaps rated as being low risk, let's say, to some years later or some time down the road reassess that organization: is it still low risk, or if it was high risk and being audited every year and having lots of controls around it, is it still high risk down the road? That form of reassessment becomes very important.