I would say ours is very similar to Don's. At the HRSDC department we have a risk-based approach to three specific areas: financial reporting, payments, and monitoring. Similarly, we use a number of factors to determine the risk base for each of those components.
As well, as Don said, throughout the life cycle of a project, if a project is a three-year project, we can take the opportunity to look at that risk over the period of time. If anything comes up during the project that we would see as problematic, we have the opportunity to go in, review the project, and see if there's anything that needs to be monitored or changed based on those assessments.