I would suggest that there's no risk management model that is perfect. The Auditor General pointed out, and I think in his report acknowledged, that the risk-rating systems were being used by departments to manage those risks. I believe the more complete observation he made is that we weren't specific enough in our guidance; we weren't reinforcing in our guidance the requirement to review regularly the risk management model in departments and agencies. I believe that in the details the Auditor General recognized that many departments had done that without having specific guidance placed in the Treasury Board policy suite.
So I'd look at it not that there is a fundamental break in the risk-rating methodologies being used by departments, but that there is an element in our policy guidance that needs to be there to make it clear that you need to review the risk-rating models on a regular basis to ensure that they are still legitimate. I would open it up to the Auditor General to add to my comments.