Perhaps I'll take a crack at trying to provide an answer to your question.
When it comes to risk rankings, I will speak to my experience at the time in a grants and contributions department. Most departments and agencies, at least at a beginning point, develop their own risk-ranking criteria. They were the individuals who were most familiar with the business lines they were dealing with. The guidance is, of course, meant to provide some consistency in approach and methodology without tying the hands of a department to a single risk-rating approach across town.
Experiences change over a seven-year or eight-year period. One of the areas we're entering into now in the management or administration of grants and contributions is the concept of standardized business processes, to increase efficiency in deliveries, and this can apply to a number of areas. Although I don't think we will ever have a single template for risk rating across town, there is probably an opportunity for ensuring greater consistency in the risk-rating methodologies that are used by departments to ensure their completeness and their utility.
With that, I hope I've answered part of your question, and the Auditor General can certainly chip in if I've got it wrong.