It's a terminology that other people have introduced. It's not a terminology that we would necessarily use for designated organizations in terms of what was high-risk or low-risk. But risk is determined through some form of assessment, and there are some probability issues here as well.
The organization is required to do some form of a risk assessment. There's a matrix or way of doing that. Where they determine that there is high risk, risk, or moderate risk, then there needs to be a means of being able to mitigate that risk in some form of a set of procedures or documents.
So the term they're using in the context that they're talking about really doesn't necessarily make a lot of sense, certainly not to me.