
Risk Ratings

The risk rating criteria, which take the Company's risk appetite into account, are developed for assessing the significance of risks identified in the risk assessment process. The significance of each identified risk shall be determined from its potential consequences and its likelihood of occurrence, both at an inherent level (without taking into account the controls in place) and at a residual level (after considering the controls in place).
Inherent Risk Rating

Inherent Risk – Potential Consequences Rating
A numerical rating of the impact on the Company should the event occur without execution of controls currently in place.

  1  Insignificant
  2  Minor
  3  Moderate
  4  Major
  5  Catastrophic

Inherent Risk – Likelihood Rating
A numerical rating of the probability of occurrence of the event without execution of controls currently in place.

  1  Rare
  2  Unlikely
  3  Possible
  4  Likely
  5  Almost Certain

Inherent Risk Matrix

Each cell is the sum of the Potential Consequences rating (rows) and the Likelihood of Occurrence rating (columns).

                                    Likelihood of Occurrence
                                    1     2     3     4     5
  Potential Consequences     5      6     7     8     9     10
                             4      5     6     7     8     9
                             3      4     5     6     7     8
                             2      3     4     5     6     7
                             1      2     3     4     5     6

Legend (risk bands of the matrix):
  Extreme Risk
  Significant/High Risk
  Moderate Risk
  Low Risk

Control Rating

Controls will be rated on the following factors at the time of Risk Assessment:

Adequate
  Excellent (1 or 2): Systems and processes exist to manage the risks and management accountability is assigned. The systems are well documented and regular monitoring/management review indicates that the processes are effective in mitigating the risk.
  Good (3 or 4): Systems and processes exist which manage the risk. Minor improvement opportunities have been identified but not yet addressed.

Fair (5 or 6): Some systems and processes exist to manage the risk. However, in order to mitigate the risk, controls need further enhancement.

Inadequate
  Poor (7 or 8): Systems and processes for managing the risk have been subject to major change or are in the process of being implemented and their effectiveness cannot be confirmed.
  Unsatisfactory (9 or 10): No systems and processes exist to manage the risk.

Residual Risk Matrix

The Residual Risk Rating is calculated by adding the Inherent Risk measures of Consequence and Likelihood and combining the resulting Inherent Risk Rating with the Control Rating. The management response required in relation to the Residual Risk is determined by the position of the risk on the matrix below.

Vertical axis: Inherent Risk Rating (2 to 10). Horizontal axis: Control Rating (0 to 10), divided into Adequate and Inadequate.

  Inherent Risk Rating
  10 |
     |   High Risk –                 Extreme Risk –
     |   Continuous Review           Active Management
     |
     |   Low Risk –                  Medium Risk –
     |   No Major Concern            Periodic Monitoring
   2 |
     +--------------------------------------------------
       0  1  2  3  4  5  6  7  8  9  10
              Adequate         Inadequate
                      Control Rating
Extreme Risk – Active Management: Inherent risk is high and the system of internal control is seriously compromised. Risks where current treatment options require active review and management.

High Risk – Continuous Review: Inherent risk is high and an improvement opportunity in control is identified. Continued monitoring of controls over time is required to confirm this.

Medium Risk – Periodic Monitoring: Control is not strong but risk impact is not high. Options to improve control or monitor risk impact to ensure it does not increase over time.

Low Risk – No Major Concern: Risks where systems and processes managing the risks are adequate and subject to minor improvement opportunity.
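The rating method above, worked through in code. This is an added example, not the Company's own tooling or any text from the original document. The consequence, likelihood and control bands are taken from the page; two things the page does not state are marked as assumptions in the code: the Inherent Risk Rating at which a risk moves from the lower to the upper half of the residual matrix (7 is used), and which group a Fair (5 or 6) control rating falls into, which is left to the caller because the page assigns Fair to neither Adequate nor Inadequate.

```python
"""Worked example of the inherent/residual risk rating method on this page.
Added illustration only; not the Company's own tool. Values marked
ASSUMPTION are not stated on the page."""

# Scales from the page (rating -> label).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}

# Control rating bands from the page: (low, high, band name, adequacy group).
# Excellent/Good are grouped as Adequate and Poor/Unsatisfactory as Inadequate
# on the page; Fair is assigned to neither group, hence None.
CONTROL_BANDS = [
    (1, 2, "Excellent", "Adequate"),
    (3, 4, "Good", "Adequate"),
    (5, 6, "Fair", None),
    (7, 8, "Poor", "Inadequate"),
    (9, 10, "Unsatisfactory", "Inadequate"),
]

# ASSUMPTION: the residual matrix splits the inherent axis (2..10) into a high
# and a low half without stating the cut-off; an Inherent Risk Rating of 7 or
# more is treated as "high" here.
HIGH_INHERENT_FROM = 7

# The four quadrants of the residual matrix, keyed by (inherent is high, group).
RESIDUAL = {
    (True, "Adequate"): "High Risk – Continuous Review",
    (True, "Inadequate"): "Extreme Risk – Active Management",
    (False, "Adequate"): "Low Risk – No Major Concern",
    (False, "Inadequate"): "Medium Risk – Periodic Monitoring",
}


def inherent_score(consequence, likelihood):
    """Inherent Risk Rating = consequence + likelihood, as in the page's matrix."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must be integers 1..5")
    return consequence + likelihood


def inherent_matrix():
    """Rebuild the Inherent Risk Matrix: rows consequence 5..1, columns likelihood 1..5."""
    return [[inherent_score(c, l) for l in range(1, 6)] for c in range(5, 0, -1)]


def control_band(rating):
    """Map a 1..10 control rating to its (band name, adequacy group)."""
    for low, high, name, group in CONTROL_BANDS:
        if low <= rating <= high:
            return name, group
    raise ValueError("control rating must be an integer 1..10")


def residual_risk(consequence, likelihood, control_rating, fair_is_adequate=None):
    """Place a risk on the residual matrix.

    Returns (inherent score, control band, residual quadrant). A Fair control
    rating has no adequacy group on the page, so the caller must decide it via
    fair_is_adequate; without that decision the call fails rather than guess."""
    score = inherent_score(consequence, likelihood)
    band, group = control_band(control_rating)
    if group is None:
        if fair_is_adequate is None:
            raise ValueError("Fair control rating needs an explicit adequacy decision")
        group = "Adequate" if fair_is_adequate else "Inadequate"
    return score, band, RESIDUAL[(score >= HIGH_INHERENT_FROM, group)]


def rate_register(register):
    """Rate a list of (name, consequence, likelihood, control, fair_is_adequate) entries."""
    return [(name,) + residual_risk(c, l, ctl, fair) for name, c, l, ctl, fair in register]


if __name__ == "__main__":
    # Constructed sample register, not data from the page.
    sample = [
        ("Unpatched internet-facing server", 4, 4, 8, None),
        ("Backup restore never tested", 4, 3, 5, False),
        ("Visitor badge process", 2, 2, 2, None),
    ]
    for row in rate_register(sample):
        print(row)
```

The explicit failure on an undecided Fair rating is deliberate: the page leaves that band ungrouped, and a scoring tool that silently picked a side would hide a judgement the assessor is supposed to make.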
