I thought I had a pretty good knowledge of the standard for risk assessment (AS4360) until this afternoon - I was editing a risk assessment paper and it was pointed out to me that the approach I’d described (in the picture above) differed from another standard in the Bureau that also purported to be an implementation of AS4360.

A quick google showed me four more examples of a risk rating matrix, but rather than tell me who was right I’d ended up with six quite different approaches.

And so I discovered that the standard doesn’t actually promote a single approach to rating risks, which makes a lot of sense in hindsight. In the end I used the same approach as the other ABS standard because I felt it took into consideration our moderate, but not extreme, risk aversion.