Determining risk rankings is up to each organization. When determining the appropriate ranking, most organizations consider the following factors:

• Regulatory fines
• Auditor comments
• Customer complaints
• Process errors
• Policy violations