Early this week, a consultant friend told me that a nonconformity was raised against her client because their method for determining risks/opportunities doesn't have criteria for determining the level of risk (i.e. high, medium, low). The CB auditor was looking for factors such as how the severity of the impact and likelihood of the occurrence of risks are measured. I've actually observed such prescriptive calls of CB auditors, fortunately we know how to push back. For others, like my friend's client, who doesn't want to tussle with CB auditors, will just go along with the prescriptive call and accept the nonconformity finding. Just want to vent my exasperation and, at the same time, get some two cents (agreeable or dissenting) from the members of this forum.