I use a risk matrix that I believe someone at BOL was kind enough to give me quite a while back:
HIGH - High risk of loss, high monetary exposure, regulatory concern, key controls not in place or not operating effectively, indicates a serious control weakness/deficiency requiring action
MEDIUM - Policy or compliance issue, moderate risk of loss or monetary exposure, key controls are partially in place or only somewhat effective, indicates a control concern which requires action to be taken
LOW - Minor documentation error or minor control issue, low risk of loss, key controls are in place but could be improved
You can then further define these based on criteria you want to use at your particular shop.