# Risk assessment

## Risk assessment

A risk can be evaluated with the following formula:

$$
Risk = Probability \times Impact
$$

Where the **probability** is the frequency of occurrence of a hazardous event and/or a hazardous element, and the **impact** is the severity of the effects and/or the severity of the consequences of this hazardous event.

The impact of a risk is classified by default in 4 categories:

* Catastrophic,
* Significant,
* Medium,
* Low.

The probability of a risk is classified by default in 4 categories:

* Very likely,
* Likely,
* Possible,
* Unlikely.

{% hint style="info" %}
It's possible to customize the risk levels in Dastra.
{% endhint %}

## Risks classification

Depending on their level of probability and impact, risks can be classified into several categories:

* Intolerable risks;
* Risks that must be limited as much as possible;
* Acceptable risks, because the probability and/or the severity of the risk is negligible compared to other risks.

Unacceptable risks are shown in **red** in Dastra.

Risks that should be limited as much as possible are represented in **orange** or **yellow** in Dastra.

Acceptable risks are shown in **green** in Dastra.

## Gross risk vs. net (or residual) risk

A "**gross**" risk is considered without all of the surrounding control systems - organization, various controls, documentation, etc.

A "**net**" (or residual) risk, on the other hand, is evaluated by taking into account all the systems already in place and effective.
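The formula, the default 4-level scales and the gross vs. net distinction above, worked through as an added example (this is illustrative code, not Dastra's own implementation). The ordinal scores 1 to 4, the colour thresholds and the "levels of reduction per control" model are assumptions; Dastra's actual levels and thresholds are customizable.

```python
from enum import IntEnum


class Probability(IntEnum):
    # Dastra's default probability levels; the 1..4 scores are an assumption
    UNLIKELY = 1
    POSSIBLE = 2
    LIKELY = 3
    VERY_LIKELY = 4


class Impact(IntEnum):
    # Dastra's default impact levels; the 1..4 scores are an assumption
    LOW = 1
    MEDIUM = 2
    SIGNIFICANT = 3
    CATASTROPHIC = 4


def risk_score(probability: Probability, impact: Impact) -> int:
    """Risk = Probability * Impact on the ordinal scale (1..16)."""
    return int(probability) * int(impact)


def classify(score: int) -> str:
    """Map a score to the colour zones described on the page.
    Thresholds are an assumption, not Dastra's configuration."""
    if score >= 12:
        return "red"      # unacceptable / intolerable
    if score >= 8:
        return "orange"   # must be limited as much as possible
    if score >= 4:
        return "yellow"   # must be limited as much as possible
    return "green"        # acceptable


def residual_risk(gross_probability: Probability, gross_impact: Impact,
                  probability_reduction: int = 0, impact_reduction: int = 0):
    """Net (residual) risk: the gross risk re-evaluated with effective controls.
    Each control lowers probability and/or impact by a number of levels
    (assumed model); levels never drop below the lowest category."""
    p = max(Probability.UNLIKELY, gross_probability - probability_reduction)
    i = max(Impact.LOW, gross_impact - impact_reduction)
    return Probability(p), Impact(i)


def risk_matrix() -> dict:
    """Full 4x4 grid (probability, impact) -> zone, as a risk map would colour it."""
    return {(p, i): classify(risk_score(p, i)) for p in Probability for i in Impact}
```

For instance, a gross risk of Very likely × Catastrophic scores 16 (red); if a control lowers probability by one level and another lowers impact by two, the net risk is Likely × Medium, scoring 6 (yellow).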

## Visualization of a risk

<figure><img src="/files/2x57npGYVV9ZQMiilIQG" alt=""><figcaption><p>Example of risk visualization in Dastra</p></figcaption></figure>

## For more information

{% content-ref url="/pages/zGkLmYam7IP9xxLigjAY" %}
[Attach a risk to a processing activity](/en/features/risk-management/attach-a-risk-to-a-processing-activity.md)
{% endcontent-ref %}

{% content-ref url="/pages/-Lvijo5ijJ\_brcGKIdrw" %}
[Vendor risk management](/en/le-rgpd-en-bref/risk-management/risques-sous-traitants.md)
{% endcontent-ref %}


