Before we begin, here are some important definitions:

• Probability: corresponds to the evaluation of the frequency of occurrence of a risk. It is a score evaluated empirically (traditionally a score out of 5). Each level of risk corresponds to a frequency of occurrence of the risk.

• Impact: corresponds to the evaluation of the consequence of a feared event on the company.

• Current risk: the level of risk as it is at a given moment in time according to the level of remediation of your control points. It is calculated as follows: {Current Risk} = {Residual Risk} + ({Initial Risk} - {Residual Risk}) * {Risk Remediation Rate}.

• Residual risk: this is the risk remaining after the implementation of control measures (internal control).

• Initial (or inherent) risk: this is the theoretical risk associated with the activity. It can also be defined as the initial risk, before any control measure (internal control). It is calculated by multiplying the gross impact x by the gross probability.

• Dreaded event: refers to the uncertain event that will be characterised in terms of frequency and severity

• Risk: the combination of a feared event and the evaluation of the impact and probability on an object (treatment, actor (subcontractor), application or entity). Other criteria may be taken into account, such as threats (the types of risk causing the risk) or sources (the media or location of the risk).

• Checkpoint: (or risk management system). Compliance with the control points is the means to remedy 100% of the risks and therefore to move towards a current risk = residual risk. In Dastra, the checkpoint listing is managed at the level of the feared event.

• Remediation: this is the percentage of compliance of the control plan for a risk. E.g.: if 2 out of 3 control points comply = 66% remediation rate.