1. Projection


When an audit is done on a system – company, service, instrument, etc. – étic uses the risk cartography as an analytic and client communication tool. This method permits to easily see and understand the full results of the analysis.


After the initial definition of the issue – the system – and the criteria that are necessary for a proper working, all the resources that are needed for this proper working are identified.


Each resource faces threats, which if they occur, can have one or more impacts. These impacts can affect following areas:

  • operational: the system does not work properly anymore, or it is not apt to insure the expected service (issue)

  • financial: costs result from the failure, or total breakdown, of the system (direct or indirect costs)

  • in terms of image: the company is prejudiced by the occurrence of this threat with short, medium and long term consequences


This is therefore a projection, since it means to imagine, before they happen, all occurrences or hazards that could affect a system, and its resources, and provoke different levels of impact.


It is for that purpose that all the know-how and experience ari needed and be applied for this type of analysis, so as to:

  • identify, thoroughly and independently, all the resources and the threats to which they are exposed – not withstanding of the fact that they might already have happened or not

  • determine the probability of each single occurrence and the different types of threat they represent

  • evaluate the scope of the impact

  • differentiate between acceptable risks and those that need an adequate risk management 


The identification of the threats is paramount to the analysis of the history of the system and the events that affect it.

The concept of projection also includes the fact that vulnerabilities might not be identifiable only through simple observations and conclusions of the system and its actual environment.


On the other hand, the context and its environment can cause these vulnerabilities. In other words, one has to provide for the unexpectable as well as imagine and identify certain threats as possible. Among these, modifications – of the legal framework, the competition, the consumer habits, the arrival of new products, etc. – are the most common.



2. Vulnerability evaluation matrix [return to "Risk Management"]


The vulnerability evaluation matrix – or vulnerability matrix – is a spread sheet with 2 inputs that allows to quantify each risk both in terms of the probability of occurrence of the threat and the impact of the threat on the issue.


Deduced from the following concept, the matrix is then filled out with an estimation of the actual risk:

Effective risk (vulnerability) = probability of the threat x impact on the issue.

Herewith and at first sight, one can estimate:

  • that a risk with a low probability of occurrence, but a high impact, has an overall average vulnerability level

  • that a risk with a low impact, but a high probability of occurrence, has an overall average vulnerability level



3. Représentation cartographique des zones de vulnérabilités [return to "Risk Management"]


All the vulnerabilities that affect a system – one can easily find several hundreds, depending on the complexity of the system – are the represented graphically in order to give a overall image of the state of a system and the risks it faces.