What does Inherent Risk mean?
There are few common definitions in risk but "Inherent Risk" is commonly defined as "the risk without considering internal controls" or alternatively "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk on the other hand is commonly defined as "the level of risk remaining after the relevant controls have been applied".
Can Inherent Risk be determined?
One of the main arguments against the use of inherent risk as a concept is the perceived difficultly in determining its level. Consider "Building Security Risk" - the risk that an unauthorised person will access a building and carry out unauthorised and or damaging actions. When we assess "What is the level of risk before considering controls?", workshop responses vary as we have limited experience of this risk without any controls.
As a result, there is often difficulty in determining a consistent inherent risk scenario. Does this mean a lack of all or a combination of some of the following controls - security guards, CCTV, windows, doors and walls?
We believe that this problem can largely be overcome by changing the order of the risk assessment by firstly identifying the controls that mitigate the risk. Secondly, the inherent risk assessment is then performed by asking the question "What is the level of risk before considering the identified controls?". This approach overcomes the question of what controls are assumed not to exist or be working. If a "control" is not specifically identified, it is assumed to be present in the inherent risk assessment. These pre-existing controls are often referred to as "base-line" controls.
In determining whether a control is base-line or not, it helps to define "a control". A useful definition of a control is "a specific action taken by the organisation with the objective of reducing the risk". The key is a "specific action". Security guards and CCTV would be seen as non base-line or "identified" and therefore be considered in the inherent risk assessment. However, windows and doors would be base-line controls as it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organization.
Can Inherent Likelihood always be determined?
Likelihood is a measure of the expected frequency of the risk occurring. Multiple factors can go into the measurement of likelihood.
If one or more of those factors cannot be determined, it is difficult to determine inherent likelihood.
For example, the likelihood of fraud risk requires consideration of:
(a) The likelihood that an individual is dishonest
(b) The level of skill they possess in carrying out the fraud
(c) The chance of success if they were to carry out the fraud
Point a) is virtually impossible to determine, b) is difficult to determine and c) can be reasonably determined with sufficient thought. As a result inherent risk for fraud is virtually impossible to determine and requires an assumption about a) and b).
However, for many other risks, clients assess inherent risk with relative ease.
What is the difference in these risks? We believe it lies in whether the risk is deliberate or non deliberate. Where the risk is non deliberate or accidental, the inherent likelihood can be relatively easy to obtain. Where the risk is deliberate through actions of people, such as fraud, inherent likelihood cannot be determined and the best wecan do is to determine the chance of success if the person was dishonest. If we assess this likelihood on this (incomplete) basis we must be careful when comparing the level of risk with other non deliberate risks where all factors affecting likelihood have been considered.
Is Inherent Risk useful as part of a Risk Assessment Process?
Where possible, we are of the view that the determination of inherent risk is very useful. The reasons are:
- It assists in identifying which controls are critical. For example in Fig 1, controls over "perimeter security compromised" are critical in that they reduce the inherent risk score from "20" to a residual risk position of "6". We can use this analysis to assist us in selecting which controls will be subject to periodic attestation in our compliance programs as "Key Controls".
- Internal audit should focus their control audits on controls that are critical. As above, these are controls that reduce a high inherent risk by a substantial amount.
- Scenario analysis for stress testing purposes should be carried out on those risks which have the potential to result in catastrophic (Level 5) consequences. Such a scenario is most likely to occur when a risk with an inherent risk score of "5" occurs and the related controls fail. Therefore risks that have an inherent consequence rating of "5" would be used for further scenario analysis.
- Reporting to Board should include information on those risks that have the potential to be catastrophic for the organisation, namely those risks where the inherent consequence is high.
The debate over the usefulness of inherent risk will surely continue. The key is to apply the most relevant approach to the type of risk and recognise not all risks are the same. Where possible the determination of inherent risk can be useful in understanding the nature of the risk, the potential worst case scenario and the importance of related controls.
For further information on automating your risk assessment process, please contact Genevieve Aboud via email firstname.lastname@example.org or phone +61 2 8005 1265.