Are they useful?
Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process.
In a previous blog article, we questioned whether
This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful.
We will start with definitions:
- Inherent Risk: The risk before considering existing controls
- Residual Risk: The risk after considering existing controls
- Expected Risk: The risk after considering agreed actions that have not yet been implemented
- Targeted Risk: The desired optimal level of risk
- Existing Controls: Controls currently existing in the business
- Actions: Agreed actions to further treat risk
- Issues: Identified gaps or weaknesses which need to be addressed by developing actions
The question is whether our understanding and the value of risk assessment are enhanced by assessing one or both of the additional layers of risk, “Expected” and “Targeted” risk, and whether there is any further value in adding layers beyond these.
Firstly, let’s consider how these risk components logically fit together. Using a common risk assessment methodology where Likelihood and Impact are assessed using a 5-scale measure for each, consider the following.
An example assessment process:
- Assume that the Inherent Risk is assessed as a Likelihood value of 5 and an Impact value of 4
- The assessment of Existing Controls in the business leads us to the conclusion that these controls reduce both likelihood and impact by 1
- This gives a Residual Risk level of Likelihood 4 and Impact 3
- We now observe as to whether there are any outstanding actions which involve control improvements for this risk
- We identify one or more outstanding actions and assess that when implemented, they will reduce likelihood by a further 1
- This gives an Expected Risk level of Likelihood 3 and Impact 3
- We then assess where we would ideally like the level of this risk to be
- We decide that our Targeted Risk level is Likelihood 2 and Impact 2
- This means we have an “issue”, as our current actions will not deliver the desired Targeted level. We, therefore, record an issue for this risk, which will then give rise to an action once the solution has been agreed.
This information is illustrated in a tabular and matrix format below.
Figure 1. The different layers of risk
Figure 2. Matrix report
Where “I” = Inherent Risk, “R” = Residual Risk, “E” = Expected Risk and “T” = Targeted Risk.
Linking to your risk management framework components
The various components in this analysis should be linked to the corresponding components of your Enterprise Risk Management framework and system as follows:
Benefits and insights of this approach:
- We can ascertain the status of any risk by comparing the 4 layers of risk as follows:
a. The difference between Inherent and Residual Risk indicates the importance of existing controls which can be used to determine the extent of controls assurance required.
b. The difference between Residual and Expected Risk shows the relative importance of the outstanding actions and can be used to
c. The difference between Expected and Targeted Risk indicates where we have issues and how important those Issues are which, again, can be used to prioritise issues.
- Our objective should be to make Residual Risk equal Expected Risk equal Targeted Risk. So, once we create Actions from the Issues, Expected Risk will equal Targeted Risk. Once we implement all Actions, Residual Risk will then equal Expected Risk and we can conclude that the Residual Risk equals our Targeted Risk and, in turn, that this risk is being adequately managed.
Problems with this approach:
Observing the ERM practices currently being implemented, we rarely see all aspects of the above approach being used. This is primarily because assessing these additional layers requires added complexity and effort. However, we are seeing a higher occurrence of the concept of Targeted Risk, which effectively combines the Expected and Targeted risk levels into a single component: that is, only Inherent, Residual and Targeted risk are identified. The difference between Residual and Targeted then covers both actions and issues without differentiating between them or creating the additional layer of Expected Risk. We believe this may be a maturity issue, and as organisations become more familiar with risk assessment, increased sophistication that includes these additional layers may follow.
The decision to enhance your ERM assessment methodology to include one or more of these additional layers should take into consideration:
- Where are you with your current ERM maturity? If you are at the beginning of the journey or a less mature stage then it would not be wise to further complicate the assessment process above the basics until this part of the process is well understood. You may find the article "The 7 key ingredients for successfully transforming and maturing your ERM" useful.
- What is the perceived cost/benefit of adding further layers? The benefits are covered above. The costs include considerations such as additional time to complete an assessment, further training of those involved in the assessment process and additional complexity of dashboards and analytics.
- Does your ERM system easily allow these additional layers to be appropriately captured, linked, assessed and analysed? To maximise the value of implementing these additional valuable layers, your ERM system should allow you (not your provider) to update your assessment methodology, apply linkages or tags dynamically and provide high-quality easy-to-read analytics. If not, you will be left with a process which could become a burden and a further cost impediment.
With all developments in risk management, the cost has to be weighed against the benefits and each organisation will be different based on the above.