Risk Management Insights

I want to join the BLOG

Risk Management Training, Inherent & Residual Risk

Risk Appetite - Inherent and Residual?

The case for setting both an Inherent and Residual Risk Appetite

In the last two blogs, Inherent Risk - It is useful? and Expected and Targeted risks, I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite. 

The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.

At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites.  Listening to the conversations it becomes clear that the discussion was at cross purposes.

Read More

Enterprise Risk Management, Inherent & Residual Risk, Risk and Control Self Assessment, Risk Controls, Risk Assessment

Inherent Risk – Is it useful?

The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment.

The main areas of contention are:

What does Inherent Risk mean?

There are few common definitions in risk but “Inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk on the other hand is commonly defined as “the level of risk remaining after controls have been applied”. 

Read More

Inherent & Residual Risk, Risk Assessment

The Scoring of Residual Risk

We previously discussed the pros and cons of identifying and assessing the level of inherent risk. This article assumes that inherent risk is used and that the effectiveness of controls is separately assessed in order to arrive at a residual risk assessment.

The first issue to consider is how the level of residual risk is assessed taking into account the scoring of inherent risk and the level of control effectiveness. One approach is to apply subjective judgement without applying any mathematical relationship between inherent risk and the level of control effectiveness.
A second method is to apply a mathematical approach.

Read More

Inherent & Residual Risk, Risk and Control Self Assessment, Risk Assessment

Can Residual Risk Be Higher Than Inherent Risk?

For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:

Inherent risk less the effect of controls equals residual risk.

This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position. 

Read More