For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:
Inherent risk less the effect of controls equals residual risk.
This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.