Inherent Risk: Friend or Foe?

What does Inherent Risk mean?

There are few universally agreed definitions in risk management, but Inherent Risk is commonly defined as "the risk without considering internal controls" or, alternatively, "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk, on the other hand, is commonly defined as "the level of risk remaining after the relevant controls have been applied".

The Scoring of Residual Risk

We previously discussed the pros and cons of identifying and assessing the level of inherent risk. This article assumes that inherent risk is used and that the effectiveness of controls is separately assessed in order to arrive at a residual risk assessment.

The first issue to consider is how the level of residual risk is assessed taking into account the scoring of inherent risk and the level of control effectiveness. One approach is to apply subjective judgement without applying any mathematical relationship between inherent risk and the level of control effectiveness.

A second method is to apply a mathematical approach, in which the residual risk score is derived from the inherent risk score and the control effectiveness rating by a defined formula rather than by judgement alone.

Can Residual Risk Be Higher Than Inherent Risk?

For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:

Inherent risk less the effect of controls equals residual risk.

This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.
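The following is an added example, not part of the original article, showing the two approaches to residual risk scoring side by side: a mathematical relationship (inherent less the effect of controls) and a subjectively judged residual score, with a check for the "residual greater than inherent" case the question above raises. The 5x5 likelihood-by-impact scale, the rating bands, the formula `inherent * (1 - control_effectiveness)` and the sample register entries are all constructed assumptions; the article prescribes none of them.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed 5x5 scoring scale and rating bands, for illustration only.
# The article does not prescribe a scale or a formula; these are assumptions.
LIKELIHOOD_MAX = 5
IMPACT_MAX = 5
RATING_BANDS = [(15, "High"), (8, "Medium"), (1, "Low")]


@dataclass
class RiskEntry:
    name: str
    likelihood: int                        # 1..LIKELIHOOD_MAX, assessed ignoring controls
    impact: int                            # 1..IMPACT_MAX, assessed ignoring controls
    control_effectiveness: float           # 0.0 = no effect, 1.0 = fully effective
    judged_residual: Optional[int] = None  # residual score set by subjective judgement, if any


def inherent_score(entry: RiskEntry) -> int:
    """Inherent risk: likelihood x impact with no internal controls considered."""
    if not (1 <= entry.likelihood <= LIKELIHOOD_MAX and 1 <= entry.impact <= IMPACT_MAX):
        raise ValueError(f"{entry.name}: likelihood/impact outside the scale")
    return entry.likelihood * entry.impact


def residual_score(entry: RiskEntry) -> float:
    """Mathematical approach: residual = inherent less the effect of controls.

    Modelled here as inherent * (1 - effectiveness), an assumed formula that
    guarantees residual <= inherent whenever effectiveness lies within [0, 1].
    """
    if not 0.0 <= entry.control_effectiveness <= 1.0:
        raise ValueError(f"{entry.name}: control effectiveness must be in [0, 1]")
    return inherent_score(entry) * (1.0 - entry.control_effectiveness)


def rating(score: float) -> str:
    """Map a numeric score onto the High/Medium/Low bands."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "Low"


def assess(register: list[RiskEntry]) -> list[dict]:
    """Score every entry both ways and flag any residual that exceeds inherent.

    Under the formula above the computed residual can never exceed inherent,
    so the flag can only fire for a subjectively judged residual score.
    """
    rows = []
    for entry in register:
        inherent = inherent_score(entry)
        computed = residual_score(entry)
        judged = entry.judged_residual
        rows.append({
            "name": entry.name,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": computed,
            "residual_rating": rating(computed),
            "judged_residual": judged,
            "exceeds_inherent": judged is not None and judged > inherent,
        })
    return rows


# Constructed sample register; names and scores are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("Unpatched internet-facing server", 4, 5, 0.75),
    RiskEntry("Privileged account misuse", 3, 4, 0.5, judged_residual=8),
    RiskEntry("Laptop loss", 2, 2, 0.25, judged_residual=6),  # judged above its inherent score of 4
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "  <-- judged residual exceeds inherent" if row["exceeds_inherent"] else ""
        print(f"{row['name']}: inherent {row['inherent']} ({row['inherent_rating']}), "
              f"residual {row['residual']:.1f} ({row['residual_rating']}){flag}")
```

The point the check makes is structural rather than numerical: with a formula of the kind above, residual cannot exceed inherent, so any register entry where it does must have come from judgement outside the formula and deserves a second look at how the controls were assessed.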

