Inherent vs. Residual Risk
By Ms.Becky Terry, Strategic Risk Management Executive
Founder of RTE and Company, USA
The difference between inherent and residual risk is often the most confusing concept and why that distinction is so important. I encountered when helping companies identify risks as part of their baseline ERM program. There was always been debate around the terms, So, I conducted a survey with my clients CRO and CAEs, asking them if they still used the terms inherent and residual, and if they wanted to change. The unanimous response was that they used them and liked using them.
Inherent risk can be defined as the amount of risk present in an activity before any controls are applied.
In other words, the risk to me getting injured if I enter a construction site, without any controls, is possible injury, so I would say that the inherent risk to me at a construction site is high. Inherent risk can also be viewed as pre-control. We inherently know when a risk is high (think cybersecurity) and when a risk is low (think petty cash). Once the concept is introduced, it is usually a quick exercise to apply definitions and develop high, medium, or low risk designations.
Residual risk can be defined as the amount of risk present after we have applied controls.
Staying with the construction site example, once I put on a hardhat, have I reduced my risk to an acceptable level? I might say yes, but I am willing to bet the construction supervisor would say no. He would expect me to also wear safety glasses, work boots, and maybe even have attended some safety classes. Residual risk can also be viewed as post control. Reducing our risk to an acceptable level is the ultimate goal of an enterprise risk management project.
Why is the difference important?
Knowing both the inherent and the residual risk allows us to focus our activities on the risks that are the most important, and then begin to discuss control activities with those risks in mind. Not only might we need more controls, like this example, but there may be areas in which we have too many controls. Internal and external audit groups use the inherent risk rating to drive their testing plan, as demonstrated by unanimous discussion with my client’s internal audit groups.
I confess that the concept of “absent controls” is a hard concept to grasp. There is undoubtedly movement within the ERM community to think about the controls in place first and then determine if the risk has been sufficiently reduced. One of the comments I received was the use of terminology like current and target risk.
Problem with the use of current risk is that it implies that your controls are operating effectively.
What if they aren’t? What kind of exposure do you have? Without an understanding of inherent risk – you may apply too many controls to a risk that doesn’t warrant that amount of effort.
Another comment suggested that we look at the probability of achieving our objectives prior to putting in mitigation activities and the probability after mitigation activities have been put in place. Before and after, similar to inherent and residual. The one constant is objectives.
My concern with this approach is that we may be applying resources to mitigating activities for a risk that was so low in the first place that activities aren’t even warranted.There may be better ways of thinking about inherent and residual risk. There may be better ways of thinking about heat maps and likelihood and impact of risk.
Regardless of what method you use to measure risk, understanding the risks that may impact the strategic objectives of the company are paramount to a company’s success.
For companies just starting on their ERM journey – Inherent and Residual risk may be concepts worth exploring. For companies who already have a mature and robust reporting and monitoring process, who have already ingrained the risk thinking mindset into every area of the company, it may be time to evolve to a different way of thinking about risks, inherently or residually.
I think that Inherent and Residual risk concepts are essential for establishing a baseline risk view of a company; however, the value that ERM brings to an organization is through an ongoing partnership, not a periodic review.
When deciding what ERM program fits best for your company and what framework should be used, understanding the corporate culture will help determine the success of the ERM program. Stay practical is my motto.
Ms. Becky Terry is a strategic risk management executive with years of demonstrated expertise in creating and maintaining value-added risk management departments.
Currently, Becky is the founder of RTE and Company: a strategic consulting company
focused on improving their client’s success by helping them create and maintain enterprise risk management functions that add value to their organization. Her career included risk management roles at Freddie Mac and consulting opportunities partnered with PwC.
- ISA 600 (Revised) – A timely IAASB initiative for Financial Reporting in the Tourism Industry - October 8, 2020
- Resistance in the Face of Reality: Change Management Explained - October 4, 2020
- Inherent vs. Residual Risk - October 2, 2020