For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:
Inherent risk less the effect of controls equals residual risk.
This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.
A common definition of controls is "A specific action taken with the objective of reducing either the likelihood of the risk occurring and / or the consequence if the risk were to occur". This implies that residual risk must be less than inherent risk. In contrast, ISO 31000 defines a control as "measure that is modifying risk" without the implication that it is always reducing risk.
Consider the following: You are hiring a car for a colleague and are considering whether to take out additional insurance to reduce the $3,000 excess to $500. When considering the cost / benefit of this you need to consider the extent to which "accident risk" is reduced against the cost of the insurance.
This requires an assessment of the degree to which "accident risk" is reduced by the additional insurance.
If we assume the following:
If the insurance costs less than $25 we might consider it worthwhile.
As insurance is a remedial control, we have only reduced the consequence. However, is there an impact on likelihood that we have not considered? Consider how the hirer may drive the car when we do not take out the additional insurance: probably more like their own car! This contrasts with how they might drive the car if we do take out the additional insurance: like a hire car! This change of behaviour by the driver, on the basis that there is now a financial safety net if things go wrong, may lead to an increase in the likelihood.
If we now reassess our risk:
In this analysis, the increase in the likelihood from 1% to 9% more than offsets the reduction in consequence and the residual risk is now higher than inherent risk.
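The arithmetic behind the example, as an added illustration (not code from the original article): expected loss is likelihood multiplied by consequence, the most you would pay for a control is the expected loss it removes, and there is a likelihood above which a consequence-reducing control leaves residual risk higher than inherent risk. The 1% and 9% likelihoods and the $3,000 and $500 excesses are the article's figures; the class and function names are this example's own.

```python
"""Expected-loss model for the hire-car insurance example.

Added illustration, not part of the original article. Figures come
from the article; names and the break-even helpers are assumptions
made here for the example.
"""
from typing import Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    likelihood: float   # probability the event occurs in the period (0..1)
    consequence: float  # loss if it does occur, in dollars

    def expected_loss(self) -> float:
        """Likelihood x consequence: the expected cost of the risk."""
        return self.likelihood * self.consequence


def apply_insurance(inherent: Risk, excess_after: float,
                    likelihood_after: Optional[float] = None) -> Risk:
    """Residual risk after the insurance control.

    Insurance is remedial: it only lowers the consequence (the excess).
    Likelihood is left unchanged unless a behavioural shift is supplied,
    which is the effect the article asks us not to overlook.
    """
    lk = inherent.likelihood if likelihood_after is None else likelihood_after
    return Risk(likelihood=lk, consequence=excess_after)


def break_even_premium(inherent: Risk, residual: Risk) -> float:
    """Most you would rationally pay for the control: expected loss removed."""
    return inherent.expected_loss() - residual.expected_loss()


def likelihood_threshold(inherent: Risk, consequence_after: float) -> float:
    """Likelihood at which the reduced-consequence residual risk equals the
    inherent risk. Above this, the control has made the position worse."""
    return inherent.expected_loss() / consequence_after


def control_reduces_risk(inherent: Risk, residual: Risk) -> bool:
    """True when the control delivers what the common definition promises."""
    return residual.expected_loss() <= inherent.expected_loss()


if __name__ == "__main__":
    inherent = Risk(likelihood=0.01, consequence=3000.0)   # $3,000 excess
    naive = apply_insurance(inherent, excess_after=500.0)  # driver unchanged
    print(f"inherent expected loss : ${inherent.expected_loss():.2f}")
    print(f"residual (no behaviour change): ${naive.expected_loss():.2f}")
    print(f"worth buying if premium below : ${break_even_premium(inherent, naive):.2f}")

    # Behavioural shift: driver treats the car like a hire car, 1% -> 9%
    careless = apply_insurance(inherent, excess_after=500.0, likelihood_after=0.09)
    print(f"residual (likelihood 9%)      : ${careless.expected_loss():.2f}")
    print(f"control still reduces risk?   : {control_reduces_risk(inherent, careless)}")
    print(f"likelihood where control stops helping: "
          f"{likelihood_threshold(inherent, 500.0):.0%}")
```

With the article's figures the control removes $25 of expected loss while the driver's behaviour is unchanged, but once the likelihood passes 6% the reduced excess no longer compensates, and at 9% the residual expected loss of $45 exceeds the inherent $30.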
This example may be extreme, but it illustrates that it is possible for residual risk to be higher than inherent risk. The underlying question is simple - can certain remedial controls lead to a change in behaviour that increases the likelihood of risk events and ultimately an overall higher cost to the organisation?
To factor this into your risk management process consider these steps:
Can you think of any such controls in practice? One that springs to mind is the dependency on rating agencies for credit assessment of counterparties. Does that reliance improve our understanding of credit risk, or lead to blanket acceptance of counterparties above a certain rating, which ultimately may lead to additional losses should things go wrong? Sounds like the story of CDOs and the GFC!
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).