For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner: Inherent risk less the effect of controls equals residual risk.
This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.
A common definition of controls is "A specific action taken with the objective of reducing either the likelihood of the risk occurring and / or the consequence if the risk were to occur". This implies that residual risk must be less than inherent risk. In contrast, ISO 31000 defines a control as "measure that is modifying risk" without the implication that it is always reducing risk.
Consider the following: You are hiring a car for a colleague and are considering whether to take out additional insurance to reduce the $3,000 excess to $500. When considering the cost / benefit of this you need to consider the extent to which "accident risk" is reduced against the cost of the insurance.
This requires an assessment of the degree to which "accident risk" is reduced by the additional insurance.
If we assume the following:
If the insurance costs less than $25 we might consider it worthwhile.
As insurance is a remedial control, we have only reduced the consequence. However, is there an impact on likelihood that we have not considered? Consider how the hirer may drive the car when we do not take out the additional insurance: probably more like their own! This contrasts with how they might drive the car if we do take out the additional insurance - like a hire car! This change of behaviour by the driver, on the basis that there is now a financial safety net if things go wrong, may lead to an increase in the likelihood.
If we now reassess our risk:
In this analysis, the increase in the likelihood from 1% to 9% more than offsets the reduction in consequence and the residual risk is now higher than inherent risk.
This example may be extreme in order to illustrate that it is possible for residual risk to be higher than inherent risk. However, the underlying question is simple - can certain remedial controls lead to a change in behaviour that leads to an increase in likelihood of risk events and ultimately an overall higher cost to the organisation?
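The hire-car arithmetic above, written out as an added illustration (not code from the original post): risk is modelled as expected loss (likelihood × consequence), and a control is allowed to modify both factors in the ISO 31000 sense. The 1%, 9%, $3,000, $500 and $25 figures are taken from the text; the breakeven helper is an assumption of ours.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    likelihood: float   # probability of the event over the hire period
    consequence: float  # loss in dollars if the event occurs

    def expected_loss(self) -> float:
        return self.likelihood * self.consequence


def apply_control(risk: Risk, consequence_after: float,
                  likelihood_after: float, control_cost: float) -> dict:
    """Residual position after a control that may change BOTH factors.

    A control that only cuts consequence always lowers residual risk; one
    that also shifts behaviour (likelihood) can push residual above inherent.
    """
    inherent = risk.expected_loss()
    residual = Risk(likelihood_after, consequence_after).expected_loss()
    return {
        "inherent": inherent,
        "residual": residual,
        "risk_reduction": inherent - residual,
        "net_benefit": inherent - residual - control_cost,
        "residual_exceeds_inherent": residual > inherent,
    }


def breakeven_likelihood(risk: Risk, consequence_after: float) -> float:
    """Likelihood at which the reduced-consequence residual equals inherent."""
    return risk.expected_loss() / consequence_after


# Figures from the post: 1% accident likelihood, $3,000 excess, insurance cuts
# the excess to $500 and costs $25 (assumed exact values, as in the text).
INHERENT = Risk(likelihood=0.01, consequence=3000.0)


def hire_car_naive() -> dict:
    """Consequence-only view: likelihood unchanged by the control."""
    return apply_control(INHERENT, 500.0, likelihood_after=0.01, control_cost=25.0)


def hire_car_behavioural() -> dict:
    """Behavioural view: the safety net lifts likelihood from 1% to 9%."""
    return apply_control(INHERENT, 500.0, likelihood_after=0.09, control_cost=25.0)
```

Running `hire_car_naive()` shows the $25 reduction that makes the cover look worthwhile; `hire_car_behavioural()` shows residual expected loss of $45 against an inherent $30, and `breakeven_likelihood(INHERENT, 500.0)` gives the 6% point past which the control does net harm.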
To factor this into your risk management process consider these steps:
Can you think of any such controls in practice? One that springs to mind is the dependency on rating agencies for credit assessment of counter-parties. Does that reliance improve our understanding of credit risk, or lead to blanket acceptance of counter-parties above a certain rating, which ultimately may lead to additional losses should things go wrong? Sounds like the story of CDOs and the GFC!
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht's clients. David is the driving force behind taking Protecht's risk thinking to the frontiers of what is possible in risk management and behind supporting the uplift of people's risk capability through training and content.