Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process.
In a previous blog article, we questioned whether
This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful.
The question is whether our understanding of risk and the value of risk assessment are enhanced by assessing one or both of the additional layers of risk, “Expected” and “Targeted” risk, and whether there is any value in adding further layers of risk.
Firstly, let’s consider how these risk components logically fit together. Using a common risk assessment methodology where Likelihood and Impact are assessed using a 5-scale measure for each, consider the following.
This information is illustrated in tabular and matrix format below.
Figure 1. The different layers of risk
Figure 2. Matrix report
Where “I” = Inherent Risk, “R” = Residual Risk, “E” = Expected Risk and “T” = Targeted Risk.
Linking to your risk management framework components
The components in this analysis should be linked to the components of your Enterprise Risk Management framework and system as follows:
|Component||Assessment Information sourced from|
Observing current ERM practice, we rarely see all aspects of the above approach being used, primarily because assessing these additional layers adds complexity and effort. However, we are seeing the concept of Targeted Risk used more often, in a form that effectively combines the Expected and Targeted risk levels into a single component; that is, organisations identify Inherent, Residual and Targeted risk. The difference between Residual and Targeted then covers both actions and issues, without differentiating between them or creating the additional layer of Expected Risk. We believe this may be a maturity issue: as organisations become more familiar with risk assessment, increased sophistication may follow, including these additional layers.
The decision to enhance your ERM assessment methodology to include one or more of these additional layers should take into consideration:
With all developments in risk management, the cost has to be weighed against the benefits and each organisation will be different based on the above.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force in taking Protecht’s risk thinking to the frontiers of what is possible in risk management and in supporting the uplift of people risk capability through training and content.