Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process.
In a previous blog article, we questioned whether
This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful.
The question is whether our understanding and value of risk assessment are enhanced by assessing one or both of the additional layers of risk, “Expected” and “Targeted” risk and is there any further value in adding further layers of risk?
Firstly, let’s consider how these risk components logically fit together. Using a common risk assessment methodology where Likelihood and Impact are assessed using a 5-scale measure for each, consider the following.
This information is illustrated in a tabular and matrix format below
Figure 1. The different layers of risk
Figure 2. Matrix report
Where “I” = Inherent Risk, “R” = Residual Risk, “E” = Expected Risk and “T” = Targeted Risk.
Linking to your risk management framework components
The various components in this analysis should be linked to the various components of your Enterprise Risk Management framework and system as follow:
Observing the current ERM practices being implemented, we rarely see all aspects of the above approach being used. This is primarily because it requires added complexity and effort in assessing these additional layers. However, we are seeing a higher occurrence of the concept of Targeted Risk which effectively combines the Expected and Targeted risk levels into a single component. That is the identification of Inherent, Residual and Targeted. The difference between Residual and Targeted covers both actions and issues without differentiating between them or creating the additional layer of Expected Risk. We believe this may be a maturity issue and as organisations become more familiar with risk assessment then increased sophistication may occur which includes these additional layers.
The decision to enhance your ERM assessment methodology to include one or more of these additional layers should take into consideration:
With all developments in risk management, the cost has to be weighed against the benefits and each organisation will be different based on the above.
Join our live webinar to learn more about Inherent, Residual and Targeted Risks:
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).