The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment.
The main areas of contention are:
There are few commonly agreed definitions in risk management, but “inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual risk, on the other hand, is commonly defined as “the level of risk remaining after controls have been applied”.
One of the main arguments against the use of inherent risk as a concept is the perceived difficulty in determining its level. Consider “Building Security Risk” – the risk that an unauthorised person will access a building and carry out unauthorised and/or damaging actions. When we assess “What is the level of risk before considering controls?”, workshop responses vary, as we have limited experience of this risk without any controls.
As a result, there is often difficulty in determining a consistent inherent risk scenario. Does this mean a lack of all or a combination of some of the following controls — no security guards, no CCTV, no windows, no doors and no walls?
This is a common problem when trying to assess inherent risk in a typical risk assessment. This problem can, however, largely be overcome by changing the order of the risk assessment: first identify the controls that mitigate the risk, and then perform the inherent risk assessment by asking the question “What is the level of risk before considering the identified controls?”. This approach resolves the question of which controls are assumed not to exist or not to be working effectively. If a “control” is not specifically identified, it is assumed to be present in the inherent risk assessment. These pre-existing controls are often referred to as “base-line” controls.
In determining whether a control is base-line or not, it helps to define “a control”. A definition we find useful is “a specific action taken by the organisation with the objective of reducing the risk”.
The key is a “specific action”. Security guards and CCTV would be seen as non-base-line or “identified” controls and would therefore be considered in the inherent risk assessment.
However, windows and doors would be base-line controls as it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organisation.
For further insights you can also read 'Can Residual Risk be higher than Inherent Risk?'.
Likelihood is a measure of the expected frequency of the risk occurring. Multiple factors can go into the measurement of likelihood. If one or more of those factors cannot be determined, it is difficult to determine inherent likelihood.
For example, the likelihood of fraud risk requires consideration of:
Point a) is virtually impossible to determine, b) is difficult to determine and c) can be reasonably determined with sufficient thought. As a result, inherent risk for fraud is virtually impossible to determine and requires an assumption about a) and b).
However, for many other risks it is, by comparison, easier to assess inherent risk.
What is the difference in these risks? We believe it lies in whether the risk is deliberate or non-deliberate. Where the risk is non-deliberate or accidental, the inherent likelihood can be relatively easy to obtain. Where the risk is deliberate through the actions of people, such as fraud, inherent likelihood cannot be determined and the best we can do is to determine the chance of success if the person were dishonest. If we assess likelihood on this (incomplete) basis, we must be careful when comparing the level of risk with other non-deliberate risks where all factors affecting likelihood have been considered.
Where it is considered possible to assess inherent risk, we are of the view that its determination can be very useful. The reasons are:
The debate over the usefulness of inherent risk will no doubt continue. The key is to apply the most relevant approach to the type of risk and to recognise that not all risks are the same. Where possible, the determination of inherent risk can be useful in understanding the nature of the risk, the potential worst-case scenario and the importance of related controls.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind pushing Protecht’s risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people’s risk capability through training and content.