The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment.
The main areas of contention are:
What does Inherent Risk mean?
There are few common definitions in risk but “Inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk on the other hand is commonly defined as “the level of risk remaining after controls have been applied”.
Can Inherent Risk be determined?
One of the main arguments against the use of inherent risk as a concept is the perceived difficultly in determining its level. Consider “Building Security Risk” – the risk that an unauthorised person will access a building and carry out unauthorised and or damaging actions. When we assess “What is the level of risk before considering controls?”, workshop responses vary as we have limited experience of this risk without any controls.
As a result, there is often difficulty in determining a consistent inherent risk scenario. Does this mean a lack of all or a combination of some of the following controls — no security guards, no CCTV, no windows, no doors and no walls?
This is a common problem when trying to assess inherent risk in a typical risk assessment. This problem can however, largely be overcome by changing the order of the risk assessment by firstly identifying the controls that mitigate the risk. Secondly, the inherent risk assessment is then performed by asking the question “What is the level of risk before considering the identified controls?”. This approach overcomes the question of what controls are assumed not to exist or working effectively. If a “control” is not specifically identified, it is assumed to be present in the inherent risk assessment. These pre-existing controls are often referred to as “base-line” controls.
In determining whether a control is base-line or not, it helps to define “a control?”. A definition we find useful is “a specific action taken by the organisation with the objective of reducing the risk”.
The key is a “specific action”. Security guards and CCTV would be seen as non base-line or “identified” and therefore be considered in the inherent risk assessment.
However, windows and doors would be base-line controls as it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organisation.
For further insights you can also read, 'Can Residual Risk be higher than Inherent Risk?'.
Can Inherent Likelihood and Consequence always be determined?
Likelihood is a measure of the expected frequency of the risk occurring. Multiple factors can go into the measurement of likelihood. If one or more of those factors cannot be determined, it is difficult to determine inherent likelihood.
For example, the likelihood of fraud risk requires consideration of:
Point a) is virtually impossible to determine, b) is difficult to determine and c) can be reasonably determined with sufficient thought. As a result inherent risk for fraud is virtually impossible to determine and requires an assumption about a) and b).
however, for many other risks it is, in relation, easier to assess inherent risk.
What is the difference in these risks? We believe it lies in whether the risk is deliberate or non-deliberate. Where the risk is non deliberate or accidental, the inherent likelihood can be relatively easy to obtain. Where the risk is deliberate through actions of people, such as fraud, inherent likelihood cannot be determined and the best we can do is to determine the chance of success if the person was dishonest, If we assess this likelihood on this (incomplete) basis we must be careful when comparing the level of risk with other non-deliberate risks where all factors affecting likelihood have been considered.
Is inherent risk useful as part of a risk assessment process?
Where it is considered possible to assess inherent risk, we are of the view that its determination can be very useful. The reasons are:
The debate over the usefulness of inherent risk will no doubt continue. The key is to apply the most relevant approach to the type of risk and recognise not all risks are the same. Where possible the determination of inherent risk can be useful in understanding the nature of the risk, the potential worst case scenario and the importance of related controls.
If you wish to learn more about how Protecht can help you, please email firstname.lastname@example.org
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).