There are few common definitions in risk but Inherent Risk is commonly defined as "the risk without considering internal controls" or alternatively "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk on the other hand is commonly defined as "the level of risk remaining after the relevant controls have been applied".
One of the main arguments against the use of inherent risk as a concept is the perceived difficulty in determining its level. Consider "Building Security Risk" - the risk that an unauthorised person will access a building and carry out unauthorised and or damaging actions. When we assess "What is the level of risk before considering controls?", workshop responses vary as we have limited experience of this risk without any controls.
As a result, there is often difficulty in determining a consistent inherent risk scenario. Does this mean a lack of all or a combination of some of the following controls - security guards, CCTV, windows, doors and walls?
We believe that this problem can largely be overcome by changing the order of the risk assessment by firstly identifying the controls that mitigate the risk. Secondly, the inherent risk assessment is then performed by asking the question "What is the level of risk before considering the identified controls?".
This approach overcomes the question of what controls are assumed not to exist or be working. If a "control" is not specifically identified, it is assumed to be present in the inherent risk assessment. These pre-existing controls are often referred to as "base-line" controls.
In determining whether a control is base-line or not, it helps to define "a control". A useful definition of a control is "a specific action taken by the organisation with the objective of reducing the risk". The key is a "specific action".
Security guards and CCTV would be seen as non base-line or "identified" and therefore be considered in the inherent risk assessment. However, windows and doors would be base-line controls as it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organisation.
Likelihood is a measure of the expected frequency of the risk occurring. Multiple factors can go into the measurement of likelihood.
If one or more of those factors cannot be determined, it is difficult to determine inherent likelihood.
For example, the likelihood of fraud risk requires consideration of:
(a) The likelihood that an individual is dishonest
(b) The level of skill they possess in carrying out the fraud
(c) The chance of success if they were to carry out the fraud
Point a) is virtually impossible to determine, b) is difficult to determine and c) can be reasonably determined with sufficient thought. As a result inherent risk for fraud is virtually impossible to determine and requires an assumption about a) and b).
However, for many other risks, clients assess inherent risk with relative ease.
What is the difference in these risks?
We believe it lies in whether the risk is deliberate or non deliberate. Where the risk is non deliberate or accidental, the inherent likelihood can be relatively easy to obtain. Where the risk is deliberate through actions of people, such as fraud, inherent likelihood cannot be determined and the best we can do is to determine the chance of success if the person was dishonest.
If we assess this likelihood on this (incomplete) basis, we must be careful when comparing the level of risk with other non deliberate risks where all factors affecting likelihood have been considered.
Where possible, we are of the view that the determination of inherent risk is very useful. The reasons are:
The debate over the usefulness of inherent risk will surely continue. The key is to apply the most relevant approach to the type of risk and recognise not all risks are the same. Where possible the determination of inherent risk can be useful in understanding the nature of the risk, the potential worst case scenario and the importance of related controls.
David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.