For those that adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner: Inherent risk less the effect of controls equals residual risk.
This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.
A common definition of controls is "A specific action taken with the objective of reducing either the likelihood of the risk occurring and / or the consequence if the risk were to occur". This implies that residual risk must be less than inherent risk. In contrast, ISO 31000 defines a control as "measure that is modifying risk" without the implication that it is always reducing risk.
Three types of control are commonly recognised:
- Preventive. Attempts to prevent the risk from occurring and therefore is aimed at reducing the likelihood.
- Detective. Attempts to identify the occurrence of risk and if it is prior to the risk occurring it reduces the likelihood and if after the risk has occurred, it is aimed at reducing the consequence.
- Remedial (Reactive / Corrective). Attempts to limit the damage from the risk having occurred and therefore is aimed at reducing the consequence.
Consider the following: You are hiring a car for a colleague and are considering whether to take out additional insurance to reduce the $3,000 excess to $500. When considering the cost / benefit of this you need to consider the extent to which "accident risk" is reduced against the cost of the insurance.
This requires an assessment of the degree to which "accident risk" is reduced by the additional insurance.
If we assume the following:
If the insurance costs less than $25 we might consider it worthwhile.
As insurance is a remedial control, we have only reduced the consequence. However, is there an impact on likelihood that we have not considered. Consider how the hirer may drive the car when we do not take out the additional insurance, probably more like their own! This contrasts as to how they might drive the car if we take out the additional assurance - like a hire car! This change of behaviour by the driver on the basis that there is now a financial safety net if things go wrong, may lead to an increase in the likelihood.
If we now reassess our risk:
In this analysis, the increase in the likelihood from 1% to 9% more than offsets the reduction in consequence and the residual risk is now higher than inherent risk.
This example may be extreme in order to illustrate that it is possible for residual risk to be higher than inherent risk. However, the underlying question is simple - can certain remedial controls lead to a change in behaviour that leads to an increase in likelihood of risk events and ultimately an overall higher cost to the organisation?
To factor this into your risk management process consider these steps:
- Identify remedial controls that are designed to mitigate the consequence of human based risks, such as human error.
- Ensure that an evaluation of the effectiveness of the control recognises that likelihood may increase. You may ask the question - does this remedial control affect the behaviour of staff? This may affect your assessment of the overall effectiveness of the control and your assessment of the residual risk.
- When evaluating the value of a control (its risk mitigating effectiveness against its cost) ensure that this potential effect is considered to avoid over valuing a control.
Can you think of any such controls in practice? One that springs to mind is the dependency on rating agencies for credit assessment of counter-parties. Does that reliance improve our understanding of credit risk or lead to blanket acceptance of counter-parties above a certain rating, which ultimately may lead to additional losses should things go wrong. Sounds like the story of CDOs and the GFC!