They could not get comfortable with the current state of their control environment without having a firm grasp on the assessed inherent risk for that scenario. This stemmed from their experience in conducting risk assessments where the first step is to identify the inherent risk, then factor in controls to arrive at residual risk.
Here are the standard definitions of the two concepts:
- Inherent risk represents the amount of risk that exists in the absence of controls.
- Residual risk is the amount of risk that remains after controls are accounted for.
Sounds straightforward. But these two terms seem to fall apart when put into practice.
Applying the above definitions to the clients’ scenario uncovered the fact that the “inherent” risk being described was not a “no controls“ environment, but rather, one that only excluded some controls.
The flaw with inherent risk is that in most cases, when used in practice, it does not explicitly consider which controls are being included or excluded.
A truly inherent risk state, in our example, would assume no employee background checks or interviews are conducted and that no locks exist on any doors. This could lead to almost any risk scenario being evaluated as inherently high. Treating inherent risk therefore can be quite arbitrary.
According to Jack Jones, author of Measuring and Managing Information Risk: A FAIR Approach and creator of the FAIR model, much more realistic and useful definitions would be
- Inherent risk is current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.
- Residual risk would then be whatever risk level remain after additional controls are applied.
How FAIR can help
Applying the FAIR model to risk analyses, such as the scenario described above, can help rid the ambiguity around the “no controls” notion of inherent risk by focusing on explicitly identifying and evaluating key controls in the current state environment.
Specifically, when measuring the current level of risk for a given scenario, controls are factored into either the frequency or magnitude side of the model based on their nature [avoidance, deterrent, response, etc.]. Doing so allows you to be more intentional about the controls that you chose to include or exclude from your analysis, and ultimately identify which controls appear to have the greatest effect on the loss scenario.
Learn more in Jack’s blog post Using the FAIR Model to Measure Inherent Risk.
Topics: FAIR
The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.[1]
The general formula to calculate residual risk is
where the general concept of risk is [threats × vulnerability] or, alternatively, [severity × probability].
An example of residual risk is given by the use of automotive seat-belts. Installation and use of seat-belts reduces the overall severity and probability of injury in an automotive accident;[2] however, probability of injury remains when in use, that is, a remainder of residual risk.
In the economic context, residual means “the quantity left over at the end of a process; a remainder”[3]
In the property rights model it is the shareholder that holds the residual risk and therefore the residual profit.
See also[edit]
- Risk analysis
- Risk management
References[edit]
- ^ Gregory Monahan [2008]. Enterprise Risk Management: A Methodology for Achieving Strategic Objectives. John Wiley & Sons.
- ^ "Seat Belts: Get the Facts". Motor Vehicle Safety. Centers for Disease Control. 20 August 2015. Retrieved 2016-02-15.
- ^ "dictionary.com". {{cite web}}: Missing or empty |url= [help]
External links[edit]
- Residual Risk Reduction
- Economist.com
- Euronuclear.org
- R3i.org