People travel through a world of risk every day, and we constantly calculate the level of risk we’re willing to tolerate at any particular moment. Should we race through the yellow light or stop? Should we keep investing in that promising stock or get out now? And on we go through the day — sometimes taking steps to reduce risk, other times just living with a risk we deem acceptable at the moment.
Risk management for organizations works in much the same manner. Businesses assess the inherent risk in some particular situation; take whatever precautions management might deem necessary; and then live with the residual risk that remains.
And as the potential harms of miscalculating a risk (financial or otherwise) increase, the importance of understanding the difference between inherent and residual risk goes up too.
What is Inherent Risk and What is Residual Risk?
Inherent risk is the innate risk in a business process or transaction without any controls in place. Imagine IT systems without any passwords, vulnerability scanning, penetration tests, security audits, or other measures to keep confidential data safe and operations running smoothly: that is an example of the inherent risk of modern technology.
Clearly the inherent risk of modern IT systems is quite high; your organization would almost be guaranteed to suffer a data breach, violate regulatory compliance obligations, and lose money. So businesses implement all the controls we mentioned above, and more: password policies, cybersecurity training, audits, pen tests, locks on the data center door, and so forth.
Residual risk is the risk that remains after you’ve applied all the controls you intend to use — because no matter how good your current controls are, you will never be able to eradicate every single risk.
What are Examples of Inherent Risk?
In the financial world, inherent risk is often defined as a misstatement that may lead to mismanagement when decisions are based on that misleading statement. This happens not for lack of internal controls but because the statement is simply wrong.
For instance, those statements may have been put together depending on a large amount of estimation (“Things are beginning to look up! So let’s build a new plant”), or perhaps a complicated calculation was performed incorrectly and led to erroneous conclusions (say, recording $100 million in revenue when you only had $10 million).
Another example is the inherent risk of cash, which is higher than the inherent risk of physical infrastructure such as a bank branch. Why? Because cash can easily be stolen or misappropriated; a building, not so much.
The financial service sector is vulnerable to inherent risk because of the often complicated relationships among financial institutions, their many vendors, contractors and customers. Frequent regulatory changes in the financial sector can make it difficult for financial firms to assure that their business processes and relationships are in full compliance with the law.
What are Examples of Residual Risk?
Residual risk is what’s left after you’ve mitigated all the risks you can identify and treat; it’s the risk that remains after your internal controls have done their work.
For instance, a company could implement a password policy requiring employees to use complex passwords that must be changed every week. The residual risk of hackers guessing the password would be low; but the resident risk of employees using new passwords that vary only slightly from the old (and jotting them down on a Post-It note) would be high. Which password policy should the company use? That depends on the amount and type of residual risk that management is willing to accept.
Another example: your company could require three executives to approve onboarding of new SaaS providers. The residual risk of hiring a fraudulent provider might be low (lots of executives are reviewing the contract), but it also means a longer, less agile onboarding process. Or the company could require only one executive approval: the residual risk of onboarding an unreliable provider is higher, but the company’s ability to embrace new technology runs faster. Which policy is better? Again, it depends on the residual risks management is willing to accept.
Key Differences Between Inherent and Residual Risk
A good risk assessment program analyzes the risk landscape in which you operate, determines the likelihood of specific types of risks actually turning into threats, and puts internal controls in place to filter out the highest risk threats.
Inherent risk is the risk level where your business is right now, as you are doing risk assessment, perhaps focused on the amount of risk stemming from your vendors. Once you have determined the risk level you can accept and have applied all controls that you want, what’s left is residual risk.
Manage Inherent and Residual Risk in One System
As you develop your business, you may find that your risk appetite changes. After all, running a business is what you do and you may be bolder in some areas today than you were a year ago.
We are here to support your risk management and analysis, every step of the way. Using artificial intelligence and sophisticated data analytics, ZenGRC will stay on top of compliance changes and new risk factors, and quickly identify blindspots in your processes.
ZenGRC’s compliance, risk, and workflow management software is an intuitive platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has turned into a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.