
Inherent and Residual Risk

Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls).

Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls).

Inherent and Residual Risk are commonly used terms within the operational risk community, especially among accountants. While Residual Risk is relatively simple to define within the Simple Risk Model (e.g. "Residual Risk" is "Risk" as used in the Model), the definition of Inherent Risk is more problematic. For example, in the auditing community, Inherent Risk is defined as the risk that a financial record is incorrect absent any internal controls. In this situation it is tempting to simply equate Inherent Risk to Cost, since both terms refer to the importance of a process or asset to a business before controls (Vulnerabilities) are taken into account. Alternatively, Inherent Risk could be equated to the Probability that the financial record is incorrect.

The inherent problem with Inherent Risk is that it is a subjective concept as applied by the auditing community. I would suggest the following as a more objective means of measuring Inherent Risk:

I have to acknowledge that this conclusion is based on a primitive mathematical analysis. However, it does lead to a more accurate definition of Inherent Risk:

  1. The risk that a process poses to the business before controls are taken into account,
  2. The risk that a process poses to the business based on the financial exposure if the process fails and the presence of threats that could exploit a vulnerability in that process.

In the first definition, there is the temptation to treat all processes as having a high Inherent Risk. For example, there is always the risk that a financial record will be inaccurate before controls are put in place. Hence, the first definition is not very helpful in setting priorities.

The second definition provides better guidance by first determining the impact to the business if the financial record were to be inaccurate. Are we talking about a $1 or a $1 million line item? Second, you also need to determine the potential for a mistake to be made in preparing the financial record, or for someone to intentionally misrepresent the amount. Once these assessments are made, the accountant can better determine which financial records deserve close attention (i.e. have a higher Inherent Risk).

The second definition also provides a vital insight into the assessment of Cost. It is difficult to conceptualize a business risk, especially when estimating the Financial Exposure, in an environment where there are no controls. This is why many managers have a hard time quantifying Cost. For example, a business may have an Internet application that is considered highly proprietary and vital to the continuation of the business. What is the Financial Exposure from an employee selling or otherwise transferring the code for this application to a competitor, especially if there are no controls (e.g. non-disclosure agreements, access restrictions, change control, etc.)? The question is easier to deal with if you consider an additional element - what is the Threat level? What are the Motivation, Experience, Resources, and Prevalence of employees who might sell the code? What is the proportion of loyal versus disgruntled employees in the business? Are there competitors that would stoop to stealing the code? When these types of questions are considered, the Financial Exposure estimate becomes easier to calculate.
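A worked illustration of the second definition of Inherent Risk and of scoring the Threat elements just listed (Motivation, Experience, Resources, Prevalence), added here as an example; it is not code from the Simple Risk Model site or its author. The formulas are assumptions of mine, not the Model's: threat is the mean of the four elements, inherent risk is Financial Exposure times threat, and residual risk is inherent risk times the fraction of exposure that controls leave uncovered. The three processes are constructed so that the $1 and $1 million line items from the text fall out in priority order.

```python
"""Ranking processes by inherent and residual risk.

Added illustration, not code from the Simple Risk Model site.
Assumed scoring (the page gives the concepts, not these formulas):
  threat   = mean of Motivation, Experience, Resources, Prevalence (each 0..1)
  inherent = financial_exposure * threat            # risk before controls
  residual = inherent * (1 - control_effectiveness) # risk after controls
"""
from dataclasses import dataclass
from typing import List


def _unit(value: float, label: str) -> float:
    """Reject scores outside 0..1 so a typo cannot silently inflate a ranking."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")
    return value


@dataclass(frozen=True)
class Threat:
    """The four threat elements named on the page, each scored 0 (none) to 1 (maximal)."""
    motivation: float
    experience: float
    resources: float
    prevalence: float

    def score(self) -> float:
        parts = {
            "motivation": self.motivation,
            "experience": self.experience,
            "resources": self.resources,
            "prevalence": self.prevalence,
        }
        # Assumed aggregation: a plain mean of the four elements.
        return sum(_unit(v, k) for k, v in parts.items()) / len(parts)


@dataclass(frozen=True)
class Process:
    name: str
    exposure: float                     # dollars at stake if the record is wrong (Cost)
    threat: Threat
    control_effectiveness: float = 0.0  # 0 = no controls, 1 = fully mitigated (assumed scale)


def inherent_risk(p: Process) -> float:
    """Second definition: exposure combined with threat presence, controls ignored."""
    return p.exposure * p.threat.score()


def residual_risk(p: Process) -> float:
    """Risk remaining once controls are credited (the Model's 'Risk')."""
    remaining_vulnerability = 1.0 - _unit(p.control_effectiveness, "control_effectiveness")
    return inherent_risk(p) * remaining_vulnerability


def prioritize(processes: List[Process]) -> List[str]:
    """Names ordered by inherent risk, highest first: where the auditor should look first."""
    return [p.name for p in sorted(processes, key=inherent_risk, reverse=True)]


# Constructed sample: a $1 line item, a $1 million line item and one in between.
SAMPLE = [
    Process("Petty cash", 1.0, Threat(0.9, 0.9, 0.9, 0.9)),  # easy to get wrong, immaterial
    Process("Revenue recognition", 1_000_000.0, Threat(0.5, 0.5, 0.5, 0.5), 0.8),
    Process("Payroll", 200_000.0, Threat(0.3, 0.6, 0.4, 0.5), 0.5),
]

if __name__ == "__main__":
    for p in sorted(SAMPLE, key=inherent_risk, reverse=True):
        print(f"{p.name:20s} inherent ${inherent_risk(p):>12,.2f}"
              f"  residual ${residual_risk(p):>12,.2f}")
```

Under the first definition every one of these records would rank "high", since each can be wrong before controls exist; the ranking above separates them because exposure and threat are scored before controls are credited, and controls only move the residual figure.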

One further comment - It has been my experience that the concepts of inherent and residual risk do not add much value in identifying risk. They tend to place too much of an emphasis on the impact of controls on the overall level of risk. In addition, accountants, lacking a method to objectively quantify Cost or Threats, tend to treat inherent and residual risk as nebulous concepts. This often leads to unproductive and rancorous arguments between the accountant and management over the level of risk, since neither side has a method to quantify the various elements.

The following pages provide a further breakdown of Cost, Threat and Vulnerability.