Inherent Risk vs. Residual Risk Explained in 90 Seconds

Sep 7, 2017 3:18:43 PM / by Rachel Slabotsky



I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and what inherent risk represented in that particular scenario.

They could not get comfortable with the current state of their control environment without having a firm grasp on the assessed inherent risk for that scenario. This stemmed from their experience in conducting risk assessments, where the first step is to identify the inherent risk and then factor in controls to arrive at residual risk.

Here are the standard definitions of the two concepts:

Inherent risk represents the amount of risk that exists in the absence of controls.


Residual risk is the amount of risk that remains after controls are accounted for.

Applying the above definitions to the clients’ scenario uncovered the fact that the “inherent” risk being described was not a “no controls” environment, but rather one that only excluded some controls.

The flaw with inherent risk is that, as it is used in practice, the analysis rarely states explicitly which controls are being included and which are being excluded.


A truly inherent risk state, in our example, would assume that no employee background checks or interviews are conducted and that no locks exist on any doors.


This could lead to almost any risk scenario being evaluated as inherently high. Assessing inherent risk can therefore be quite arbitrary.

According to Jack Jones, author of Measuring and Managing Information Risk: A FAIR Approach and creator of the FAIR model, much more realistic and useful definitions would be

How FAIR can help

Applying the FAIR model to risk analyses such as the scenario described above can help remove the ambiguity around the “no controls” notion of inherent risk by focusing on explicitly identifying and evaluating the key controls in the current-state environment.

Specifically, when measuring the current level of risk for a given scenario, each control is factored into either the frequency or the magnitude side of the model according to its nature (avoidance, deterrent, response, etc.). Doing so lets you be more intentional about which controls you choose to include or exclude from your analysis, and ultimately identify which controls appear to have the greatest effect on the loss scenario.
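The following Python snippet is an added illustration of the point above; it is not code from the original post or from the FAIR Institute. It models a scenario in the structure FAIR uses (loss exposure = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability) and applies each control to the side of the model its nature dictates: avoidance and deterrent controls lower threat event frequency, resistive controls lower vulnerability, and response controls lower loss magnitude. It then computes three states: the true inherent state (no controls), the "partial" state the clients in the post were actually describing (all controls except one), and the residual state, and ranks the controls by how much loss exposure rises if each is removed. The server-room scenario, control names and all numbers are constructed for the example, and the point-estimate arithmetic is a deliberate simplification of the ranges and Monte Carlo simulation a full FAIR analysis would use.

```python
"""Added example: factoring controls into the frequency or magnitude side
of a FAIR-style risk scenario. Scenario, control names and all numbers are
constructed for illustration; point estimates stand in for the ranges and
Monte Carlo simulation a full FAIR analysis would use."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    kind: str      # avoidance | deterrent | resistive | response
    effect: float  # fraction (0..1) by which the control reduces its target


@dataclass(frozen=True)
class Scenario:
    """Inputs for the uncontrolled ('no controls') state, all point estimates."""
    tef: float   # threat event frequency, events per year
    vuln: float  # probability that a threat event becomes a loss event
    lm: float    # loss magnitude per loss event, in currency units


def loss_exposure(s: Scenario, controls: Iterable[Control]) -> float:
    """Annualized loss exposure = LEF x LM, where LEF = TEF x vulnerability.
    Each control is applied to the side of the model its nature dictates."""
    tef, vuln, lm = s.tef, s.vuln, s.lm
    for c in controls:
        if not 0.0 <= c.effect <= 1.0:
            raise ValueError(f"{c.name}: effect must be in [0, 1]")
        if c.kind in ("avoidance", "deterrent"):   # frequency side: fewer threat events
            tef *= 1.0 - c.effect
        elif c.kind == "resistive":                # frequency side: fewer threat events succeed
            vuln *= 1.0 - c.effect
        elif c.kind == "response":                 # magnitude side: each loss event costs less
            lm *= 1.0 - c.effect
        else:
            raise ValueError(f"{c.name}: unknown control kind {c.kind!r}")
    return tef * vuln * lm


def risk_states(s: Scenario, controls: List[Control],
                excluded: Iterable[str] = ()) -> Dict[str, float]:
    """Inherent (no controls), residual (all controls), and the 'partial' state
    that excludes only the named controls, which is what a loosely defined
    'inherent risk' usually turns out to be in practice."""
    excluded = set(excluded)
    partial = [c for c in controls if c.name not in excluded]
    return {
        "inherent": loss_exposure(s, []),
        "partial": loss_exposure(s, partial),
        "residual": loss_exposure(s, controls),
    }


def rank_controls(s: Scenario, controls: List[Control]) -> List[Tuple[str, float]]:
    """Marginal value of each control: how much annualized loss exposure rises
    if only that control is removed from the current state. Highest first."""
    residual = loss_exposure(s, controls)
    impact = [(c.name, loss_exposure(s, [x for x in controls if x is not c]) - residual)
              for c in controls]
    return sorted(impact, key=lambda t: t[1], reverse=True)


# Constructed scenario (assumed numbers): unauthorized entry to a server room.
SCENARIO = Scenario(tef=12.0, vuln=0.5, lm=50_000.0)
CONTROLS = [
    Control("background checks", "deterrent", 0.5),  # fewer insiders attempt it
    Control("door locks", "resistive", 0.8),         # fewer attempts succeed
    Control("incident response", "response", 0.5),   # each success costs less
]

if __name__ == "__main__":
    states = risk_states(SCENARIO, CONTROLS, excluded=["door locks"])
    for name, value in states.items():
        print(f"{name:>9}: {value:>12,.0f} / year")
    print("controls by marginal effect on loss exposure:")
    for name, delta in rank_controls(SCENARIO, CONTROLS):
        print(f"  {name:<18} +{delta:,.0f} / year if removed")
```

With these assumed inputs the "partial" state that excludes only the door locks sits at five times the residual figure but at a quarter of the true inherent figure, which is exactly the gap the clients fell into: a number labelled "inherent" that silently kept most of the controls. Ranking by marginal effect shows that, in this scenario, the locks matter far more than either of the other two controls, an observation that the undifferentiated "no controls" figure cannot provide.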