A lot of our customers ask for advise on whether they should assess risks by Inherent Risk, Residual Risk or both. While our software supports the ranking and assessment of both, the value of assessing Inherent Risk is limited.
First some definitions
Inherent Impact – The impact that the event would have on the organization if it occurred and there were no controls in place. Inherent Likelihood – The likelihood of the event occurring if there were no controls in place.
Residual Impact – The impact that the event would have on the organization if it occurred with the current control environment. (This includes Insurance, preventive and detective controls and other risk treatments)
Residual Likelihood – The likelihood of the event occurring in the current control environment. (This includes Insurance, preventive and detective controls and other risk treatments)
The only PRO we hear about for ranking Inherent Risk is as an output for Internal Audit.
If you rate risks on both Inherent and Residual Risk then you can show the change from Inherent to Residual which indicates the organizations dependence on the effectiveness of the control. If a critical risk is largely mitigated due to the presumed operation of a control or set of controls then it would be VERY useful for Internal Audit to validate that those controls are working as assumed.
This snapshot of the Ballot Heatmap shows the change between Inherent and Residual Risk. The longer the line, the more you are depending on the effectiveness of the controls.
The CON for ranking Inherent Risk
Inherent Risk is not real life. There are many great examples of this, “A Plane without a Pilot, Wings, or Brakes”, “A Bank without a Safe, Camera’s, Alarms, or Locks” clearly these do not warrant discussion in any group of senior personnel.
If you do want the comparison between Inherent and Residual Risk it is recommended that you have a small team (1 or 2 people) who are very familiar with the Inherent Risk concept rate the inherent risk. Don’t waste a group’s time with it.