Assessing risks: Inherent or Residual

September 29, 2015 by
Filed under: Governance, Risk and Compliance

Triggered by a conversation with a Chief Risk Officer, I thought it would make sense to write down a few lines on the assessment of risks. What seems like routine practice to many turns out to be quite difficult for even more people. The CRO said, "Aha, you're assessing inherent and residual risk. We've been discussing this for a long time, and never got to the right answer." This came up after I had shown just one example, because assessments are done in so many different ways.
What did this tell me? It told me that risk assessments are apparently less obvious than I had come to assume. Since most super-specialists will have stopped reading this blog by now, I will skip the academic definitions and explain it in layman's terms.

Inherent (or gross) risk is the level of risk with no measures or controls in place, or equivalently with all of them failing. As a simple rule of thumb, this is usually also the worst-case scenario for the risk.
Residual (or net) risk is the level of risk that remains with all the measures and controls in place and working.

Think of the risk of the office building burning down. We have fire alarms and we have fire extinguishers, both measures that mitigate the risk. The inherent risk would probably be assessed as the entire building burning down, say an impact of 4M euro with a certain likelihood, say once every twenty years. That is a pretty high risk, because it is likely to happen at some point during your career in that building. The measures that are taken reduce this to a likelihood of once every fifty years and an impact of 200k euro, because the fire will be contained to a smaller area.

We now immediately see why it is important to assess both inherent and residual risk. The residual risk tells you whether you need to be nervous about the existing situation: when the residual risk is high, you clearly need to take extra measures. The inherent risk tells you how much you depend on the controls: when the inherent risk is high, you need to be nervous about whether the measures and controls are working effectively. Do the fire extinguishers still hold pressure? Does the fire alarm work? Especially when the difference between inherent and residual risk is large, it is extra important to verify that the measures and controls are operating effectively, because that difference is exactly what the controls are carrying.

This is true at the ERM (enterprise risk management) level as well as at the operational level. And yes, for those specialists who did keep reading, reality is probably more complex, because a risk is not just one impact and a single likelihood; there are many potential distributions behind it. That is why risk assessments of this kind are intended for setting priorities, not for calculating the actual risk exposure. That is a completely different story.
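To make the two prioritisation rules above concrete, here is a small added example (my own code, not from the original post or from BWise). It models each risk as an impact and a mean time between occurrences, converts both the inherent and the residual figures to an annualised loss expectancy, and then produces two lists: risks whose residual exposure exceeds a stated appetite (where extra measures are needed), and risks ranked by the gap between inherent and residual exposure (where control testing matters most). The office-fire numbers are the ones from the post; the ransomware and laptop entries, the appetite figure and all function names are constructed for illustration.

```python
"""Toy risk register: inherent vs residual risk as annualised loss expectancy (ALE).

Added example, not code from the original post. The office-fire figures come
from the post; the other two risks and the risk appetite are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    inherent_impact: float   # loss in euro if all controls fail
    inherent_years: float    # mean years between occurrences with no controls
    residual_impact: float   # loss in euro with controls in place
    residual_years: float    # mean years between occurrences with controls

    def inherent_ale(self) -> float:
        """Gross annualised loss expectancy: impact x annual likelihood."""
        return self.inherent_impact / self.inherent_years

    def residual_ale(self) -> float:
        """Net annualised loss expectancy with controls working."""
        return self.residual_impact / self.residual_years

    def control_gap(self) -> float:
        """Exposure per year that the controls are carrying (inherent - residual)."""
        return self.inherent_ale() - self.residual_ale()

    def control_reliance(self) -> float:
        """Fraction of the gross exposure removed by controls, 0.0 .. 1.0."""
        if self.inherent_ale() == 0:
            return 0.0
        return self.control_gap() / self.inherent_ale()


# Constructed register. "Office fire" uses the post's figures:
# 4M euro once in 20 years inherent, 200k euro once in 50 years residual.
SAMPLE_RISKS = [
    Risk("Office fire", 4_000_000, 20, 200_000, 50),
    Risk("Ransomware on file servers", 2_000_000, 5, 300_000, 10),   # constructed
    Risk("Lost unencrypted laptop", 100_000, 2, 80_000, 2),           # constructed
]


def needs_extra_measures(risks, appetite_per_year: float):
    """Rule 1: residual risk above appetite means the current situation is not acceptable.

    Returns names, highest residual exposure first.
    """
    over = [r for r in risks if r.residual_ale() > appetite_per_year]
    return [r.name for r in sorted(over, key=lambda r: r.residual_ale(), reverse=True)]


def control_testing_priority(risks):
    """Rule 2: the larger the inherent/residual gap, the more a control failure would cost.

    Returns names, largest gap first; this is the order in which to verify
    that controls actually operate (is the extinguisher still pressurised?).
    """
    return [r.name for r in sorted(risks, key=lambda r: r.control_gap(), reverse=True)]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:28s} inherent {r.inherent_ale():>10,.0f}/yr "
              f"residual {r.residual_ale():>9,.0f}/yr "
              f"gap {r.control_gap():>10,.0f}/yr "
              f"reliance {r.control_reliance():.0%}")
    print("Needs extra measures (appetite 25k/yr):", needs_extra_measures(SAMPLE_RISKS, 25_000))
    print("Control testing priority:", control_testing_priority(SAMPLE_RISKS))
```

Note how the two lists disagree: the laptop risk sits above appetite and needs new measures, yet it is last in the control-testing order because almost nothing depends on its existing controls, while the fire risk is well within appetite but remains near the top for control testing because 98% of its gross exposure rests on the alarm and extinguishers working.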

Tags: BWise, Risk, Risk Management
