Assessing risks: Inherent or Residual
What did this tell me? It told me that assessments are apparently less obvious than I thought they were, by now. As most super-specialists may have stopped reading this blog by now, I will not go into deep academic definitions and try to explain it in laymen's terms.
Inherent (or gross) risk is the level of risk if all the measures and controls were failing. Often this is also the worst case scenario for this risk, as a simple rule of thumb.
Residual (or net) risk is the level of risk with all the measures and controls in place.
Think of the risk of the office building burning down. We have fire alarms and we have fire extinguishers, both measures to mitigate the risk. The inherent risk is probably assessed as the entire building burning down, say a value of 4M Euro with a certain likelihood, say once every twenty years. This is a pretty high risk, as it is likely to happen sometime during your career in that building. The measures that are taken will reduce this risk to a likelihood of once every fifty years and an impact of 200k, because the fire will be contained in a smaller area.
We now immediately see why it is important to assess both inherent as well as residual risk. The residual risk will tell you whether you need to be nervous about the existing situation. When the residual risk is high, clearly you need to take extra measures. When the inherent risk is high, you need to be nervous about the controls and measures; are they working effectively? Is there still water pressure on the fire extinguishers? Does the fire alarm work? Especially, when the difference between inherent and residual risk is high, it is extra important to ensure measures and controls are working effectively.
This is true on an ERM level, as well as on an operational level. And yes, for those specialists that did keep on reading, reality is probably more complex, because a risk is not just one impact and a single likelihood. There are many potential statistics behind it. That is why risk assessments are intended for setting priorities, not for calculating the risk exposure. That's a completely different story.