GRC 101: Inherent Risk

LogicGate | June 15, 2021

Inherent risk is a recognition that everything an organization does poses some level of risk. Organizations that operate with a clear-eyed view of what risks they face are better prepared to address evolving market dynamics, use risk as a strategic advantage, and build resilience. 

Defining Inherent Risk

Inherent risk is the level of untreated risk that an organization faces. It is defined as the magnitude of risk in the absence of any risk controls or mitigants. Inherent risk is difficult to conceptualize because it’s challenging to envision a scenario with absolutely no risk controls―most organizations have some level of controls already in place. To help clarify things, the FAIR Institute has proposed an alternate definition for inherent risk as “the current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.” 

Regardless of which definition is used, inherent risk is best understood when considered with residual risk. After identifying an inherent risk and introducing mitigating controls or processes, an organization is subject to a reduced level of risk. The risk remaining after controls have been enacted is called residual risk. This residual risk, when measured against your organization’s risk appetite and risk thresholds, will help guide future planning and investment. 

Measuring Inherent Risk

Inherent risk is measured using two criteria―impact and likelihood. 

  • Inherent impact is the impact that an event would have on an organization should it occur and is measured in terms of magnitude, from the negligible to the extreme. 
  • Inherent likelihood speaks to the probability of the risk occurring in the absence of controls. 

These two criteria are multiplied to come up with an inherent risk score. Let’s break this down further using an example. If you were to identify the inherent risk of a cybersecurity breach for your organization, you would consider the likelihood of a breach occurring and multiply it by the potential impact on the business, taking into account financial, regulatory, and reputational implications, in order to generate an inherent risk score. 

An inherent risk score is useful in three contexts―it is essential to calculate residual risk scores, it provides a necessary metric for audit and compliance, and it supports the allocation of risk management resources. 


Utility of Inherent Risk Scoring

Defining inherent risk is an important conceptual exercise, but its practical value comes from its relationship to residual risk. Comparing the two scores is how an organization gauges the efficacy and strength of its controls: the gap between inherent and residual risk is the risk reduction the controls actually buy. 

Controls reduce risk along either axis. Preventive controls (multi-factor authentication, input validation, segregation of duties) reduce the likelihood of an event occurring; detective and corrective controls (monitoring, tested backups, an incident response plan, insurance) reduce the impact when it does occur. Once you have identified an inherent risk and scored its impact and likelihood, you select controls and re-score: the residual risk score is the residual impact multiplied by the residual likelihood, with both values reflecting the controls now in place. Two caveats apply. The residual score can never be lower than the scale's minimum on each axis, because no control makes an event impossible or consequence-free. And the residual score should be lower than the inherent score; if it is not, the controls are ineffective or the inherent scoring was wrong. In a successful risk management environment the residual score is also at or below the organization's stated risk tolerance; a residual score above tolerance is the signal to invest in further controls or to formally accept the risk.

Inherent and residual risk scoring is essential to the audit process. Assessments typically analyze the risks inherent in a given business line or process, the design and operating effectiveness of the mitigating controls, and the resulting residual risk exposure to the organization. ISO/IEC 27001, the international standard for information security management systems, makes this explicit: its risk treatment requirements call for risk owners to approve the risk treatment plan and to formally accept the residual information security risks, and the standard's monitoring and review clauses expect those risks to be reassessed over time. 

Inherent risk scoring also provides a standard, firmwide approach to risk assessment that allows for a more efficient allocation of capital. If every risk―strategic, operational, financial, and macroeconomic―is scored and ranked, organizations can prioritize investment in controls that will reduce residual risk to an acceptable level for the organization. 
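The scoring described in the preceding sections (inherent score as impact times likelihood, controls that lower likelihood or impact, residual score compared against a tolerance, and a firmwide ranking) is shown below as a small risk-register script. This is an added example written for this page, not LogicGate's or Risk Cloud's code; the 1 to 5 scales, the control names, the register entries and the tolerance value of 8 are all constructed for illustration.

```python
"""Added example (not LogicGate's code): scoring and ranking a small risk register.

Inherent score = inherent impact x inherent likelihood on 1..5 scales.
Controls remove levels from likelihood (preventive) and/or impact
(detective/corrective). Residual score = residual impact x residual
likelihood, floored at 1 on each axis, then compared to a tolerance.
All register entries, controls and the tolerance are constructed here.
"""
from dataclasses import dataclass, field

# Five-level magnitude scale assumed for both axes (an assumption, not a standard).
LEVELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "extreme"}


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # levels removed from likelihood (preventive)
    impact_reduction: int = 0      # levels removed from impact (corrective/recovery)


@dataclass
class Risk:
    name: str
    inherent_likelihood: int
    inherent_impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.inherent_likelihood, self.inherent_impact):
            if value not in LEVELS:
                raise ValueError(f"score {value} is outside the 1..5 scale")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_likelihood(self) -> int:
        drop = sum(c.likelihood_reduction for c in self.controls)
        # Floor at 1: controls make an event less likely, never impossible.
        return max(1, self.inherent_likelihood - drop)

    @property
    def residual_impact(self) -> int:
        drop = sum(c.impact_reduction for c in self.controls)
        # Floor at 1: recovery controls limit damage, never eliminate it.
        return max(1, self.inherent_impact - drop)

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rank_register(risks, tolerance):
    """Return rows (risk, inherent, residual, within_tolerance), highest residual first.

    Sorting is stable, so risks with equal residual scores keep register order.
    """
    rows = [
        (r, r.inherent_score, r.residual_score, r.residual_score <= tolerance)
        for r in risks
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def build_sample_register():
    """Constructed register: three risks with different control coverage."""
    mfa = Control("MFA on all remote access", likelihood_reduction=2)
    backups = Control("Tested offline backups", impact_reduction=2)
    edr = Control("EDR with 24x7 monitoring", likelihood_reduction=1, impact_reduction=1)
    hr_audit = Control("Annual HR compliance audit", likelihood_reduction=1)
    return [
        Risk("Ransomware via phished credentials", 5, 5, [mfa, backups, edr]),
        Risk("Payroll vendor outage", 3, 3, []),  # no controls: residual == inherent
        Risk("Labour-law reporting lapse", 2, 4, [hr_audit]),
    ]


if __name__ == "__main__":
    TOLERANCE = 8  # constructed risk tolerance on the 1..25 score scale
    for risk, inherent, residual, ok in rank_register(build_sample_register(), TOLERANCE):
        flag = "within tolerance" if ok else "ABOVE TOLERANCE"
        print(f"{risk.name:<38} inherent={inherent:>2} residual={residual:>2}  {flag}")
```

Run as a script, the register is printed highest residual first: the uncontrolled payroll outage (inherent 9, residual 9) lands above tolerance and at the top of the investment queue, while the ransomware risk, despite the highest inherent score (25), has been brought to 4 by controls on both axes. That reordering between inherent and residual rank is the point of scoring both.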

Identifying Inherent Risk

Understanding and identifying inherent risk is critical for any enterprise risk management effort. Uncovering and quantifying risks across the firm requires an organization-wide effort. 

  1. Understand Your Risk Profile: Identifying inherent risks means surfacing the magnitude of each risk and any gaps in the controls around it, which requires trust, honesty, and transparency from the people closest to the process. To be effective, the exercise should be undertaken as a collective effort with the shared aim of protecting the firm, its employees, customers, and assets. 
  2. Build a Collective Understanding: Aligning on impact is important to developing a shared and consistent perspective of a firm's risks. Each department has its own priorities and its own view of what counts as a major risk, so all of them should score inherent impact against a common firmwide scale. For example, Human Resources may rate a lapse in labour-law compliance as high impact while the IT department rates a breach as a major risk; on a firmwide scale, one of these events may have materially less impact than the other. A collective understanding yields a consistent assignment of impact and a useful basis for future investment in controls. 
  3. Iterate the Process: The assessment of inherent and residual risks requires iteration, both as the firm grows and as risks develop. Revisiting your assumptions periodically is good practice; it refines your risk management assumptions and informs your processes. Flexible, shared tooling for this process reduces the time spent on the exercise and produces better insights.

LogicGate’s Enterprise Risk Management Solution

As your organization grows, your risk management and security needs evolve too. LogicGate’s Risk Cloud provides a flexible platform where you can easily communicate your company’s risk framework, safeguard your information assets, and comply with industry standards, so you can maintain your organization’s reputation and protect your company, employees, clients, and customers. 

