What is Inherent Risk in Risk Management?


Table of contents

Everything an organization does poses some level of risk. Inherent risk is risk in its rawest form, before any measures are taken to mitigate, control, or exploit it. Organizations that operate with a clear-eyed view of the inherent risk they face will be better prepared to address evolving market dynamics, turn risk into a strategic advantage, and strengthen operational resilience.

In this article, we’ll take a deep dive into the concept of inherent risk, including how to identify, measure, and manage it.

Defining inherent risk

Inherent risk is the level of untreated risk that an organization faces, defined as the magnitude of risk in the absence of any risk controls or mitigants. 

Inherent risk can be difficult to conceptualize because it’s challenging to envision a scenario with absolutely no risk controls ― most organizations have some level of controls already in place, and new organizations tend to set at least some up quickly. The FAIR Institute uses an alternative definition that takes this into consideration: “Inherent risk is the current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.” 

In other words, inherent risk can be defined as the current state of your organization’s risk exposure before any additional controls are put in place.

Inherent risk vs. residual risk

Inherent risk is best understood when considered alongside another related concept: residual risk. After identifying your inherent risk and introducing mitigating controls or processes, your organization's exposure to that risk is reduced. Any risk that remains after controls have been implemented — and there will almost always be at least some — is known as residual risk. This residual risk, when measured against your organization’s risk appetite and risk thresholds, helps guide future risk management planning and investment.

What factors determine inherent risk?

Every business is different, and each faces different types of and levels of inherent risk. Here are a few of the things that determine your organization’s inherent risk exposure:

Type of business

Some organizations operate in industries or engage in business activities that carry higher levels of risk than others. An energy utility operating multiple nuclear power plants that is responsible for the uninterrupted flow of electricity to commercial and residential customers and ensuring catastrophic accidents do not occur faces significantly more inherent risk than a local coffee shop chain, for instance.

Technology usage and data processing

More organizations are relying on data and technology to fuel their operations than ever before. Handling that data — which can often be of a sensitive or personal nature — responsibly and protecting it from data breaches or other cybersecurity threats is a risk any business must navigate. This is especially true as more of business shifts online and the technology used to conduct it introduces more vectors for threat actors to infiltrate networks.

Complexity level

The more moving parts your organization has, the higher your inherent risk levels will be. Organizations that rely on complex processes and procedures to conduct operations run a great risk that human error will cause part of those processes to fail.

Ineffective, inefficient, or unethical management

Similarly to the risks posed by increased complexity, if the people who manage those processes are detached from the frontlines of your business, incompetent in their role, or engaging in unethical behavior, things can easily begin to unravel, introducing even more risk to your business.

How to measure inherent risk 

Inherent risk is measured using two criteria ― impact and likelihood. 

Inherent impact is the impact that an event would have on an organization should it occur and is measured in terms of magnitude, from the negligible to the extreme. 

Inherent likelihood speaks to the probability of the risk occurring in the absence of controls. 

These two criteria are multiplied to generate an inherent risk score. Let’s break this down further using an example. If you were to identify the inherent risk of a cybersecurity breach for your organization, you would consider the likelihood of a breach occurring and multiply it by the potential impact on the business, taking into account financial, regulatory, and reputational implications, in order to produce an inherent risk score. 

An inherent risk score is useful in three contexts―it is essential to calculate residual risk scores, it provides a necessary metric for audit and compliance, and it supports the allocation of risk management resources.

Inherent Risk Scoring

Defining inherent risk and understanding where your organization’s inherent risks exist is an important exercise, but the concept is most useful when measured in relation to residual risk. These practices, known as inherent and residual risk scoring, are important processes for gauging the efficacy and strength of your organization’s controls.

To calculate inherent risk scores, multiply the expected impact of the inherent risk with the likelihood of that event occurring. Traditional qualitative risk assessment methods can be used to do this, but more modern risk quantification methods will provide a more accurate result.

Once you have identified an inherent risk and identified its impact and likelihood of occurrence, you can implement the appropriate controls to mitigate it. Controls can not entirely eliminate the threat that inherent risk could generate a risk event, but they can reduce the probability of that happening, which reduces your overall risk exposure. The remaining risk is your residual risk. 

To calculate a residual risk score, follow the same process, but calculate the likelihood of the risk event occurring taking the effectiveness of the controls you put in place into consideration. Residual risk scores should be lower than inherent risk scores and, in a successful risk management environment, it will also be lower than the company’s identified risk tolerance.

Inherent and residual risk assessments typically analyze the risks inherent in a given business line or process, the impact and efficacy of the mitigating controls, and the resulting residual risk exposure to the organization. These processes are critical to auditing. Additionally, monitoring residual risk is mandated by many standards frameworks, such ISO 27001, a widely-adopted global standard for managing information security. 

Inherent and residual risk scoring also provides a standard approach to risk assessment that allows for a more efficient allocation of capital. If every risk―strategic, operational, financial, and macroeconomic―is scored and ranked, organizations can prioritize investment in controls that will reduce residual risk to an acceptable level for the organization.

How to manage inherent risk

Now that we’ve defined inherent risk and understand its relationship to residual risk, let’s talk about how to go about managing your inherent risk. 

Identify your inherent risks

You can’t begin to manage and mitigate your organization’s inherent risks if you don’t know which ones you’re facing. That’s why the first step in managing inherent risk is to map out your organization’s entire risk landscape.

Try to be as comprehensive as possible here, so that you’re able to paint as complete a picture as possible of all of the risks your organization might face. Some of these risks will immediately be recognized as the most severe, while others will be less of a priority, but it’s still important to know where all your risks exist. Having the right technology to collect all of this information and store it in one place is important. Leaving it all strewn about a mess of spreadsheets or in a collection of emails in your inbox is a recipe for missing risks. 

Modern GRC technology like LogicGate Risk Cloudis designed to make it easy to collect, centralize, and communicate your inherent risk profile.

Assess and prioritize your inherent risk

Next, you’ll want to get a handle on which of your inherent risks poses the biggest threat to your operations. You can use the risk scoring and risk quantification approach detailed above to tie each of your inherent risks to their business impact, then you can rank them in order of severity to begin prioritizing your mitigation efforts.

Once you’ve put the appropriate controls in place for all of your inherent risks, you can conduct this exercise again for the remaining residual risk.

Mitigate inherent risk

With your inherent risk assessment in hand, you can start to apply controls and other mitigation measures across your organization. Here are a few ways you can handle inherent risk:

Accept the risk: If the risk falls within your organization’s risk tolerance, you can simply accept it as part of normal operations and do nothing or very little about it.

Avoid the risk: You can avoid some risks entirely by simply choosing not to engage in activities that would expose you to that risk. The trade off here is that you’ll also be forfeiting any benefits that those activities would bring.

Reduce the risk: This strategy involves using various controls and other mitigation methods to reduce a risk’s impact or likelihood of occurring while still allowing you to reap the benefits of the activities that carry the risk.

Transfer the risk: Another way to enable your organization to conduct activities that expose you to risk is to transfer the impact to a third party. Most commonly, this takes the form of insurance.

Communicate the results

Don’t let the results of your inherent risk assessment and mitigation efforts sit on the shelf once you’re finished: Communicate it out to the wider organization so the insights can be put to good use. Distribute this information at all levels as is appropriate, from frontline employees all the way up to the C-suite and board of directors.

Inherent risk management best practices

As with any governance, risk, and compliance activity, there are certain things you can do to improve the chances that your efforts to manage inherent and residual risk will succeed. Here are a few best practices to keep in mind:

Understand Your Risk Profile

Understanding your risk profile and identifying inherent risks requires an enterprise-wide effort. Sharing the magnitude of inherent risks and potential gaps in controls requires trust, honesty, and transparency. To be effective, the exercise should be undertaken as a collective effort with the shared aim of protecting the firm, its employees, customers, and assets. 

Build a collective understanding

Aligning on impact is important to developing a shared and consistent perspective of a firm’s risks. As each department will have its own priorities and perspectives on what they perceive as a major risk, they should work from a common firm-wide understanding when assessing the inherent impact of a risk. 

For example, Human Resources may assign high impact to achieve compliance with labor laws and regulations while the IT department may tag the risk of a breach as a major risk. However, from a firmwide framework, one event may have less impact than the other. A collective understanding will help provide a clear assignment of impact and act as a useful tool for future investment in controls. 

Iterate the Process

The assessment of inherent and residual risks requires iteration, both as the firm grows and risks develop. Revisiting your assumptions periodically is good practice and will help refine your risk management assumptions and inform your processes. Having flexible and shared tools to manage this process can reduce the time spent on this exercise and develop better insights.

Inherent risk in auditing

In accounting and audit management, inherent risk carries a different meaning that’s worth mentioning here. In that context, it’s the risk that an error or misstatement could appear in a company’s financial documents or statements due to a reason other than a failure of internal controls. This type of risk is leveraged in conjunction with two other types of risk — control risk and detection risk — to determine audit risk, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated.

Leveraging GRC technology for inherent risk management

Inherent risk is an unavoidable part of doing business, and having an effective process for identifying, assessing, and mitigating it is a must for every organization. Modern GRC technology, like LogicGate Risk Cloud, offers risk and compliance teams a way to house all of their inherent risk data, assessments, and controls under one roof, so inherent risk assessments can be conducted on a regular basis without fear of missing a major risk.

Schedule a demo today to learn more about how Risk Cloud can help you improve your inherent risk management processes.

Further Reading

GRC Insights Delivered to your Inbox