In this installment of ERM Back to Basics, I will try to explain the difference between inherent and residual risk and why the distinction matters. This is often the most confusing concept I come across when helping companies identify risks as part of their baseline ERM program.
Inherent risk can be defined as the amount of risk present in an activity before any controls are applied. In other words, if I walk onto a construction site with no controls in place, I could easily be injured, so I would say that the inherent risk to me at a construction site is high. Inherent risk can also be viewed as pre-control risk.
Residual risk can be defined as the amount of risk that remains after controls have been applied. In other words, once I put on a hardhat, have I reduced my risk to an acceptable level? I might say yes, but I’m willing to bet the construction supervisor would say no. He would expect me to also wear safety glasses and work boots, and perhaps to have attended some safety classes. Residual risk can also be viewed as post-control risk.
Why is this important? Knowing both the inherent and the residual risk allows us to focus our attention on the risks that matter most, and then to discuss control activities with those risks in mind. Not only might we need more controls, as in the construction site example, but there may also be areas in which we have too many controls for the risk they address.
I confess that the concept of “absent controls” is a hard concept to grasp. There is certainly a movement within the ERM community to consider the controls already in place first and then determine whether the risk has been sufficiently reduced. When deciding which ERM program and framework best fit your company, understanding the corporate culture will go a long way toward determining whether the program succeeds.
Regardless of which method you use to measure risk, understanding the risks that may impact the strategic objectives of the company is paramount to the company’s success. For companies just starting on their ERM journey, inherent and residual risk are concepts worth exploring. Companies that already have a mature and robust reporting and monitoring process, and that have ingrained a risk-thinking mindset into every area of the business, may be ready to evolve to a different way of thinking about risks, inherently or residually.
Inherent and residual risk concepts are essential for establishing a baseline risk view of a company; however, the value that ERM brings to an organization comes through an ongoing partnership, not a periodic review.
An outside consultant can help you identify the risks to achieving your strategic objectives. Some risks are quite obvious, while others are not. An outside risk consultant takes their experience with similar businesses and translates it to your situation, drawing on established best practices.
Stay safe. Let me know if there are other ERM concepts that you would like me to cover in upcoming articles.