Inherent Risk vs Residual Risk Explained with Examples

Editorial Team

Inherent Risk vs Residual Risk PMP

What is Risk?

Risk management is one of the most crucial processes that ought to be done in an organization or company. It could be defined as the method of recognising, evaluating, and managing risks to the organization’s resources and profits. The risks may come from various aspects which include financial insecurity, strategic management mistakes, regulatory liability, incidents, and even natural hazards. Failure in managing risks within an organization will make it difficult for the organization to determine its long-term goals. Establishing objectives without properly considering the risks will also hinder the operations once the unforeseen risks manifest themselves.

In studying and managing risks, managers should be aware that various types of risks may exist in operations. In this article, we will look closer into two of the most common risks, namely inherent risk and residual risk. These two types of risks are correlated with each other and should be managed well in the organization.

Inherent Risk Definition

Inherent risk refers to the amount of risks that exist within the operations without implementing the controls and restrictions. In simpler words, inherent risks usually occur when there is no control for the operations. It is the threats that naturally exist before there is any effort to solve them hence it poses impact on the development of recovery strategy for the said risks.

In terms of the finance sector, inherent risk refers to the risk faced by a financial reporting mistake or omission due to causes other than a lack of internal control. As for financial auditing, inherent risk is bound to emerge when contracts are complicated or where financial forecasts require a lot of analysis and discretion. The inherent risk could be considered the worst-case scenario since it depicts the failure of all internal processes. The risk of financial misstatement due to mistakes in transactions or fraud is considered as inherent risk in financing. These misstatements or errors may exist in the financial statements or any other reports that come along with the statements. These risks may be evaluated or assessed by outside auditors.

What is Inherent Risk?

As explained earlier, inherent risk refers to raw risk, which has not been mitigated with any processes to reduce or treat them. It is the existing risk before an organization decides to apply risk reduction controls or methods over them. The other definition states that inherent risk is the amount of risk at the current level of controls, no matter how inefficient they are, instead of no existing controls at all. For both definitions, we could say that inherent risk is the risk that exists within the organization before improvements are made to reduce or overcome the risk foreseen.

Inherent risk is only determined after the organization’s goals and objectives have been established and the hurdles that may obstruct the organization from achieving the goals have been identified. Apart from determining the effects the risk may bring to the organization, managers should also consider identifying the origin and cause of the risks either they originated from errors done or from natural causes. This will bring more understanding of the risk’s characteristics and source thus will assist in lowering the probability of occurrence.

Inherent Risk Examples

It is not quite easy to pinpoint the specific inherent risk within the operation since the range could be wide and varies. A simple example would be entrance security for a place. The inherent risk could be as simple as not adding a door, password, having a security guard, and so forth.

In terms of the business sector, inherent risk concerns the risks that may exist in relation to the specific recovery strategy for a specific business unit. For example, what are the risks that may exist before changes or improvements are made for the organization’s call center? They may be facing downtime or high trafficking. Lack of qualified and experienced staff for the sector could also pose risks. All of the inherent risks are coloured by the existing realities before attempts for fixing or treatment were done for the operations and systems.

There are many types of risk associated with auditing and inherent risk is considered to be one of the riskiest threats and it is not easily eliminated by adding more number of auditor or safeguards in the process. However, it is still fundamental to be addressed when analysing the organization financial statements.

One of the examples of inherent risk that may exist in an organization is the inability of a certain process to adapt and evolve to keep up with new changes. It is important for each sector to be able to adapt to innovation and be improved on to keep up with new products and technology introduced. Failure in keeping up will make the operations being left behind and not being able to compete and perform as well as other operations or organizations of a similar field.

The other example of inherent risk that may exist in the financing sector is the raw financial statements which have not been audited. The inherent risk may exist due to errors that might happen or any malicious attempt for fraud or biasness from any party. The other examples of risks that may exist in financing are miscalculations, non-compliant with regulations, and many more. Hence, any statements released from the sector must go through auditing to reduce the inherent risk that may circulate it.

Inherent Risk Recovery

Managers should be aware and prepared for the inherent impact and likelihood. This refers to the impact that may affect the operations if the inherent risk were to happen and no precautions and controls were established to address them. Hence, they should come up with an effective recovery plan. There are two aspects that should be considered when a recovery plan for inherent risk is established:

The recovery time

For this aspect, it is crucial to figure out in advance how long will it take for the operation to fully recover before it could operate again whenever interruption or errors occur. It may take hours, days, weeks, or even longer depending on the cruciality of the operational systems and the efficiency of the recovery plan. In short, this factor is the metric in regards to determine how critical the business operation running in the organization.

The threat environment

Threat environment refers to the multiple kinds of threats that may exist within a certain business unit in association with the recovery strategy that has been created. Threats could be in terms of the geographical factors to even the utilization of technology in the organization. For the geographical factor, a certain location may pose a higher threat or risk to the business. On the other hand, for technology, if an organization relies on a higher number of technology, they may face complexity in handling them.

Residual Risk Definition

Residual risk refers to the amount of risks that are left after efforts to eradicate the risks have been done.

Whenever the management team has identified the raw risks or inherent risks of certain operations or processes, countermeasures may be taken to treat the risks said. However, not all risks could be simply eradicated completely. The risks that remain even after the controls the mitigated are known as residual risks.

The residual impact could be defined as the effects the residual risks bring towards the business. As for residual likelihood, it could be defined as the possibility of the occurrence if the residual risk were to arise.

What is Residual Risk?

In risk management, there are several ways to overcome the risks that may be present in the business operations. The risks could be managed either by avoiding, reducing, transferring, or accepting. Just as the name suggests, risk avoidance is when the team decided to go for another way and avoid performing process that may be exposed to a certain risk altogether. Risk reduction, on the other hand, is when solutions were done to lower the level of risk of a certain operation. Risk transfer is when the risk is shifted to another party or team. Last but not least, risk acceptance is when the management is aware of a certain risk but decided not to invest in solving the risk.

Despite all of these efforts in handling risks, it is still difficult or impossible to completely eradicate all risks that exist. The risks that remain after the control’s mitigation were done are known as residual risks.

Residual Risk Recovery

When considering to treat risks in an organization, several factors may affect your decision and efforts in doing so. Here are two examples of factors that may be related to the process of eliminating risks.

Risk tolerance

Different teams or management may establish different levels of risk tolerance. This may vary depending on the criticality of the recovery plan or how important the process is. For example, an operation which contributes more than half of the business profit at a time may have a huge impact if an error occurs, hence the risk tolerance for this operation must be low. If errors were to occur at two different sectors or processes, one of them may possess higher risk tolerance hence the lower risk tolerance should be attended to first. The judgement on these decisions may be up to the management and the cruciality of the operations involved.

The condition of countermeasures

Before implementation for improvement was done to overcome the risks, it is important to check the condition and quality of the countermeasures for the risks. This may include the analysis of the business impact, the recovery plan and strategies, the recovery team, training, and so forth. All of these are crucial to ensure the success of the risk treatment and avoid the risks from worsening instead. If the aspects of risk treatment are of poor quality, it may bring more harm to the operations instead of recovering them.

Residual Risk Examples

As mentioned before, there are several ways to manage risks. Let’s look at several examples of residual risks after the risk management has been implemented.

For risk avoidance, it is safe to say that we could completely avoid facing the risks of a certain initial operation at the moment. However, the residual risk that may remain is that there is no countermeasure plan to overcome that issue if the same risk were to be faced again in the future.

As for risk reduction, while a certain implementation such as technology may be able to reduce the risk of certain operations, we cannot completely eliminate the risks of errors that may happen due to human errors or if downtime were to occur.

The most common example for risk transfer is by purchasing insurance. If a bad scenario were to occur, the loss could be shifted to the insurance party instead. However, this only lasts well only if the insurance company itself is in good condition. If a worse scenario were to happen to the third party (eg. bankruptcy) the loss may revert back to us. This is the residual risk from this example.

Lastly, for risk acceptance, since no efforts are done to treat the risk, the whole risk that exists within the operation is considered as residual risks.

Inherent Risk vs Residual Risk and How to Assess them

After learning about all those explanations on inherent risk and residual risk we could conclude that inherent risk and residual risk are related to each other. Inherent risk refers to the raw existing risk without the attempt to fix it yet. Residual risk, on the other hand, refers to the excess risk that may still exist after controls have been done to treat the inherent risk earlier.

Regardless, some steps could be followed to assess and control risks within an operation.

  • Establish the response towards risk

Firstly, it is important to come up with the response that should be taken if a risk were to arise. This could be considered in terms of risk likelihood and risk impact, the seriousness it may bring towards the operation and business itself. The risk will then be managed after analysis has been thoroughly done.

  • Establish the risk controls

Risk controls are done to solve the risks, commonly implementation of risk reduction. In most cases, risk control requires an additional procedure in the business operation to lower the risks and may be affected by cost as well.

  • Experimenting controls

Experimentation is fundamental to assess either the established risk controls are effective as the solution for the said risks. It may or may not perfectly eliminate the risk but as long as the risk could be lowered to a certain tolerable level, that should suffice.

  • Reparation

All of the corrective or reparation actions that were done while treating risks should be recorded. This could bring information for more improvement or for future references if the same threats were to occur again.