I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and what inherent risk represented in that particular scenario.
They could not get comfortable with the current state of their control environment without having a firm grasp on the assessed inherent risk for that scenario. This stemmed from their experience in conducting risk assessments where the first step is to identify the inherent risk, then factor in controls to arrive at residual risk.
Here are the standard definitions of the two concepts:
- Inherent risk represents the amount of risk that exists in the absence of controls.
- Residual risk is the amount of risk that remains after controls are accounted for.
Sounds straightforward. But these two terms seem to fall apart when put into practice.
Applying the above definitions to the clients’ scenario uncovered the fact that the “inherent” risk being described was not a “no controls“ environment, but rather, one that only excluded some controls.
The flaw with inherent risk is that in most cases, when used in practice, it does not explicitly consider which controls are being included or excluded.
A truly inherent risk state, in our example, would assume no employee background checks or interviews are conducted and that no locks exist on any doors. This could lead to almost any risk scenario being evaluated as inherently high. Treating inherent risk therefore can be quite arbitrary.
According to Jack Jones, author of Measuring and Managing Information Risk: A FAIR Approach and creator of the FAIR model, much more realistic and useful definitions would be
- Inherent risk is current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.
- Residual risk would then be whatever risk level remain after additional controls are applied.
How FAIR can help
Applying the FAIR model to risk analyses, such as the scenario described above, can help rid the ambiguity around the “no controls” notion of inherent risk by focusing on explicitly identifying and evaluating key controls in the current state environment.
Specifically, when measuring the current level of risk for a given scenario, controls are factored into either the frequency or magnitude side of the model based on their nature (avoidance, deterrent, response, etc.). Doing so allows you to be more intentional about the controls that you chose to include or exclude from your analysis, and ultimately identify which controls appear to have the greatest effect on the loss scenario.
Learn more in Jack’s blog post Using the FAIR Model to Measure Inherent Risk.