I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and the inherent risk definition for that particular scenario.
They could not get comfortable with the current state of their control environment without having a firm grasp on what the inherent risk assessed for that scenario actually was. This stemmed from their experience in conducting risk assessments where the first step is to identify the inherent risk, then factor in controls to arrive at residual risk.
Author Rachel Slabotsky is Vice President, Professional Services, for RiskLens, the technical adviser to the FAIR Institute.
Here are the standard definitions of inherent and residual risk:
- Inherent risk represents the amount of risk that exists in the absence of controls.
- Residual risk is the amount of risk that remains after controls are accounted for.
Sounds straightforward. But these two terms seem to fall apart when put into practice.
Applying the above definitions to the clients’ scenario uncovered the fact that the “inherent” risk being described was not a “no controls” environment, but rather one that only excluded some controls.
The flaw with inherent risk is that, in most cases when it is used in practice, it does not explicitly state which controls are being included or excluded.
A truly inherent risk state, in our example, would assume no employee background checks or interviews are conducted and that no locks exist on any doors. This could lead to almost any risk scenario being evaluated as inherently high. Treating inherent risk this way can therefore be quite arbitrary.
According to Jack Jones, author of Measuring and Managing Information Risk: A FAIR Approach and creator of the FAIR model, much more realistic and useful definitions would be:
- Inherent risk is the current risk level given the existing set of controls, rather than the hypothetical notion of an absence of any controls.
- Residual risk would then be whatever risk level remains after additional controls are applied.
How the FAIR model can help
Applying the FAIR model to risk analyses, such as the scenario described above, can help rid the ambiguity around the “no controls” notion of inherent risk by focusing on explicitly identifying and evaluating key controls in the current state environment.
Specifically, when measuring the current level of risk for a given scenario, controls are factored into either the frequency or the magnitude side of the model based on their nature (avoidance, deterrent, response, etc.). Doing so allows you to be more intentional about the controls that you choose to include or exclude from your analysis, and ultimately to identify which controls appear to have the greatest effect on the loss scenario.
Update: An Alternate View of Inherent Risk from Jack Jones
In the blog post A Solution for Measuring Inherent Risk, FAIR model creator Jack Jones wrote that “current risk” is indeed a useful way of treating inherent risk, but that “the standard ‘no controls at all’ definition of inherent risk is firmly ensconced in our profession’s psyche,” and called for a solution.
Jack took as an example the analysis of a ransomware scenario. For the magnitude side of the analysis, using a “Non-FAIR” approach that assumes a lack of any controls results in a loss magnitude of 100% of the business value; in other words, the business fails. For a “FAIR” approach, an analyst could simply add the worst-case loss magnitude values from the different forms of loss in a ransomware scenario. For the probability side of the analysis, the probability of a ransomware event in the next 12 months could reasonably be set at 100%, given the rampant ransomware attacks these days.
The inherent risk would therefore be 100% of the value of the company, or 100% of the sum of the worst-case loss magnitude values. “Either way, we now have a way to measure inherent risk that is defensible and at least mostly aligns with the ‘no controls’ definition of inherent risk,” Jack wrote.
Stay tuned. Jack’s introduction of the FAIR Controls Analytics Model (FAIR-CAM™) sets the stage for quantification of the effectiveness of controls in reducing risk, meaning a reliable way to derive residual risk.
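To make the two ideas above concrete, the following is an added worked example (not code from the FAIR Institute, RiskLens, or Jack Jones). It models the approach described in the “How the FAIR model can help” section, where each control is assigned to either the frequency or the magnitude side of the analysis, and Jack’s “no controls” inherent-risk calculation, where the probability of an event in the next 12 months is set to 100% and the magnitude is the sum of the worst-case loss values. Everything here is an assumption for illustration: the control names and their reduction percentages, the worst-case loss figures, the mapping of “100% probability” to a base frequency of one loss event per year, and the simple multiplicative way independent controls are combined. FAIR itself does not prescribe that combination rule (that is what FAIR-CAM addresses).

```python
"""Inherent, current and residual risk in a FAIR-style frequency x magnitude model.

Constructed example. Control names, reduction fractions and loss figures are
assumptions chosen for illustration, not data from any real analysis.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    name: str
    side: str          # "frequency" (avoidance, deterrent, ...) or "magnitude" (response, recovery)
    reduction: float   # fraction of frequency or magnitude the control removes, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if self.side not in ("frequency", "magnitude"):
            raise ValueError(f"unknown control side: {self.side!r}")
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must lie between 0 and 1")


@dataclass(frozen=True)
class Scenario:
    name: str
    base_frequency: float                 # loss events per year with no controls at all
    worst_case_losses: Dict[str, float]   # form of loss -> worst-case magnitude (currency units)


def _combined_factor(controls: List[Control], side: str) -> float:
    """Assumption: independent controls on one side combine multiplicatively."""
    factor = 1.0
    for c in controls:
        if c.side == side:
            factor *= 1.0 - c.reduction
    return factor


def loss_event_frequency(scenario: Scenario, controls: List[Control]) -> float:
    return scenario.base_frequency * _combined_factor(controls, "frequency")


def loss_magnitude(scenario: Scenario, controls: List[Control]) -> float:
    # Jack's "FAIR" inherent magnitude: the sum of the worst-case values per form of loss.
    worst_case_total = sum(scenario.worst_case_losses.values())
    return worst_case_total * _combined_factor(controls, "magnitude")


def annualized_risk(scenario: Scenario, controls: List[Control]) -> float:
    return loss_event_frequency(scenario, controls) * loss_magnitude(scenario, controls)


def inherent_risk(scenario: Scenario) -> float:
    """'No controls' inherent risk: base frequency times the worst-case magnitude."""
    return annualized_risk(scenario, [])


def control_contributions(scenario: Scenario, controls: List[Control]) -> Dict[str, float]:
    """How much risk each control is currently removing: risk without it minus risk with it.

    This is the 'which controls have the greatest effect' question from the text.
    """
    with_all = annualized_risk(scenario, controls)
    return {
        c.name: annualized_risk(scenario, [o for o in controls if o is not c]) - with_all
        for c in controls
    }


# --- constructed sample scenario -------------------------------------------------
RANSOMWARE = Scenario(
    name="Ransomware on file servers",
    base_frequency=1.0,   # assumption: "100% probability in the next 12 months" -> 1 event/year
    worst_case_losses={   # assumption: worst-case value per FAIR form of loss
        "productivity": 400_000.0,
        "response": 150_000.0,
        "replacement": 250_000.0,
        "fines_and_judgments": 200_000.0,
    },
)

# Controls assumed to exist today (the "current risk" state).
CURRENT_CONTROLS = [
    Control("Email filtering", "frequency", 0.50),
    Control("Endpoint protection", "frequency", 0.40),
    Control("Offline backups", "magnitude", 0.60),
]

# An additional control under consideration; risk after adding it is the residual risk.
PROPOSED_CONTROLS = CURRENT_CONTROLS + [
    Control("Rehearsed recovery runbook", "magnitude", 0.50),
]

if __name__ == "__main__":
    print(f"Inherent risk (no controls): {inherent_risk(RANSOMWARE):>12,.0f}")
    print(f"Current risk (existing):     {annualized_risk(RANSOMWARE, CURRENT_CONTROLS):>12,.0f}")
    print(f"Residual risk (proposed):    {annualized_risk(RANSOMWARE, PROPOSED_CONTROLS):>12,.0f}")
    for name, removed in sorted(control_contributions(RANSOMWARE, CURRENT_CONTROLS).items(),
                                key=lambda kv: -kv[1]):
        print(f"  {name:<28} removes {removed:>10,.0f} per year")
```

With these constructed numbers the inherent risk is the full 1,000,000 worst-case sum, the current state is 120,000, and the residual after the proposed control is 60,000. The contribution breakdown shows the offline backups doing the most work, which is the kind of finding the text says explicit control modelling makes visible; change any reduction fraction and the ranking can flip, which is exactly why the assumptions should be written down rather than hidden inside an “inherent” score.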