
Prioritising Risks - Inherent Versus Residual

Pieter-Louw van der Ahee

We are often asked about the difference between inherent and residual risk ratings within the risk management process, and why this “academic” distinction is important to anyone other than a risk management practitioner or an internal auditor.
 
Before we answer these questions, let us briefly consider the process of prioritising risks. Once identified, risks need to be prioritised somehow. Practically, we all ask the same two questions in our everyday lives when assessing two different risks: Firstly, what is the likelihood of each occurring or materialising?  And, secondly, if the risk were to occur, what is the potential impact on me, my business process and/or my organisation? Combining these two factors then results in a prioritisation. This enables us to plan our day accordingly. 
 
So, the risk management process, because it mirrors real life, prioritises identified risks using standardised definitions and ratings associated with the impact and the likelihood of each risk.
 
Risks in the first instance must always be prioritised from an inherent perspective, i.e. given my organisation, my industry and my environment, what is the likelihood of this risk occurring, and what is the impact were it to occur?  It is important that the inherent rating is performed before taking any existing actions into account, i.e. if we were to do nothing, what is the impact and likelihood of the risk? 
 
The next step in the risk management process is to identify the current actions that are in place to mitigate the risk. Thereafter, the same risk is rated from a residual perspective, i.e. given what we are currently doing (a point-in-time view), what is the likelihood of the risk occurring, and what is the impact if it were to occur?
 
Why is this distinction important? It seems very artificial. 
 
It is to a certain extent an artificial and quite difficult distinction to make.  Most of us find it very difficult to ignore existing actions and we question the value in assessing or prioritising risks on an inherent basis.
 
It must be remembered, though, that the primary benefit of a risk register is that it provides context and justification within any organisation. More importantly, it gives a standardised and commonly accepted context on a granular or detailed risk level. 
 
Why have we found it necessary over the last few years to spend more time and effort on process A than on process B? Why is the organisation structured in the way that it is? Why does the procurement process garner a bigger piece of the budget than, for example, the petty cash process in a retailer? The answers to these questions may seem obvious, but in each case they come down to the inherent risk associated with that area or process.
 
To take the point further, I will use an example. I start a chair-making factory today, and I appoint someone to take responsibility for two things: making chairs and managing the petty cash. Presumably, that person will do his/her own risk prioritisation and, if I have managed to hire the right person, he/she will spend all of his/her limited time on the chair-making process. The result may be that, ironically, after twelve months, the residual risk associated with chair-making is lower than the residual risk associated with petty cash. This may seem like an obvious example, but once risks become more nuanced within a business process, the benefit of exposing the relative importance of the tasks associated with each risk becomes clear.
 
It also now becomes clear why oversight needs to focus on both the generic or inherent risks, as well as the point in time or residual risks. Oversight has been appointed to ensure that key risks are being managed. As such, it needs to focus on ensuring that the risks inherent to the organisation have the focus and resources they deserve, before focusing on the topical issues, i.e. the risks that are not being appropriately managed now.  And, if the organisation is mature and well-managed, there should be very little correlation between the top inherent risks and the top residual risks.
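As an added illustration (not part of the article), the small Python model below captures the process described above: each risk is rated inherently, the existing mitigating actions are recorded separately as controls, and the residual rating is derived from the inherent rating and the controls, so the inherent view is always the "if we did nothing" view. The register, the 5x5 likelihood/impact scales, the effect of each control and the oversight threshold are all constructed assumptions chosen to reproduce the chair-making versus petty-cash outcome and the overlap check on the top inherent and top residual lists.

```python
"""Inherent versus residual prioritisation of a small risk register.

Constructed example: the risks, the 1..5 likelihood and impact scales,
and the rating points each control removes are assumptions, not data
from any real register. Score = likelihood * impact.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """An existing mitigating action and the rating points it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def __post_init__(self):
        if self.likelihood_reduction < 0 or self.impact_reduction < 0:
            raise ValueError(f"{self.name}: reductions must be >= 0")


@dataclass
class Risk:
    """A risk rated inherently, i.e. as if no action were taken."""
    name: str
    inherent_likelihood: int  # 1 (rare) .. 5 (almost certain)
    inherent_impact: int      # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        for value in (self.inherent_likelihood, self.inherent_impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: ratings must be 1..5, got {value}")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_likelihood(self) -> int:
        # Controls lower the rating but never below 1: a controlled risk
        # can still materialise, so residual is derived, never rated to 0.
        drop = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.inherent_likelihood - drop)

    @property
    def residual_impact(self) -> int:
        drop = sum(c.impact_reduction for c in self.controls)
        return max(1, self.inherent_impact - drop)

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rank_inherent(register: list[Risk]) -> list[str]:
    """Risk names ordered by inherent score, highest first (ties by name)."""
    return [r.name for r in sorted(register, key=lambda r: (-r.inherent_score, r.name))]


def rank_residual(register: list[Risk]) -> list[str]:
    """Risk names ordered by residual score, highest first (ties by name)."""
    return [r.name for r in sorted(register, key=lambda r: (-r.residual_score, r.name))]


def top_n_overlap(register: list[Risk], n: int) -> set[str]:
    """Risks appearing in both the top-n inherent and top-n residual lists.

    A mature, well-managed organisation should show little overlap here.
    """
    return set(rank_inherent(register)[:n]) & set(rank_residual(register)[:n])


def under_managed(register: list[Risk], threshold: int) -> list[str]:
    """The 'topical' risks: residual score at or above the oversight threshold."""
    return [name for name in rank_residual(register)
            if next(r for r in register if r.name == name).residual_score >= threshold]


# Constructed register for the article's chair-making factory.
REGISTER = [
    Risk("Defective chair injures customer", 4, 5, [
        Control("Quality inspection before dispatch", likelihood_reduction=2),
        Control("Product liability insurance", impact_reduction=2),
    ]),
    Risk("Timber supplier fails to deliver", 3, 4, [
        Control("Second approved supplier", likelihood_reduction=2),
    ]),
    Risk("Workshop fire", 2, 5, [
        Control("Fire suppression system", likelihood_reduction=1),
        Control("Property insurance", impact_reduction=2),
    ]),
    # Nobody has had time for petty cash, so no controls are in place.
    Risk("Petty cash misappropriated", 4, 2),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: -r.inherent_score):
        print(f"{r.name:<36} inherent={r.inherent_score:>2} residual={r.residual_score:>2}")
    print("top-2 overlap:", top_n_overlap(REGISTER, 2))
    print("under-managed (residual >= 6):", under_managed(REGISTER, 6))
```

Running it ranks the register by inherent score as defective chair, timber supplier, workshop fire, petty cash, while the residual ranking puts petty cash first: the uncontrolled petty cash risk now outscores chair-making even though it is the least important risk inherently, which is the point the article makes about oversight needing both views.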