Risk assessments form the basis of nearly every internal audit plan. Some assessments start from a common set of risks evaluated across different areas, while others go deeper into process-level risks. In either case, the evaluator must decide whether inherent risk, residual risk, or both measures will drive the audit plan. In this article, we review what these two risk measurements capture, how they differ, and best practices for working with inherent and residual risk scores.
Incorporating inherent and residual risk in your risk assessment
Unavoidability of inherent risk
Inherent risk refers to the underlying level of risk associated with an activity or process before the process owner puts mitigating controls in place, and it is most often expressed as impact and likelihood assessed together. It describes the natural, unavoidable risk that exists simply by doing something. We all face inherent risk every day. When you eat food, there is an inherent risk of choking. While driving a car, there is an inherent risk of an accident. In a business setting, there is an inherent risk of a cybersecurity breach. Inherent risk can never be eliminated completely, because its likelihood and impact are set by the characteristics of the activity and of your organization, not by the controls you add later. Understanding the risk inherent to a situation enables leaders to make better, more informed decisions. By identifying and assessing the inherent risks associated with an activity, you can develop mitigation strategies that preserve the activity's benefits while reducing the likelihood and impact of the risks that remain.
Complexity of residual risk
Residual risk refers to the level of risk that remains after controls have been implemented to mitigate the inherent risk, so it depends on how effective those controls are. Consider the examples from before. The risk of choking on your breakfast is lessened by chewing well. Eliminating distractions such as cell phones reduces the risk of a car accident. For the business example, the risk of a cybersecurity breach is more complex; it can only be mitigated by a series of controls working together, such as identity management, network segmentation, data encryption and many others, since no single control would be enough. Risk management usually aims to reduce residual risk to an acceptable level rather than eliminate it altogether.
Measuring the effect of controls
Putting a precise number on the likelihood or impact of any risk is difficult and subjective, so risks are typically rated on a scale. Effective controls are designed to move a risk down that scale, either by making it less likely to happen or by reducing the impact if it does occur. In the cybersecurity example, strong identity controls make a breach less likely (likelihood), while network segmentation contains the damage if one occurs (impact). The total effect of the controls is the amount by which the inherent risk is reduced; what remains is the residual risk. While executing the audit plan, auditors can assign residual risk scores only after evaluating the design and operating effectiveness of the controls. Until then, residual risk scores are based on limited information and should be treated as provisional.
Risk assessment: Example 1.0
| Risk | Inherent Risk Rating: Impact | Inherent Risk Rating: Likelihood | Calculated Inherent Risk Rating | Controls | Assessment of Controls | Calculated Residual Risk Rating |
|---|---|---|---|---|---|---|
| Cybersecurity Breach | Very High | Moderate | High | Access Controls, Strong Passwords, Multifactor Authentication, Network Intrusion Detection, Network Segmentation, Data Encryption | Strong | Moderate |
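The scoring described above (a likelihood and impact scale, a matrix that combines them, and controls that move one dimension or the other down the scale) can be made concrete with a small calculator. The following is an added example, not code from the original article or from TeamMate. The five scale labels are the article's; the 5x5 matrix bucketing, the per-control "dimension" tags, the credit earned per assessment grade and the two-step cap are assumptions made for this illustration and should be replaced by your own methodology. It reproduces the Example 1.0 row and also shows the "limited information" state: controls that have not yet been tested earn no credit, so the residual rating stays equal to the inherent rating until the audit work is done.

```python
"""
Added example (not from the original article): a likelihood x impact
risk-matrix calculator that reproduces Example 1.0.

Assumptions (not stated in the article): the 5x5 matrix layout and score
buckets, which dimension each listed control primarily addresses, how much
credit a control earns per assessment grade, and the cap on steps per dimension.
"""
import math
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]  # ordinal, low to high

# Assumed matrix: score = (likelihood index + 1) * (impact index + 1), range 1..25,
# bucketed back onto the same five labels.
SCORE_BUCKETS = [(2, "Very Low"), (5, "Low"), (9, "Moderate"), (15, "High"), (25, "Very High")]

# Assumed credit one assessed control earns toward a one-step reduction on the
# dimension it addresses. Untested controls earn nothing: before the audit
# evaluates design and operating effectiveness, no reduction is justified.
CREDIT = {"Strong": 0.5, "Adequate": 0.25, "Weak": 0.0, "Not yet tested": 0.0}
MAX_STEPS = 2  # assumed cap: controls never move a dimension more than two steps


@dataclass(frozen=True)
class Control:
    name: str
    dimension: str  # "likelihood" or "impact"
    assessment: str = "Not yet tested"


def level_index(label):
    return LEVELS.index(label)


def rate(likelihood, impact):
    """Combine two scale labels into a rating label via the assumed matrix."""
    score = (level_index(likelihood) + 1) * (level_index(impact) + 1)
    for upper, label in SCORE_BUCKETS:
        if score <= upper:
            return label
    raise ValueError(score)  # unreachable: max score is 25


def steps_down(controls, dimension):
    """Whole steps of reduction earned on one dimension, floored and capped."""
    credit = sum(CREDIT[c.assessment] for c in controls if c.dimension == dimension)
    return min(MAX_STEPS, math.floor(credit))


def residual(likelihood, impact, controls):
    """Return (residual likelihood, residual impact, residual rating).
    The scale floors at "Very Low": controls reduce risk, they never remove it."""
    li = max(0, level_index(likelihood) - steps_down(controls, "likelihood"))
    ii = max(0, level_index(impact) - steps_down(controls, "impact"))
    return LEVELS[li], LEVELS[ii], rate(LEVELS[li], LEVELS[ii])


def assess_all(controls, grade):
    """Apply one grade to every control, mirroring the table's single assessment column."""
    return [Control(c.name, c.dimension, grade) for c in controls]


# Controls from Example 1.0. The dimension tags are an assumption; the article
# only lists the names, and the prose pairs identity controls with likelihood
# and segmentation with impact.
BREACH_CONTROLS = [
    Control("Access Controls", "likelihood"),
    Control("Strong Passwords", "likelihood"),
    Control("Multifactor Authentication", "likelihood"),
    Control("Network Intrusion Detection", "impact"),
    Control("Network Segmentation", "impact"),
    Control("Data Encryption", "impact"),
]


def example_row(grade="Strong"):
    """Inherent and residual ratings for the Cybersecurity Breach row under one grade."""
    inherent = rate("Moderate", "Very High")
    _, _, res = residual("Moderate", "Very High", assess_all(BREACH_CONTROLS, grade))
    return inherent, res


if __name__ == "__main__":
    print(example_row("Strong"))          # ('High', 'Moderate')
    print(example_row("Not yet tested"))  # ('High', 'High')
```

Running it with the table's "Strong" assessment yields the inherent rating High and residual rating Moderate shown in Example 1.0; with the controls still untested, the residual rating equals the inherent rating, which is the honest position for an assessment done before the audit fieldwork.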
A comprehensive picture
Assessing the risk inherent to an organization requires a comprehensive view of both its risks and its controls. When evaluators capture inherent and residual risk side by side in the assessment, the effectiveness of the controls becomes readily evident. In the example above, the controls appear effective, yet even these are not enough to mitigate the risk completely: the residual rating is still Moderate. In that case, the auditors could ask whether the organization has considered sharing the residual risk by acquiring cybersecurity insurance. With a comprehensive picture of the risk and control environment, internal audit teams can provide deeper insights and meaningful recommendations based on complete information.