Inherent Risk vs. Residual Risk: Understanding the Difference

March 28, 2023
In this article:

Effective risk management is a top priority for companies across all industries: 52% of organizations agree that reducing their risk profile via proactive risk mitigation is just as important as an effective risk response.

With so much attention now given to risk management processes, how companies define and talk about risks has also changed. Two terms that you've likely heard being thrown around before are "inherent risk" and "residual risk." These two types of risk are both important to consider when performing risk assessments, but there are some important differences between them.

To help you assess your company's level of risk and determine the exact types of risks that make up your risk profile, let's take a look at everything you need to know about the difference between inherent and residual risk.

What is inherent risk?

Inherent risk exists when there are no internal controls in place. You can think of inherent risks as preventable with the right security controls. In the absence of controls, though, inherent risks can become big issues.

The fact that inherent risks can be prevented with the right risk controls makes identifying inherent risks a vital part of risk analysis. After all, focusing on preventable risks is ultimately more fruitful than focusing on unavoidable risks.

Examples of inherent risk

Mishandling of sensitive data is one example of an inherent risk. Without the proper controls in place to dictate how data is stored, accessed, and shared, your company's sensitive data could end up being exposed. Since this is a risk that can be prevented with the right controls, though, it is considered an inherent risk.

Another example of inherent risk is a lack of device or software security. Without the right cybersecurity software and protocols in place, every device, network, or cloud-based account that provides access to sensitive data will be a source of serious risk to your company.

What is residual risk?

Residual risks cannot be prevented entirely, no matter what measures your company takes. They are risks that will continue to exist regardless of the controls in place. 

However, while you cannot entirely prevent residual risks, you can reduce the amount of risk they pose. This makes it important to consider how to mitigate residual risks when trying to reduce your current risk level — even if you can't eliminate them completely.

Examples of residual risk

Cybersecurity threats such as data breaches are one common example of residual risks: 35% of risk executives list cyber/information risk as the greatest threat to their company's growth. 

While an effective cybersecurity program can mitigate cybersecurity risks, you can never completely eliminate the potential for third-party cyberattacks — making these attacks a form of residual risk.

Another type of information security risk that constitutes a residual risk is internal data theft. While measures such as thorough employee screening and segregation of duties can reduce this risk, it, too, cannot be prevented entirely.

Differences between inherent and residual risk

The primary difference between inherent and residual risk is whether or not you can eliminate the risk with the right controls. However, this key difference leads to several secondary differences as well. 

For one, inherent risk tends to be more hypothetical. It's the risk that exists when no controls are in place. Residual risk, meanwhile, is the risk that remains with all applicable controls in place. 

Think of risks in terms of a lock on your office door. If the front door doesn't have a lock on it, you have an inherent risk of unauthorized individuals entering your office. You can resolve this inherent risk by putting a lock on the door. 

Even after this fix, there is still a residual risk that those unauthorized individuals will enter your office by other means (picking the lock, following someone in, etc.). You may choose to mitigate this residual risk with a receptionist who monitors and approves visitors, or installing security cameras. These solutions help address the likelihood of a breach, but they don't completely remove the risk itself.

Companies that have already implemented all the controls needed to eliminate inherent risks can focus mostly on residual risk when determining the risk score of their business processes.

How do you calculate inherent risk and residual risk?

Today, organizations contend with a wide variety of risks, including both inherent and residual risks. 

But with so many potential risk factors floating around, how do you determine which ones present the biggest threat to your company? And, even more importantly, how can companies reduce the likelihood and potential impact of the risks they identify?

Here are five steps to help you identify and mitigate your company's inherent and residual risks.

1) Conduct a risk assessment

A risk assessment is a thorough analysis of your organization and its business processes to identify potential issues that could present a risk to your company. 

Analyzing how your data is stored, who has access to it, and how it is secured is one key pillar of a risk assessment. However, depending on the exact nature of your business and its processes, there is a broad range of other risk factors that you might need to consider as well.

HyperComply’s Risk Register Template can help you get started. This comprehensive tool can help you break down risks by category, their impact on your business, and likelihood of occurring. From there, you can determine how to address them and which team member is responsible.

2) Create a risk register

Risk registers document the details about the inherent and residual risks your company faces, along with the controls in place to prevent them. Ideally, your risk register should also include information on each documented risk's likelihood and potential impact, which brings us to the next step in the risk assessment process...

3) Evaluate the likelihood and potential impact of risks

You can't determine a risk's threat level without considering its likelihood and potential impact. Starting with likelihood, a risk with a high chance of happening is a much bigger concern than a low-likelihood risk (assuming all else is equal). 

Meanwhile, potential impact measures the impact on your company if the risk becomes a reality. This includes direct financial consequences such as lost assets and other impacts like reputational damage and running afoul of regulatory requirements.

When determining your company's risk tolerance and current risk level, you need to carefully evaluate the likelihood and impact of each risk you identify. Based on this evaluation, you can then start prioritizing risks to identify which ultimately present the biggest threat to your company.

4) Prioritize risks

Once you've evaluated the likelihood and potential impact of each identified risk, you can prioritize risks based on these two factors. Risks with a high likelihood of happening or an especially costly impact take the highest priority. On the other hand, risks with a low likelihood or low impact don’t have to be addressed quite as urgently.

Ideally, your company will be able to establish the controls needed to mitigate all the risks you identify. But in the real world, business leaders must often make hard choices about where to best allocate resources. By prioritizing your company's risks based on likelihood and impact, you can focus the resources available to you on the risks that are most important to address.

5) Implement controls and continuously monitor risk

Going in order of priority, any inherent risks that you identify should be mitigated with the appropriate risk controls. This can include controls like cybersecurity programs, role-based access control, vendor risk assessments, and a wide range of other controls depending on the specific risks you seek to address.

Along with implementing the controls needed to eliminate inherent risks, it's also important to continually monitor risks and your company's risk profile. One of the difficult things about risk management is that risks tend to be dynamic rather than static. New risks can arise as your company grows, and risks currently presenting a major threat to your company might shrink as new controls become available. 

To ensure that you stay up to date with your company's risks, it's a good idea to monitor risk continually via routine risk assessments.

Understanding inherent and residual risk in third-party risk management

Third-party vendors with access to your company's sensitive data are a common source of both inherent and residual risk. Even if your organization's security controls are solid, working with a vendor that doesn't have the proper protocols in place can open you up to a world of risks. This makes a third-party risk management program a vital part of reducing the risk profile for most companies.

One of the best controls for eliminating third-party vendors' inherent risk is conducting thorough vendor risk assessments. However, 44% of organizations state that manually conducting vendor compliance assessments is the most difficult part of third-party risk management.

This is where HyperComply comes in. Companies can send automated vendor risk assessments and compliance questionnaires with our cutting-edge compliance platform. This dramatically streamlines the process of vetting vendors and helps insulate your company from new risks when onboarding a new vendor.

Get a free risk register template from HyperComply

Identifying inherent and residual risks is a vital part of effective risk management. While residual risk can be difficult to mitigate, inherent risks are much easier for organizations to eliminate and control.

One incredibly common source of inherent risk is the risk posed by third-party vendors — and the best control for eliminating inherent risk is thorough vendor risk assessments. With HyperComply, you can send automated vendor risk assessments and store the data you gather in a searchable knowledge base, making assessing vendor risk easier.

To start using HyperComply to thoroughly and easily evaluate the risks posed by your vendors, sign up for a HyperComply demo today.