The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment.
The main areas of contention are:
What does Inherent Risk mean?
There are few common definitions in risk but “Inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk on the other hand is commonly defined as “the level of risk remaining after controls have been applied”.
Can Inherent Risk be determined?
One of the main arguments against the use of inherent risk as a concept is the perceived difficultly in determining its level. Consider “Building Security Risk” – the risk that an unauthorised person will access a building and carry out unauthorised and or damaging actions. When we assess “What is the level of risk before considering controls?”, workshop responses vary as we have limited experience of this risk without any controls.
As a result, there is often difficulty in determining a consistent inherent risk scenario. Does this mean a lack of all or a combination of some of the following controls — no security guards, no CCTV, no windows, no doors and no walls?
This is a common problem when trying to assess inherent risk in a typical risk assessment. This problem can however, largely be overcome by changing the order of the risk assessment by firstly identifying the controls that mitigate the risk. Secondly, the inherent risk assessment is then performed by asking the question “What is the level of risk before considering the identified controls?”. This approach overcomes the question of what controls are assumed not to exist or working effectively. If a “control” is not specifically identified, it is assumed to be present in the inherent risk assessment. These pre-existing controls are often referred to as “base-line” controls.
In determining whether a control is base-line or not, it helps to define “a control?”. A definition we find useful is “a specific action taken by the organisation with the objective of reducing the risk”.
The key is a “specific action”. Security guards and CCTV would be seen as non base-line or “identified” and therefore be considered in the inherent risk assessment.
However, windows and doors would be base-line controls as it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organisation.
For further insights you can also read, 'Can Residual Risk be higher than Inherent Risk?'.
Can Inherent Likelihood and Consequence always be determined?
Likelihood is a measure of the expected frequency of the risk occurring. Multiple factors can go into the measurement of likelihood. If one or more of those factors cannot be determined, it is difficult to determine inherent likelihood.
For example, the likelihood of fraud risk requires consideration of:
- The likelihood that an individual is dishonest
- The level of skill they possess in carrying out the fraud
- The chance of success if they were to carry out the fraud
Point a) is virtually impossible to determine, b) is difficult to determine and c) can be reasonably determined with sufficient thought. As a result inherent risk for fraud is virtually impossible to determine and requires an assumption about a) and b).
However, for many other risks it is, in relation, easier to assess inherent risk.
What is the difference in these risks? We believe it lies in whether the risk is deliberate or non-deliberate. Where the risk is non deliberate or accidental, the inherent likelihood can be relatively easy to obtain. Where the risk is deliberate through actions of people, such as fraud, inherent likelihood cannot be determined and the best we can do is to determine the chance of success if the person was dishonest, If we assess this likelihood on this (incomplete) basis we must be careful when comparing the level of risk with other non-deliberate risks where all factors affecting likelihood have been considered.
Is inherent risk useful as part of a risk assessment process?
Where it is considered possible to assess inherent risk, we are of the view that its determination can be very useful. The reasons are:
- It assists in identifying which controls are key. We commonly define a key control as one that is “not negotiable”. This is usually assessed by considering the risk if the control did not exist (inherent risk) and where that risk is excessively high, we might consider the control not negotiable and therefore key. This analysis is then used to select which controls will be subject to periodic attestation as “key controls”.
- In risk based audit, audit should focus their testing on controls that are key. As above, these are controls that reduce a high inherent risk by a substantial amount.
- Scenario analysis for stress testing purposes should be carried out on those risks which have the potential to result in catastrophic impact. Such a scenario is most likely to occur when a risk with an inherent impact of, say, very high and the related controls fail. Therefore risks that have an inherent impact rating of very high would be used for further scenario analysis.
- Risk reporting to Board and Management should include information on those risks that have the potential to be catastrophic for the organisation, namely those risks where the inherent impact is very high.
The debate over the usefulness of inherent risk will no doubt continue. The key is to apply the most relevant approach to the type of risk and recognise not all risks are the same. Where possible the determination of inherent risk can be useful in understanding the nature of the risk, the potential worst case scenario and the importance of related controls.
Want to learn more?
If you wish to learn more about how Protecht can help you, please email info@protechtgroup.com